From 52ef413e2719be2da521beb83a476d91468ef5e7 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Mon, 18 Jul 2016 14:06:02 +0200
Subject: [PATCH] Add database::escape_string, Security::remove_XSS

---
 main/exercice/adminhp.php | 11 +++++------
 main/exercice/hotpotatoes_exercise_report.php | 17 +++++++++--------
 .../hotpotatoes_exercise_result.class.php | 2 +-
 main/exercice/hotspot_admin.inc.php | 15 ++++++++-------
 main/forum/forumqualify.php | 4 ++--
 main/inc/lib/fileUpload.lib.php | 6 ++----
 main/upload/upload.document.php | 18 +++++++++---------
 7 files changed, 36 insertions(+), 37 deletions(-)

diff --git a/main/exercice/adminhp.php b/main/exercice/adminhp.php
index 6ace897b72..f960917b85 100755
--- a/main/exercice/adminhp.php
+++ b/main/exercice/adminhp.php
@@ -20,18 +20,17 @@ if (isset($_REQUEST["cancel"])) {
 }
 
 $newName = !empty($_REQUEST['newName']) ? $_REQUEST['newName'] : '';
-$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? $_REQUEST['hotpotatoesName'] : '';
-
-$is_allowedToEdit=api_is_allowed_to_edit(null,true);
+$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? Security::remove_XSS($_REQUEST['hotpotatoesName']) : '';
+$is_allowedToEdit = api_is_allowed_to_edit(null,true);
 
 // document path
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
 
 // picture path
-$picturePath=$documentPath.'/images';
+$picturePath = $documentPath.'/images';
 
 // audio path
-$audioPath=$documentPath.'/audio';
+$audioPath = $documentPath.'/audio';
 
 // Database table definitions
 if (!$is_allowedToEdit) {
@@ -39,7 +38,7 @@ if (!$is_allowedToEdit) {
 }
 
 if (isset($_SESSION['gradebook'])) {
-    $gradebook= $_SESSION['gradebook'];
+    $gradebook = $_SESSION['gradebook'];
 }
 
 if (!empty($gradebook) && $gradebook == 'view') {
diff --git a/main/exercice/hotpotatoes_exercise_report.php b/main/exercice/hotpotatoes_exercise_report.php
index 64cf29e3d6..2aaf781cc9 100755
--- a/main/exercice/hotpotatoes_exercise_report.php
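Review bot: `$newName` on the context line directly above the changed `$hotpotatoesName` assignment is still read from `$_REQUEST` unfiltered, so the hunk filters one of two adjacent request parameters and leaves the other as it was. Treat both the same way: `$newName = !empty($_REQUEST['newName']) ? Security::remove_XSS($_REQUEST['newName']) : '';`. Note also that `Security::remove_XSS` only makes a value safe to echo into HTML; if either name is later joined onto `$documentPath` or placed in a query (both uses are outside this hunk), the filesystem use still needs `..` and path separators rejected where the path is built, and the query still needs escaping or binding where it is executed.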
+++ b/main/exercice/hotpotatoes_exercise_report.php @@ -1,5 +1,8 @@ '.Display::return_icon('save.png', get_lang('Export'),'',ICON_SIZE_MEDIUM).''; + $actions .= ''. + Display::return_icon('save.png', get_lang('Export'),'',ICON_SIZE_MEDIUM).''; } } else { - $actions .= '' . Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).''; + $actions .= '' . + Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).''; } if ($is_allowedToEdit) { diff --git a/main/exercice/hotpotatoes_exercise_result.class.php b/main/exercice/hotpotatoes_exercise_result.class.php index 9ed5d04aaf..22c32aa253 100755 --- a/main/exercice/hotpotatoes_exercise_result.class.php +++ b/main/exercice/hotpotatoes_exercise_result.class.php @@ -121,7 +121,7 @@ class HotpotatoesExerciseResult * @param boolean Whether to include user fields or not * @return boolean False on error */ - public function exportCompleteReportCSV($document_path='', $hotpotato_name) + public function exportCompleteReportCSV($document_path = '', $hotpotato_name) { global $charset; $this->getExercisesReporting($document_path, $hotpotato_name); diff --git a/main/exercice/hotspot_admin.inc.php b/main/exercice/hotspot_admin.inc.php index e4ef2eea0b..f6366aa34e 100755 --- a/main/exercice/hotspot_admin.inc.php +++ b/main/exercice/hotspot_admin.inc.php @@ -1,13 +1,14 @@ createAnswer( $reponse[$i], @@ -324,7 +326,6 @@ if ($submitAnswers || $buttonBack) { $editQuestion = $questionId; unset($modifyAnswers); - echo ''; } } diff --git a/main/forum/forumqualify.php b/main/forum/forumqualify.php index d2f45ae625..1720324166 100755 --- a/main/forum/forumqualify.php +++ b/main/forum/forumqualify.php 
@@ -171,7 +171,7 @@ if ($allowToQualify) {
 
 // Show max qualify in my form
 $maxQualify = showQualify('2', $userIdToQualify, $threadId);
- $score = isset($_POST['idtextqualify']) ? $_POST['idtextqualify'] : '';
+ $score = isset($_POST['idtextqualify']) ? Security::remove_XSS($_POST['idtextqualify']) : '';
 
 if ($score > $maxQualify) {
 Display:: display_error_message(
@@ -292,7 +292,7 @@ if ($allowToQualify) {
 $realname = $attachment_list['path'];
 $user_filename = $attachment_list['filename'];
- echo Display::return_icon('attachment.gif',get_lang('Attachment'));
+ echo Display::return_icon('attachment.gif', get_lang('Attachment'));
 echo ' '.$user_filename.' ';
diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php
index 717def598d..c2a8e57ef8 100755
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@@ -1202,7 +1202,7 @@ function filter_extension(&$filename)
 * @param int $group_id
 * @param int $session_id Session ID, if any
 * @param int $userId creator id
- *
+ *
 * @return int id if inserted document
 */
 function add_document(
@@ -1542,13 +1542,12 @@ function create_unexisting_directory(
 WHERE c_id = $course_id AND (
- path = '" . $systemFolderName . "'
+ path = '" . Database::escape_string($systemFolderName). "'
 )
 ";
 $rs = Database::query($sql);
 if (Database::num_rows($rs) == 0) {
-
 $document_id = add_document(
 $_course,
 $systemFolderName,
@@ -1566,7 +1565,6 @@ function create_unexisting_directory(
 if ($document_id) {
 // Update document item_property
 if (!empty($visibility)) {
-
 $visibilities = array(
 0 => 'invisible',
 1 => 'visible',
diff --git a/main/upload/upload.document.php b/main/upload/upload.document.php
index 0436c162d0..c397696b2f 100755
--- a/main/upload/upload.document.php
+++ b/main/upload/upload.document.php
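Review bot: `$score` is compared numerically on the next line (`if ($score > $maxQualify)`), so `Security::remove_XSS` is the wrong control for it: it is an HTML filter and lets any non-numeric string through to the comparison and to whatever stores the score later in `forumqualify.php`, outside this hunk. Validate the type at the read site and leave HTML filtering to output contexts, e.g. `$score = isset($_POST['idtextqualify']) && is_numeric($_POST['idtextqualify']) ? (float) $_POST['idtextqualify'] : '';`. If the downstream write interpolates the score into SQL, a numeric cast here is also what makes that safe, whereas `remove_XSS` does not.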
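Review bot: `Database::escape_string($systemFolderName)` makes the quoted `path` comparison safe, but the same statement interpolates `$course_id` bare on the context line `WHERE c_id = $course_id AND (`, which the hunk leaves untouched. Cast it where the query is built, `WHERE c_id = " . (int) $course_id . " AND (`, or move the statement to a bound-parameter query so neither value needs hand escaping. `create_unexisting_directory` starts and ends outside the hunk, so how `$course_id` is derived is not visible here; if it is already an integer the cast is a no-op, not a behaviour change.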
@@ -10,6 +10,7 @@
 * @author Yannick Warnier
 */
 
+$_course = api_get_course_info();
 $courseDir = $_course['path'] . "/document";
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
 $base_work_dir = $sys_course_path . $courseDir;
@@ -18,7 +19,7 @@ $max_filled_space = DocumentManager::get_course_quota();
 
 //what's the current path?
 if (isset($_POST['curdirpath'])) {
- $path = $_POST['curdirpath'];
+ $path = Security::remove_XSS($_POST['curdirpath']);
 } else {
 $path = '/';
 }
@@ -34,7 +35,7 @@ if (!DocumentManager::get_document_id($_course, $path)) {
 */
 $nameTools = get_lang('UplUploadDocument');
 $interbreadcrumb[] = array(
- "url" => "./document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
+ "url" => api_get_path(WEB_CODE_PATH)."document/document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
 "name" => $langDocuments
 );
 Display::display_header($nameTools, "Doc");
@@ -54,14 +55,14 @@ if (isset($_FILES['user_upload'])) {
 $_FILES['user_upload'],
 $base_work_dir,
 $_POST['curdirpath'],
- $_user['user_id'],
+ api_get_user_id(),
 $to_group_id,
 $to_user_id,
 $_POST['unzip'],
 $_POST['if_exists']
 );
- $new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
- $new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
+ $new_comment = isset($_POST['comment']) ? Database::escape_string(trim($_POST['comment'])) : '';
+ $new_title = isset($_POST['title']) ? Database::escape_string(trim($_POST['title'])) : '';
 
 if ($new_path && ($new_comment || $new_title))
 if (($docid = DocumentManager::get_document_id($_course, $new_path))) {
@@ -99,7 +100,7 @@ if (isset($_POST['submit_image'])) {
 $img_directory = str_replace('.', '_', $_POST['related_file']."_files");
 $folderData = create_unexisting_directory(
 $_course,
- $_user['user_id'],
+ api_get_user_id(),
 api_get_session_id(),
 $to_group_id,
 $to_user_id,
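Review bot: `$path = Security::remove_XSS($_POST['curdirpath']);` applies an HTML filter to a value that is used as a directory inside the course document tree (`get_document_id($_course, $path)` in the `@@ -34,7` hunk header and `$dir_name = $path.$added_slash.…` in the `@@ -131,11` hunk), and such a filter does not constrain `..` or separators in a path. The surrounding `if (!DocumentManager::get_document_id($_course, $path))` check may be what actually rejects paths that do not exist in the course, but that is inferred from the hunk header rather than shown. The `@@ -54,14` hunk also still passes the raw `$_POST['curdirpath'],` to `handle_uploaded_document` instead of the filtered variable; pass `$path,` there so the value flows through a single checkpoint.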
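Review bot: `Database::escape_string()` is applied to `$new_comment` and `$new_title` where they are read from `$_POST`, not where they are written. If the `DocumentManager` call that stores them (outside the hunk) escapes or binds its parameters itself, these values are escaped twice and literal backslashes end up in the stored title; if it does not, every other write path still has to remember to escape. Keep the read site as `trim($_POST['comment'])` / `trim($_POST['title'])` and escape or bind once in the statement that persists them. `$_POST['unzip']` and `$_POST['if_exists']` are handed to `handle_uploaded_document` unvalidated in the same hunk; whether the callee checks them is not visible here.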
@@ -131,11 +132,11 @@ if (isset($_POST['submit_image'])) {
 }
 //they want to create a directory
 if (isset($_POST['create_dir']) && $_POST['dirname']!='') {
- $added_slash = ($path == '/') ? '' : '/';
+ $added_slash = $path == '/' ? '' : '/';
 $dir_name = $path.$added_slash.api_replace_dangerous_char($_POST['dirname']);
 $created_dir = create_unexisting_directory(
 $_course,
- $_user['user_id'],
+ api_get_user_id(),
 api_get_session_id(),
 $to_group_id,
 $to_user_id,
@@ -206,7 +207,6 @@ if (isset($_GET['createdir'])) {
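Review bot: The rewritten `$added_slash = $path == '/' ? '' : '/';` only drops the parentheses and keeps the loose `==`; since `$path` is always a string here (set from `$_POST['curdirpath']` or `'/'` in the `@@ -18,7` hunk), `$added_slash = $path === '/' ? '' : '/';` states the intent without depending on PHP's numeric-string comparison rules, and the guard `$_POST['dirname']!=''` on the context line above should use `!== ''` for the same reason. The `dirname` part correctly goes through `api_replace_dangerous_char`; the `$path` prefix it is joined to is only HTML-filtered upstream, so the directory check that protects it lives outside this hunk.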
   
    -