Add database::escape_string, Security::remove_XSS

9 years ago · 52ef413e27
parent 3d62bc8afc
commit 52ef413e27
7 changed files with 36 additions and 37 deletions
--- a/main/exercice/adminhp.php
+++ b/main/exercice/adminhp.php
@ -20,18 +20,17 @@ if (isset($_REQUEST["cancel"])) {
 }

 $newName = !empty($_REQUEST['newName']) ? $_REQUEST['newName'] : '';
-$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? $_REQUEST['hotpotatoesName'] : '';
-
-$is_allowedToEdit=api_is_allowed_to_edit(null,true);
+$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? Security::remove_XSS($_REQUEST['hotpotatoesName']) : '';
+$is_allowedToEdit = api_is_allowed_to_edit(null,true);

 // document path
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';

 // picture path
-$picturePath=$documentPath.'/images';
+$picturePath = $documentPath.'/images';

 // audio path
-$audioPath=$documentPath.'/audio';
+$audioPath = $documentPath.'/audio';

 // Database table definitions
 if (!$is_allowedToEdit) {
@ -39,7 +38,7 @@ if (!$is_allowedToEdit) {
 }

 if (isset($_SESSION['gradebook'])) {
-    $gradebook=	$_SESSION['gradebook'];
+    $gradebook =	$_SESSION['gradebook'];
 }

 if (!empty($gradebook) && $gradebook == 'view') {
--- a/main/exercice/hotpotatoes_exercise_report.php
+++ b/main/exercice/hotpotatoes_exercise_report.php
@ -1,5 +1,8 @@
 <?php
 /* For licensing terms, see /license.txt */
+
+use ChamiloSession as Session;
+
 /**
 *	Exercise list: This script shows the list of exercises for administrators and students.
 *	@package chamilo.exercise
@ -7,15 +10,12 @@
 *
 */

-use ChamiloSession as Session;
-
-// including the global library
 require_once '../inc/global.inc.php';

 // Setting the tabs
 $this_section = SECTION_COURSES;
-
 $htmlHeadXtra[] = api_get_jqgrid_js();
+$_course = api_get_course_info();

 // Access control
 api_protect_course_script(true, false, true);
@ -23,7 +23,6 @@ api_protect_course_script(true, false, true);
 // including additional libraries
 require_once 'hotpotatoes.lib.php';

-
 // document path
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path']."/document";

@ -37,7 +36,7 @@ $TBL_TRACK_HOTPOTATOES_EXERCISES = Database :: get_main_table(TABLE_STATISTIC_TR
 $TBL_LP_ITEM_VIEW = Database :: get_course_table(TABLE_LP_ITEM_VIEW);

 $course_id = api_get_course_int_id();
-$hotpotatoes_path = isset($_REQUEST['path']) ? $_REQUEST['path'] : null;
+$hotpotatoes_path = isset($_REQUEST['path']) ? Security::remove_XSS($_REQUEST['path']) : null;
 $filter_user = isset($_REQUEST['filter_by_user']) ? intval($_REQUEST['filter_by_user']) : null;

 if (empty($hotpotatoes_path)) {
@ -73,10 +72,12 @@ $actions = null;
 if ($is_allowedToEdit && $origin != 'learnpath') {
    // the form
    if (api_is_platform_admin() || api_is_course_admin() || api_is_course_tutor() || api_is_course_coach()) {
-        $actions .= '<a id="export_opener" href="'.api_get_self().'?export_report=1&path='.Security::remove_XSS($hotpotatoes_path).' ">'.Display::return_icon('save.png',   get_lang('Export'),'',ICON_SIZE_MEDIUM).'</a>';
+        $actions .= '<a id="export_opener" href="'.api_get_self().'?export_report=1&path='.$hotpotatoes_path.' ">'.
+            Display::return_icon('save.png',   get_lang('Export'),'',ICON_SIZE_MEDIUM).'</a>';
    }
 } else {
-    $actions .= '<a href="exercise.php">' . Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).'</a>';
+    $actions .= '<a href="exercise.php">' .
+        Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).'</a>';
 }

 if ($is_allowedToEdit) {
--- a/main/exercice/hotpotatoes_exercise_result.class.php
+++ b/main/exercice/hotpotatoes_exercise_result.class.php
@ -121,7 +121,7 @@ class HotpotatoesExerciseResult
 	 * @param	boolean		Whether to include user fields or not
 	 * @return	boolean		False on error
 	 */
-	public function exportCompleteReportCSV($document_path='', $hotpotato_name)
+	public function exportCompleteReportCSV($document_path = '', $hotpotato_name)
    {
 		global $charset;
 		$this->getExercisesReporting($document_path, $hotpotato_name);
--- a/main/exercice/hotspot_admin.inc.php
+++ b/main/exercice/hotspot_admin.inc.php
@ -1,13 +1,14 @@
 <?php
 /* For licensing terms, see /license.txt */

+use \ChamiloSession as Session;
+
 /**
 * This script allows to manage answers. It is included from the
 * script admin.php
 * @package chamilo.exercise
 * @author Toon Keppens
 */
-use \ChamiloSession as Session;

 $modifyAnswers = intval($_GET['hotspotadmin']);

@ -246,11 +247,11 @@ if ($submitAnswers || $buttonBack) {
        }  // end for()

        //now the noerror section
-        $selectQuestionNoError = $_POST['select_question_noerror'];
-        $lp_noerror = $_POST['lp_noerror'];
-        $try_noerror = isset($_POST['try_noerror']) ? $_POST['try_noerror'] : null;
-        $url_noerror = $_POST['url_noerror'];
-        $comment_noerror = $_POST['comment_noerror'];
+        $selectQuestionNoError = Security::remove_XSS($_POST['select_question_noerror']);
+        $lp_noerror = Security::remove_XSS($_POST['lp_noerror']);
+        $try_noerror = isset($_POST['try_noerror']) ? Security::remove_XSS($_POST['try_noerror']) : null;
+        $url_noerror = Security::remove_XSS($_POST['url_noerror']);
+        $comment_noerror = Security::remove_XSS($_POST['comment_noerror']);
        $threadhold_total = '0;0;0';

        if ($try_noerror == 'on') {
@ -292,6 +293,7 @@ if ($submitAnswers || $buttonBack) {
                if ($weighting[$i]) {
                    $questionWeighting+=$weighting[$i];
                }
+
                // creates answer
                $objAnswer->createAnswer(
                    $reponse[$i],
@ -324,7 +326,6 @@ if ($submitAnswers || $buttonBack) {

            $editQuestion = $questionId;
            unset($modifyAnswers);
-
            echo '<script type="text/javascript">window.location.href="' . $hotspot_admin_url . '&message=ItemUpdated"</script>';
        }
    }
--- a/main/forum/forumqualify.php
+++ b/main/forum/forumqualify.php
@ -171,7 +171,7 @@ if ($allowToQualify) {
    // Show max qualify in my form
    $maxQualify = showQualify('2', $userIdToQualify, $threadId);

-    $score = isset($_POST['idtextqualify']) ? $_POST['idtextqualify'] : '';
+    $score = isset($_POST['idtextqualify']) ? Security::remove_XSS($_POST['idtextqualify']) : '';

    if ($score > $maxQualify) {
        Display:: display_error_message(
@ -292,7 +292,7 @@ if ($allowToQualify) {
                $realname = $attachment_list['path'];
                $user_filename = $attachment_list['filename'];

-                echo Display::return_icon('attachment.gif',get_lang('Attachment'));
+                echo Display::return_icon('attachment.gif', get_lang('Attachment'));
                echo '<a href="download.php?file=';
                echo $realname;
                echo ' "> '.$user_filename.' </a>';
--- a/main/inc/lib/fileUpload.lib.php
+++ b/main/inc/lib/fileUpload.lib.php
@ -1542,13 +1542,12 @@ function create_unexisting_directory(
                    WHERE
                        c_id = $course_id AND
                        (
-                            path = '" . $systemFolderName . "'
+                            path = '" . Database::escape_string($systemFolderName). "'
                        )
            ";

            $rs = Database::query($sql);
            if (Database::num_rows($rs) == 0) {
-        
                $document_id = add_document(
                    $_course,
                    $systemFolderName,
@ -1566,7 +1565,6 @@ function create_unexisting_directory(
                if ($document_id) {
                    // Update document item_property
                    if (!empty($visibility)) {
-
                        $visibilities = array(
                            0 => 'invisible',
                            1 => 'visible',
--- a/main/upload/upload.document.php
+++ b/main/upload/upload.document.php
@ -10,6 +10,7 @@
 * @author Yannick Warnier <ywarnier@beeznest.org>
 */

+$_course = api_get_course_info();
 $courseDir = $_course['path'] . "/document";
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
 $base_work_dir = $sys_course_path . $courseDir;
@ -18,7 +19,7 @@ $max_filled_space = DocumentManager::get_course_quota();

 //what's the current path?
 if (isset($_POST['curdirpath'])) {
-    $path = $_POST['curdirpath'];
+    $path = Security::remove_XSS($_POST['curdirpath']);
 } else {
    $path = '/';
 }
@ -34,7 +35,7 @@ if (!DocumentManager::get_document_id($_course, $path)) {
 */
 $nameTools = get_lang('UplUploadDocument');
 $interbreadcrumb[] = array(
-    "url" => "./document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
+    "url" => api_get_path(WEB_CODE_PATH)."document/document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
    "name" => $langDocuments
 );
 Display::display_header($nameTools, "Doc");
@ -54,14 +55,14 @@ if (isset($_FILES['user_upload'])) {
            $_FILES['user_upload'],
            $base_work_dir,
            $_POST['curdirpath'],
-            $_user['user_id'],
+            api_get_user_id(),
            $to_group_id,
            $to_user_id,
            $_POST['unzip'],
            $_POST['if_exists']
        );
-    	$new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
-    	$new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
+    	$new_comment = isset($_POST['comment']) ? Database::escape_string(trim($_POST['comment'])) : '';
+    	$new_title = isset($_POST['title']) ? Database::escape_string(trim($_POST['title'])) : '';

    	if ($new_path && ($new_comment || $new_title))
    	if (($docid = DocumentManager::get_document_id($_course, $new_path))) {
@ -99,7 +100,7 @@ if (isset($_POST['submit_image'])) {
        $img_directory = str_replace('.', '_', $_POST['related_file']."_files");
        $folderData = create_unexisting_directory(
            $_course,
-            $_user['user_id'],
+            api_get_user_id(),
            api_get_session_id(),
            $to_group_id,
            $to_user_id,
@ -131,11 +132,11 @@ if (isset($_POST['submit_image'])) {
 }
 //they want to create a directory
 if (isset($_POST['create_dir']) && $_POST['dirname']!='') {
-    $added_slash = ($path == '/') ? '' : '/';
+    $added_slash = $path == '/' ? '' : '/';
 	$dir_name = $path.$added_slash.api_replace_dangerous_char($_POST['dirname']);
    $created_dir = create_unexisting_directory(
        $_course,
-        $_user['user_id'],
+        api_get_user_id(),
        api_get_session_id(),
        $to_group_id,
        $to_user_id,
@ -206,7 +207,6 @@ if (isset($_GET['createdir'])) {
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="nothing" title="<?php echo (get_lang('UplDoNothingLong'));?>" checked="checked"/>  <?php echo (get_lang('UplDoNothing'));?><br/>
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="overwrite" title="<?php echo (get_lang('UplOverwriteLong'));?>"/> <?php echo (get_lang('UplOverwrite'));?><br/>
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="rename" title="<?php echo (get_lang('UplRenameLong'));?>"/> <?php echo (get_lang('UplRename'));?>
-
 </td>
 </tr>
 </table>