From c4b51722d8f9fa190c453fdc69d2378493726936 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:14:53 -0500 Subject: [PATCH 1/5] Compilatio: Define missing variable - refs BT#22064 --- main/inc/lib/Compilatio.php | 1 + 1 file changed, 1 insertion(+) diff --git a/main/inc/lib/Compilatio.php b/main/inc/lib/Compilatio.php index bf353dff09..76e25b296e 100644 --- a/main/inc/lib/Compilatio.php +++ b/main/inc/lib/Compilatio.php @@ -340,6 +340,7 @@ class Compilatio $courseId = api_get_course_int_id(); $compilatioId = $this->getCompilatioId($workId, $courseId); + $actionCompilatio = ''; // if the compilatio's hash is not a valide hash md5, // we return à specific status (cf : IsInCompilatio() ) // Not used since implementation of RestAPI but there if needed later From 9edc811a5f3309f3fe849c3ef7de1794e92b41fe Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:30:51 -0500 Subject: [PATCH 2/5] Declare UserManager::isEmailingAllowed as static method --- main/inc/lib/usermanager.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php index cb1dd5f4ef..0504323f5e 100755 --- a/main/inc/lib/usermanager.lib.php +++ b/main/inc/lib/usermanager.lib.php @@ -8112,7 +8112,7 @@ SQL; * * @return bool Whether we can send an e-mail or not */ - public function isEmailingAllowed(string $mail): bool + public static function isEmailingAllowed(string $mail): bool { $list = self::getUsersByMail($mail); if (empty($list)) { From 2c32fdef693e6340feacc65d3591ee29d5028c07 Mon Sep 17 00:00:00 2001 
From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:48:10 -0500 Subject: [PATCH 3/5] Security: User FormValidator::addHtmlEditor FormValidator::addElement('html_editor') --- ...MultipleAnswerTrueFalseDegreeCertainty.php | 2 ++ main/exercise/calculated_answer.class.php | 1 + main/exercise/exercise_show.php | 10 +++++--- main/exercise/fill_blanks.class.php | 12 +++++---- .../exercise/global_multiple_answer.class.php | 21 ++++++++-------- .../multiple_answer_combination.class.php | 21 ++++++++-------- .../multiple_answer_true_false.class.php | 1 + .../unique_answer_no_option.class.php | 8 +++--- main/forum/forumfunction.inc.php | 25 +++++++++---------- main/glossary/index.php | 12 ++++----- main/inc/lib/agenda.lib.php | 7 +++--- .../lib/formvalidator/FormValidator.class.php | 1 + main/lp/learnpath.class.php | 2 +- main/lp/lp_edit.php | 6 ++--- main/notebook/index.php | 18 +++++++------ main/survey/create_new_survey.php | 24 +++++++++--------- .../notebookteacher/src/NotebookTeacher.php | 7 +++--- 17 files changed, 94 insertions(+), 84 deletions(-) diff --git a/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php b/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php index 12535118cf..c1c3e5283c 100644 --- a/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php +++ b/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php @@ -163,6 +163,7 @@ class MultipleAnswerTrueFalseDegreeCertainty extends Question ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); + $form->applyFilter("answer[$i]", 'attr_on_filter'); if (isset($_POST['answer']) && isset($_POST['answer'][$i])) { $txtAnswer->setValue(Security::remove_XSS($_POST['answer'][$i])); 
@@ -177,6 +178,7 @@ class MultipleAnswerTrueFalseDegreeCertainty extends Question ['style' => 'vertical-align:middle;'], ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); + $form->applyFilter("comment[$i]", 'attr_on_filter'); if (isset($_POST['comment']) && isset($_POST['comment'][$i])) { $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i])); diff --git a/main/exercise/calculated_answer.class.php b/main/exercise/calculated_answer.class.php index 7efa10802a..530c6f17a1 100644 --- a/main/exercise/calculated_answer.class.php +++ b/main/exercise/calculated_answer.class.php @@ -133,6 +133,7 @@ class CalculatedAnswer extends Question $form->addRule('answer', get_lang('GiveText'), 'required'); $form->addRule('answer', get_lang('DefineBlanks'), 'regex', '/\[.*\]/'); + $form->applyFilter('answer', 'attr_on_filter'); $form->addElement('label', null, get_lang('IfYouWantOnlyIntegerValuesWriteBothLimitsWithoutDecimals')); $form->addElement('html', '
'); diff --git a/main/exercise/exercise_show.php b/main/exercise/exercise_show.php index 01661fd73f..fb33cf4eb9 100755 --- a/main/exercise/exercise_show.php +++ b/main/exercise/exercise_show.php @@ -659,12 +659,13 @@ foreach ($questionList as $questionId) { $default = [$textareaId => $comnt]; if ($useAdvancedEditor) { - $feedback_form->addElement( - 'html_editor', + $feedback_form->addHtmlEditor( $textareaId, - null, - ['id' => $textareaId], + '', + false, + false, [ + 'id' => $textareaId, 'ToolbarSet' => 'TestAnswerFeedback', 'Width' => '100%', 'Height' => '120', @@ -672,6 +673,7 @@ foreach ($questionList as $questionId) { ); } else { $feedback_form->addElement('textarea', $textareaId, ['id' => $textareaId]); + $feedback_form->applyFilter($textareaId, 'attr_on_filter'); } $feedback_form->setDefaults($default); $feedback_form->display(); diff --git a/main/exercise/fill_blanks.class.php b/main/exercise/fill_blanks.class.php index 0993dfc929..6fef845c39 100755 --- a/main/exercise/fill_blanks.class.php +++ b/main/exercise/fill_blanks.class.php @@ -338,14 +338,16 @@ class FillBlanks extends Question null, get_lang('TypeTextBelow').', '.get_lang('And').' '.get_lang('UseTagForBlank') ); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'answer', Display::return_icon('fill_field.png'), - ['id' => 'answer'], - ['ToolbarSet' => 'TestQuestionDescription'] + true, + false, + [ + 'id' => 'answer', + 'ToolbarSet' => 'TestQuestionDescription', + ] ); - $form->addRule('answer', get_lang('GiveText'), 'required'); //added multiple answers $form->addElement('checkbox', 'multiple_answer', '', get_lang('FillInBlankSwitchable')); diff --git a/main/exercise/global_multiple_answer.class.php b/main/exercise/global_multiple_answer.class.php index 21a174f86c..46b4092d26 100755 --- a/main/exercise/global_multiple_answer.class.php +++ b/main/exercise/global_multiple_answer.class.php 
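Review bot: The `'id' => $textareaId` entry that the old call passed as element attributes now sits inside the editor-config array of `$feedback_form->addHtmlEditor($textareaId, '', false, false, [...])`; unless addHtmlEditor forwards config keys as HTML attributes, the editor element loses its id attribute, and I cannot see from the hunk whether anything targets it by id. The same relocation happens in main/inc/lib/agenda.lib.php, where `'style' => 'vertical-align:middle;'` is added to the config array rather than to attributes. If addHtmlEditor has no way to pass attributes, either confirm the id is not referenced or keep the `addElement('html_editor', ...)` form here with an explicit `applyFilter($textareaId, 'attr_on_filter')`, as the else branch does for the plain textarea. The enclosing foreach body starts and ends outside the hunk.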
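Review bot: Passing `true` as the required flag of `addHtmlEditor('answer', ...)` replaces the removed `addRule('answer', get_lang('GiveText'), 'required')`, so the message shown for an empty answer changes from GiveText to the generic ThisFieldIsRequired that addHtmlEditor adds (see the FormValidator.class.php hunk in this patch). If the question-specific wording is wanted, pass `false` here and re-add the original rule after the call. The enclosing method continues outside the hunk.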
@@ -119,23 +119,22 @@ class GlobalMultipleAnswer extends Question $form->addElement('checkbox', 'correct['.$i.']', null, null, 'class="checkbox"'); $boxes_names[] = 'correct['.$i.']'; - $form->addElement( - 'html_editor', - 'answer['.$i.']', - null, - [], + $form->addHtmlEditor( + "answer[$i]", + '', + false, + false, [ 'ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100', ] ); - $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement( - 'html_editor', - 'comment['.$i.']', - null, - [], + $form->addHtmlEditor( + "comment[$i]", + '', + false, + false, [ 'ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', diff --git a/main/exercise/multiple_answer_combination.class.php b/main/exercise/multiple_answer_combination.class.php index ed6c110005..a951b2c7bd 100755 --- a/main/exercise/multiple_answer_combination.class.php +++ b/main/exercise/multiple_answer_combination.class.php @@ -121,20 +121,19 @@ class MultipleAnswerCombination extends Question ); $boxes_names[] = 'correct['.$i.']'; - $form->addElement( - 'html_editor', - 'answer['.$i.']', - null, - [], + $form->addHtmlEditor( + "answer[$i]", + '', + true, + false, ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); - $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement( - 'html_editor', - 'comment['.$i.']', - null, - [], + $form->addHtmlEditor( + "comment[$i]", + '', + false, + false, ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); diff --git a/main/exercise/multiple_answer_true_false.class.php b/main/exercise/multiple_answer_true_false.class.php index 35403c0025..b971ef4d08 100755 --- a/main/exercise/multiple_answer_true_false.class.php +++ b/main/exercise/multiple_answer_true_false.class.php 
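Review bot: The required check for `answer[$i]` is lost in this hunk: the removed `$form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');` has no replacement because the new `addHtmlEditor("answer[$i]", '', false, false, [...])` passes `false` as the required flag. The parallel change in main/exercise/multiple_answer_combination.class.php passes `true`, which is what preserves the rule there. Change the third argument so the behaviour stays the same: `$form->addHtmlEditor("answer[$i]", '', true, false, [`. The enclosing loop starts and ends outside the hunk.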
@@ -162,6 +162,7 @@ class MultipleAnswerTrueFalse extends Question 'Height' => '100', ] ); + $form->applyFilter("comment[$i]", 'attr_on_filter'); if (isset($_POST['comment']) && isset($_POST['comment'][$i])) { $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i])); diff --git a/main/exercise/unique_answer_no_option.class.php b/main/exercise/unique_answer_no_option.class.php index 8fd2f5a295..4a58379839 100755 --- a/main/exercise/unique_answer_no_option.class.php +++ b/main/exercise/unique_answer_no_option.class.php @@ -190,9 +190,9 @@ class UniqueAnswerNoOption extends Question $answer_number->freeze(); $form->addElement('radio', 'correct', null, null, $i, 'class="checkbox" style="margin-left: 0em;"'); - $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config); - $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config); $form->addElement('text', 'weighting['.$i.']', null, ['style' => 'width: 60px;', 'value' => '0']); $form->addElement('html', ''); $i++; @@ -240,10 +240,10 @@ class UniqueAnswerNoOption extends Question $form->addElement('hidden', 'position['.$i.']', '666'); $form->addElement('radio', 'correct', null, null, $i, ['class' => 'checkbox', 'disabled' => true]); - $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config); $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config); $form->addElement('text', "weighting[$i]", null)->freeze(); $form->addHTml(''); diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php index 0adb95d75e..c7cf649ba2 100755 
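Review bot: In the @@ -240 hunk, `$form->addHtmlEditor("answer[$i]", '', false, false, $editor_config);` is immediately followed by a separate `$form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');`, while every other converted call in this patch expresses the requirement through the third argument. For consistency, write `$form->addHtmlEditor("answer[$i]", '', true, false, $editor_config);` and drop the addRule line; the resulting rule and message are the same, since addHtmlEditor adds exactly that ThisFieldIsRequired rule when the flag is true. The enclosing method continues outside the hunk.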
--- a/main/forum/forumfunction.inc.php +++ b/main/forum/forumfunction.inc.php @@ -202,11 +202,11 @@ function show_add_forumcategory_form($lp_id) $form->addElement('header', get_lang('AddForumCategory')); $form->addElement('text', 'forum_category_title', get_lang('Title'), ['autofocus']); $form->applyFilter('forum_category_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_category_comment', get_lang('Description'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -283,11 +283,11 @@ function show_add_forum_form($inputvalues = [], $lp_id = 0) $form->applyFilter('forum_title', 'html_filter'); // The comment of the forum. - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_comment', get_lang('Description'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -533,11 +533,11 @@ function show_edit_forumcategory_form($inputvalues = []) $form->addElement('text', 'forum_category_title', get_lang('Title')); $form->applyFilter('forum_category_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_category_comment', get_lang('Comment'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -4047,11 +4047,11 @@ function show_edit_post_form( $form->addElement('text', 'post_title', get_lang('Title')); $form->applyFilter('post_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'post_text', get_lang('Text'), - null, + true, + false, api_is_allowed_to_edit(null, true) ? [ 'ToolbarSet' => 'Forum', 'Width' => '100%', @@ -4063,7 +4063,6 @@ function show_edit_post_form( 'UserStatus' => 'student', ] ); - $form->addRule('post_text', get_lang('ThisFieldIsRequired'), 'required'); $extraFields = new ExtraField('forum_post'); $extraFields->addElements($form, $current_post['post_id']); 
diff --git a/main/glossary/index.php b/main/glossary/index.php index 56b72a21fc..3dee76f303 100755 --- a/main/glossary/index.php +++ b/main/glossary/index.php @@ -98,11 +98,11 @@ switch ($action) { $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']); } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'description', get_lang('TermDefinition'), - null, + false, + false, ['ToolbarSet' => 'Glossary', 'Height' => '300'] ); $form->addButtonCreate(get_lang('TermAddButton'), 'SubmitGlossary'); @@ -162,11 +162,11 @@ switch ($action) { $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']); } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'description', get_lang('TermDefinition'), - null, + false, + false, ['ToolbarSet' => 'Glossary', 'Height' => '300'] ); diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php index c9e1ce906f..1a241b8bde 100644 --- a/main/inc/lib/agenda.lib.php +++ b/main/inc/lib/agenda.lib.php @@ -3106,12 +3106,13 @@ class Agenda $toolbar = 'AgendaStudent'; } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'content', get_lang('Description'), - null, + false, + false, [ + 'style' => 'vertical-align:middle;', 'ToolbarSet' => $toolbar, 'Width' => '100%', 'Height' => '200', diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php index 3224a7dc7a..45aa25757d 100755 --- a/main/inc/lib/formvalidator/FormValidator.class.php +++ b/main/inc/lib/formvalidator/FormValidator.class.php @@ -384,6 +384,7 @@ EOT; if ($required) { $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required'); } + $this->applyFilter($name, 'attr_on_filter'); return $element; } diff --git a/main/lp/learnpath.class.php b/main/lp/learnpath.class.php index 3e51bec124..07f7346522 100755 --- a/main/lp/learnpath.class.php +++ b/main/lp/learnpath.class.php 
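Review bot: The new `$this->applyFilter($name, 'attr_on_filter');` changes the submitted value every caller of addHtmlEditor later reads back, and it does so regardless of `$required`, yet nothing in the method's docblock (above the hunk) announces it, so a caller wanting the raw editor content has no hint. Add a sentence to the docblock such as `Submitted values for this element are run through attr_on_filter() when the element is added.` Callers that previously applied the same filter by hand (MultipleAnswerTrueFalseDegreeCertainty and MultipleAnswerTrueFalse in this patch still call addElement('html_editor') directly) will now get it twice once they migrate, which is harmless but worth stating. The method signature and the start of its body are outside the hunk.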
@@ -9054,7 +9054,7 @@ class learnpath 'BaseHref' => api_get_path(WEB_COURSE_PATH).api_get_course_path().$item_path_fck, ]; - $form->addElement('html_editor', 'content_lp', '', null, $editor_config); + $form->addHtmlEditor('content_lp', '', true, true, $editor_config); $content_path = api_get_path(SYS_COURSE_PATH).api_get_course_path().$item_path_fck; $defaults['content_lp'] = file_get_contents($content_path); } diff --git a/main/lp/lp_edit.php b/main/lp/lp_edit.php index 286c2e6a70..6b0425e251 100755 --- a/main/lp/lp_edit.php +++ b/main/lp/lp_edit.php @@ -104,11 +104,11 @@ if (api_get_setting('allow_course_theme') === 'true') { } // Author -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'lp_author', get_lang('Author'), - ['size' => 80], + false, + false, ['ToolbarSet' => 'LearningPathAuthor', 'Width' => '100%', 'Height' => '200px'] ); $form->applyFilter('lp_author', 'html_filter'); diff --git a/main/notebook/index.php b/main/notebook/index.php index f7d907843c..96d7aace2a 100755 --- a/main/notebook/index.php +++ b/main/notebook/index.php @@ -91,11 +91,12 @@ if ($action === 'addnote') { $form->addElement('header', '', get_lang('NoteAddNew')); $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] ); $form->addButtonCreate(get_lang('AddNote'), 'SubmitNote'); 
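Review bot: `$form->applyFilter('text', 'attr_on_filter');` names an element called `text`, but the element added two lines above is `note_title` (`'text'` is its type, not its name), so the new filter appears to apply to nothing; if I read HTML_QuickForm's applyFilter correctly it silently skips a name that has no submitted value. The line copies the pre-existing `applyFilter('text', 'html_filter')` mistake instead of fixing it, so the title field still reaches the handler unfiltered. Use `$form->applyFilter('note_title', 'attr_on_filter');` and correct the html_filter line the same way; the same two lines recur in the @@ -158 hunk of this file and in plugin/notebookteacher/src/NotebookTeacher.php.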
@@ -158,14 +159,15 @@ if ($action === 'addnote') { $form->addElement('hidden', 'notebook_id'); $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['size' => '100']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() - ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] - : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] + ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] + : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] ); $form->addButtonUpdate(get_lang('ModifyNote'), 'SubmitNote'); diff --git a/main/survey/create_new_survey.php b/main/survey/create_new_survey.php index fab4d3c658..8c34f62ded 100755 --- a/main/survey/create_new_survey.php +++ b/main/survey/create_new_survey.php @@ -142,18 +142,18 @@ if ('edit' == $action) { $form->applyFilter('survey_code', 'api_strtoupper'); } -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_title', get_lang('SurveyTitle'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '200'] ); -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_subtitle', get_lang('SurveySubTitle'), - null, + false, + false, [ 'ToolbarSet' => 'Survey', 'Width' => '100%', 
@@ -194,18 +194,18 @@ if (api_get_configuration_value('hide_survey_reporting_button')) { $form->addElement('select', 'visible_results', get_lang('ResultsVisibility'), $visibleResults); } //$defaults['visible_results'] = 0; -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_introduction', get_lang('SurveyIntroduction'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '130', 'ToolbarStartExpanded' => false] ); -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_thanks', get_lang('SurveyThanks'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '130', 'ToolbarStartExpanded' => false] ); diff --git a/plugin/notebookteacher/src/NotebookTeacher.php b/plugin/notebookteacher/src/NotebookTeacher.php index 3defc4fbd2..53ef4bb68a 100644 --- a/plugin/notebookteacher/src/NotebookTeacher.php +++ b/plugin/notebookteacher/src/NotebookTeacher.php @@ -512,11 +512,12 @@ class NotebookTeacher $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] From b544020d8c36d84fed55c6b6b23e021cc911cfda Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:12:50 -0500 Subject: [PATCH 4/5] Security: apply attr_on_filter when send message by social network --- main/inc/ajax/message.ajax.php | 1 + 1 file changed, 1 insertion(+) diff --git a/main/inc/ajax/message.ajax.php b/main/inc/ajax/message.ajax.php index f2148dd79e..2e2784a37d 100755 --- a/main/inc/ajax/message.ajax.php 
+++ b/main/inc/ajax/message.ajax.php @@ -47,6 +47,7 @@ switch ($action) { $subject = isset($_REQUEST['subject']) ? trim($_REQUEST['subject']) : null; $messageContent = isset($_REQUEST['content']) ? trim($_REQUEST['content']) : null; + $messageContent = attr_on_filter($messageContent); if (empty($subject) || empty($messageContent)) { echo Display::return_message(get_lang('ErrorSendingMessage'), 'error'); From 7a72f095fac7128be36118b8e1748b9dbb69c599 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:58:13 -0500 Subject: [PATCH 5/5] Security: Portfolio: Apply remove XSS on items and comments content - refs BT#22113 --- main/inc/lib/PortfolioController.php | 8 ++++---- main/template/default/portfolio/view.html.twig | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/main/inc/lib/PortfolioController.php b/main/inc/lib/PortfolioController.php index 7833efdca9..a958050973 100644 --- a/main/inc/lib/PortfolioController.php +++ b/main/inc/lib/PortfolioController.php @@ -661,7 +661,7 @@ class PortfolioController }); $(\'#add_portfolio_template\').on(\'change\', function () { $(\'#portfolio-spinner\').show(); - + $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template&item=\' + this.value) .done(function(response) { if (CKEDITOR.instances.title) { @@ -3994,7 +3994,7 @@ class PortfolioController $(function() { $(\'#frm_comment_template\').on(\'change\', function () { $(\'#portfolio-spinner\').show(); - + $.getJSON(_p.web_ajax + \'portfolio.ajax.php?a=find_template_comment&comment=\' + this.value) .done(function(response) { CKEDITOR.instances.content.setData(response.content); 
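Review bot: `$messageContent = attr_on_filter($messageContent);` runs before the `empty($messageContent)` check, at a point where the previous line leaves `$messageContent` as `null` when no `content` parameter was sent; if attr_on_filter declares a non-nullable string parameter, that path now throws a TypeError instead of producing the ErrorSendingMessage response. Guard it, `$messageContent = null === $messageContent ? null : attr_on_filter($messageContent);`, or move the call below the empty check. `$subject` on the line above receives only trim(); whether it needs the same filter depends on how it is rendered, which is not visible here. The switch case continues outside the hunk.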
@@ -4094,7 +4094,7 @@ class PortfolioController $origin = $em->find(Portfolio::class, $item->getOrigin()); if ($origin) { - $originContent = $origin->getContent(); + $originContent = Security::remove_XSS($origin->getContent()); $originContentFooter = vsprintf( get_lang('OriginallyPublishedAsXTitleByYUser'), [ @@ -4107,7 +4107,7 @@ class PortfolioController $origin = $em->find(PortfolioComment::class, $item->getOrigin()); if ($origin) { - $originContent = $origin->getContent(); + $originContent = Security::remove_XSS($origin->getContent()); $originContentFooter = vsprintf( get_lang('OriginallyCommentedByXUserInYItem'), [ diff --git a/main/template/default/portfolio/view.html.twig b/main/template/default/portfolio/view.html.twig index 93cd033515..2b8d361663 100644 --- a/main/template/default/portfolio/view.html.twig +++ b/main/template/default/portfolio/view.html.twig @@ -47,7 +47,7 @@ - {{ item_content }} + {{ item_content|remove_xss }} {% if attachment_list %}