Added Security::remove_XSS at text field in forum

15 years ago · 575c1293b3
parent 90a242be86
commit 575c1293b3
5 changed files with 16 additions and 3 deletions
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@ -1838,6 +1838,7 @@ function store_thread($values) {
 		$sql="UPDATE $table_threads SET thread_last_post='".Database::escape_string($last_post_id)."'  WHERE thread_id='".Database::escape_string($last_thread_id)."'";
 		$result=Database::query($sql, __LINE__, __FILE__);
 		$message=get_lang('NewThreadStored');
+		$message= Database::escape_string($message);
 		// Storing the attachments if any
 		if ($has_attachment) {
 			$courseDir   = $_course['path'].'/upload/forum';
--- a/main/forum/viewthread.php
+++ b/main/forum/viewthread.php
@ -181,7 +181,7 @@ if ($my_message<>'PostDeletedSpecial') {
 	// in this case the first and only post of the thread is removed
 	// this increases the number of times the thread has been viewed
 	increase_thread_view($_GET['thread']);
-	/*
+	/* 
 	-----------------------------------------------------------
 		Action Links
 	-----------------------------------------------------------
@ -291,7 +291,7 @@ if ($my_message<>'PostDeletedSpecial') {
 		default:
 			include_once('viewthread_flat.inc.php');
 			break;
-	}
+	} 
 } // if ($message<>'PostDeletedSpecial') // in this case the first and only post of the thread is removed

 /*
--- a/main/forum/viewthread_flat.inc.php
+++ b/main/forum/viewthread_flat.inc.php
@ -130,14 +130,20 @@ foreach ($rows as $row) {
 	echo "\t\t<td class=\"$titleclass\">".prepare4display($row['post_title'])."</td>\n";
 	echo "\t</tr>\n";

+
+	
 	// The post message
+	//var_dump($messageclass);
+	
+	$row['post_text']= Security::remove_XSS($row['post_text']);
+	
 	echo "\t<tr>\n";
 	echo "\t\t<td class=\"$messageclass\">".prepare4display($row['post_text'])."</td>\n";
 	echo "\t</tr>\n";

 	// The check if there is an attachment
+	 
 	$attachment_list=get_attachment($row['post_id']);
-
 	if (!empty($attachment_list)) {
 		echo '<tr><td height="50%">';
 		$realname=$attachment_list['path'];
--- a/main/forum/viewthread_nested.inc.php
+++ b/main/forum/viewthread_nested.inc.php
@ -129,6 +129,9 @@ foreach ($rows as $post) {
 	echo "\t</tr>\n";

 	// The post message
+	
+	$post['post_text']= Security::remove_XSS($post['post_text']);
+	
 	echo "\t<tr>\n";
 	echo "\t\t<td class=\"$messageclass\">".prepare4display($post['post_text'])."</td>\n";
 	echo "\t</tr>\n";
--- a/main/forum/viewthread_threaded.inc.php
+++ b/main/forum/viewthread_threaded.inc.php
@ -307,6 +307,9 @@ echo "\t\t<td class=\"$titleclass\">".prepare4display($rows[$display_post_id]['p
 echo "\t</tr>\n";

 // The post message
+
+$rows[$display_post_id]['post_text']= Security::remove_XSS($rows[$display_post_id]['post_text']);
+
 echo "\t<tr>\n";
 echo "\t\t<td class=\"$messageclass\">".prepare4display($rows[$display_post_id]['post_text'])."</td>\n";
 echo "\t</tr>\n";