Adding filter_terms in forums see BT#2685 new option in Settings>security

15 years ago · 63c6efc5ba
parent a84ccaa2a2
commit 63c6efc5ba
5 changed files with 79 additions and 13 deletions
--- a/main/admin/settings.php
+++ b/main/admin/settings.php
@ -233,7 +233,7 @@ if (!empty($_GET['category']) && !in_array($_GET['category'], array('Plugins', '
                }
                break;
            case 'textarea':
-                $form->addElement('textarea', $row['variable'], get_lang($row['comment']), $hideme);
+                $form->addElement('textarea', $row['variable'], get_lang($row['comment']) , array('rows'=>'10','cols'=>'50'), $hideme);
                $default_values[$row['variable']] = $row['selected_value'];
                break;
            case 'radio':
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@ -144,6 +144,7 @@ function show_add_forumcategory_form($inputvalues = array(),$lp_id) {
        $check = Security::check_token('post');
        if ($check) {
            $values = $form->exportValues();
+            
            store_forumcategory($values);
        }
        Security::clear_token();
@ -477,16 +478,16 @@ function store_forumcategory($values) {
    $new_max = $row['sort_max'] + 1;
    $session_id = api_get_session_id();

-    $clean_cat_title = Database::escape_string(Security::remove_XSS(stripslashes($values['forum_category_title'])));
+    $clean_cat_title = Database::escape_string($values['forum_category_title']);

    if (isset($values['forum_category_id'])) { // Storing after edition.
-        $sql = "UPDATE ".$table_categories." SET cat_title='".$clean_cat_title."', cat_comment='".Database::escape_string(Security::remove_XSS(stripslashes($values['forum_category_comment'])))."' WHERE cat_id='".Database::escape_string($values['forum_category_id'])."'";
+        $sql = "UPDATE ".$table_categories." SET cat_title='".$clean_cat_title."', cat_comment='".Database::escape_string($values['forum_category_comment'])."' WHERE cat_id='".Database::escape_string($values['forum_category_id'])."'";
        Database::query($sql);
        $last_id = Database::insert_id();
        api_item_property_update(api_get_course_info(), TOOL_FORUM_CATEGORY, $values['forum_category_id'], 'ForumCategoryUpdated', api_get_user_id());
        $return_message = get_lang('ForumCategoryEdited');
    } else {
-        $sql = "INSERT INTO ".$table_categories." (cat_title, cat_comment, cat_order, session_id) VALUES ('".$clean_cat_title."','".Database::escape_string(Security::remove_XSS(stripslashes($values['forum_category_comment'])))."','".Database::escape_string($new_max)."','".Database::escape_string($session_id)."')";
+        $sql = "INSERT INTO ".$table_categories." (cat_title, cat_comment, cat_order, session_id) VALUES ('".$clean_cat_title."','".Database::escape_string($values['forum_category_comment'])."','".Database::escape_string($new_max)."','".Database::escape_string($session_id)."')";
        Database::query($sql);
        $last_id = Database::insert_id();
        if ($last_id > 0) {
@ -2516,9 +2517,9 @@ function store_edit_post($values) {
    $gradebook = Security::remove_XSS($_GET['gradebook']);
    // First we check if the change affects the thread and if so we commit the changes (sticky and post_title=thread_title are relevant).
    //if (array_key_exists('is_first_post_of_thread',$values)  AND $values['is_first_post_of_thread']=='1') {
-    $sql = "UPDATE $table_threads SET thread_title='".Database::escape_string(stripslashes($values['post_title']))."',
+    $sql = "UPDATE $table_threads SET thread_title='".Database::escape_string($values['post_title'])."',
                thread_sticky='".Database::escape_string(isset($values['thread_sticky']) ? $values['thread_sticky'] : null)."'," .
-                "thread_title_qualify='".Database::escape_string(Security::remove_XSS(stripslashes($values['calification_notebook_title'])))."'," .
+                "thread_title_qualify='".Database::escape_string($values['calification_notebook_title'])."'," .
                "thread_qualify_max='".Database::escape_string($values['numeric_calification'])."',".
                "thread_weight='".Database::escape_string($values['weight_calification'])."'".
                " WHERE thread_id='".Database::escape_string($values['thread_id'])."'";
@ -2526,8 +2527,8 @@ function store_edit_post($values) {
    Database::query($sql);
    //}
    // Update the post_title and the post_text.
-    $sql = "UPDATE $table_posts SET post_title='".Database::escape_string(Security::remove_XSS(stripslashes($values['post_title'])))."',
-                post_text='".Database::escape_string(Security::remove_XSS(stripslashes($values['post_text'])))."',
+    $sql = "UPDATE $table_posts SET post_title='".Database::escape_string($values['post_title'])."',
+                post_text='".Database::escape_string($values['post_text'])."',
                post_notification='".Database::escape_string(isset($values['post_notification'])?$values['post_notification']:null)."'
                WHERE post_id='".Database::escape_string($values['post_id'])."'";
    Database::query($sql);
@ -3257,7 +3258,7 @@ function prepare4display($input) {

    // TODO: Security should be implemented outside this function.
    // Change this to COURSEMANAGERLOWSECURITY or COURSEMANAGER to lower filtering and allow more styles (see comments of Security::remove_XSS() method to learn about other levels).
-    return Security::remove_XSS($input, STUDENT);
+    return Security::remove_XSS($input, STUDENT, true);
 }

 /**
--- a/main/inc/lib/database.constants.inc.php
+++ b/main/inc/lib/database.constants.inc.php
@ -125,6 +125,9 @@ define('TABLE_STATISTIC_TRACK_E_HOTSPOT',           'track_e_hotspot');
 define('TABLE_STATISTIC_TRACK_E_ITEM_PROPERTY',     'track_e_item_property');
 define('TABLE_STATISTIC_TRACK_E_OPEN',              'track_e_open');

+define('TABLE_STATISTIC_TRACK_FILTERED_TERMS',      'track_filtered_terms');
+
+
 define('TABLE_STATISTIC_TRACK_C_BROWSERS',          'track_c_browsers');
 define('TABLE_STATISTIC_TRACK_C_COUNTRIES',         'track_c_countries');
 define('TABLE_STATISTIC_TRACK_C_OS',                'track_c_os');
@ -294,3 +297,4 @@ define('TABLE_USERGROUP_REL_SESSION',   'usergroup_rel_session');

 // Mail notifications
 define('TABLE_NOTIFICATION',               'notification');
+
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -256,7 +256,11 @@ class Security {
     * @param   integer The user status,constant allowed (STUDENT, COURSEMANAGER, ANONYMOUS, COURSEMANAGERLOWSECURITY)
     * @return	mixed	Filtered string or array
     */
-    public static function remove_XSS($var, $user_status = ANONYMOUS) {
+    public static function remove_XSS($var, $user_status = ANONYMOUS, $filter_terms = false) {
+    	if ($filter_terms) {
+    		$var = self::filter_terms($var);
+    	}
+    	
        if ($user_status == COURSEMANAGERLOWSECURITY) {
            return $var;  // No filtering.
        }
@ -308,6 +312,61 @@ class Security {
            return $purifier[$user_status]->purify($var);
        }
    }
+    
+    
+    /**
+     * 
+     * Filter content 
+     * @param	string content to be filter
+     * @return 	string
+     */
+    function filter_terms($text) {
+    	static $bad_terms = array();
+    	    	
+    	if (empty($bad_terms)) {    		
+    		$list = api_get_setting('filter_terms');    	    	
+    		$list = explode("\n", $list);    		
+    		$list = array_filter($list);    		
+    		if (!empty($list)) {
+    			foreach($list as $term) {
+    				$term = str_replace(array("\r\n", "\r", "\n", "\t"), '', $term);
+    				$html_entities_value = api_htmlentities($term, ENT_QUOTES, api_get_system_encoding()); 
+    				$bad_terms[] = $term;
+    				if ($term != $html_entities_value) {    				 
+    					$bad_terms[] = $html_entities_value;
+    				}
+    			}
+    			$bad_terms = array_filter($bad_terms);
+    		}
+    	}
+    	    	
+    	$replace = '***';    	
+    	if (!empty($bad_terms)) {
+    		//Fast way
+    		$new_text = str_replace($bad_terms, $replace, $text, $count);
+    		
+    		//We need statistics
+    		/*
+    		if (strlen($new_text) != strlen($text)) {
+    			$table = Database::get_main_table(TABLE_STATISTIC_TRACK_FILTERED_TERMS);
+    			$attributes = array();
+    			
+    			
+    			$attributes['user_id'] 		=
+    			$attributes['course_id'] 	=
+    			$attributes['session_id'] 	=
+    			$attributes['tool_id'] 		=
+    			$attributes['term'] 		=
+    			$attributes['created_at'] 	= api_get_utc_datetime();
+    			$sql = Database::insert($table, $attributes);
+    		}
+    		*/
+    		$text = $new_text;
+    		
+    	}        	
+		return $text;
+    }
+    

    /**
     * This method provides specific protection (against XSS and other kinds of attacks) for static images (icons) used by the system.
@ -350,5 +409,5 @@ class Security {
            return '';
        }
        return $image_path;
-    }
+    }   
 }
--- a/main/install/migrate-db-1.8.8-1.9.0-pre.sql
+++ b/main/install/migrate-db-1.8.8-1.9.0-pre.sql
@ -13,12 +13,14 @@
 -- This first part is for the main database

 -- xxMAINxx
-UPDATE settings_current SET selected_value = '1.9.0.14911' WHERE variable = 'chamilo_database_version';
+UPDATE settings_current SET selected_value = '1.9.0.15605' WHERE variable = 'chamilo_database_version';
+
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable) VALUES ('filter_terms', NULL, 'textarea', 'Security', '', 'FilterTermsTitle', 'FilterTermsComment', NULL, NULL, 0);


 -- xxSTATSxx
 ALTER TABLE track_e_exercices ADD COLUMN questions_to_check TEXT  NOT NULL DEFAULT '';
-
+--CREATE TABLE track_filtered_terms (id int, user_id int, course_id int, session_id int, tool_id char(12), filtered_term varchar(255), created_at datetime);

 -- xxUSERxx