From 65d6591421e86e18c3bc2fca3843e408052c3046 Mon Sep 17 00:00:00 2001 From: Yannick Warnier Date: Thu, 31 Jan 2008 02:58:54 +0100 Subject: [PATCH] [svn r14211] Added filtering against XSS (see FS#2218 4.1) --- main/calendar/myagenda.php | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/main/calendar/myagenda.php b/main/calendar/myagenda.php index 016c2d422f..2b87ca93d5 100644 --- a/main/calendar/myagenda.php +++ b/main/calendar/myagenda.php @@ -1,5 +1,4 @@ ".$time." ".$array_course_info["visual_code"]." ".$item['title']."
"; } } @@ -419,8 +418,8 @@ function display_monthcalendar($agendaitems, $month, $year, $weekdaynames, $mont $dayone = getdate(mktime(0, 0, 0, $month, 1, $year)); //Start the week on monday $startdayofweek = $dayone['wday'] <> 0 ? ($dayone['wday'] - 1) : 6; - $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".htmlentities($_GET['courseCode'])."&action=view&view=month&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); - $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".htmlentities($_GET['courseCode'])."&action=view&view=month&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); + $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=month&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); + $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=month&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); echo "\n", "\n", "\n", "\n", "\n", "\n"; 
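Review bot: The courseCode value is still placed in a URL query string without percent-encoding: `Security::remove_XSS()` strips markup, but a code containing `&`, `=`, `#` or a space breaks the query, and a `"` ends the `href` attribute — the replaced `htmlentities()` at least covered that last case, unless remove_XSS also entity-encodes, which is not visible here. The same two lines already treat `$course_path` correctly with `urlencode()`; do the same for the code, `$course_code = isset($_GET['courseCode']) ? urlencode($_GET['courseCode']) : '';`, use `"&courseCode=".$course_code` in both `$backwardsURL` and `$forewardsURL`, and apply `htmlspecialchars()` to the finished URL where it is echoed into the attribute. The `isset()` guard also removes the PHP notice when the parameter is absent. The body of `display_monthcalendar` continues outside the hunk.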
@@ -482,8 +481,8 @@ function display_minimonthcalendar($agendaitems, $month, $year, $monthName) $dayone = getdate(mktime(0, 0, 0, $month, 1, $year)); //Start the week on monday $startdayofweek = $dayone['wday'] <> 0 ? ($dayone['wday'] - 1) : 6; - $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); - $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); + $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&month=". ($month == 1 ? 12 : $month -1)."&year=". ($month == 1 ? $year -1 : $year); + $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&month=". ($month == 12 ? 1 : $month +1)."&year=". ($month == 12 ? $year +1 : $year); echo "
«", $monthName, " ", $year, "»
\n", "\n", "\n", "\n", "\n", "\n"; @@ -563,8 +562,8 @@ function display_weekcalendar($agendaitems, $month, $year, $weekdaynames, $month $day_of_the_week = date("w", $today); // Numeric representation of the day of the week 0 (for Sunday) through 6 (for Saturday) of today $timestamp_first_date_of_week = $today - (($day_of_the_week -1) * 24 * 60 * 60); // timestamp of the monday of this week $timestamp_last_date_of_week = $today + ((7 - $day_of_the_week) * 24 * 60 * 60); // timestamp of the sunday of this week - $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&action=view&view=week&week=". ($week_number -1); - $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&action=view&view=week&week=". ($week_number +1); + $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=week&week=". ($week_number -1); + $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=week&week=". ($week_number +1); echo "
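Review bot: Both URLs in `display_minimonthcalendar` read `$_GET['courseCode']` a second time and pass it through a filter meant for HTML output, while the value is actually being embedded in a query component; the context-correct escape is `urlencode()`, as already used for `$course_path` on the same lines. Reading the parameter once, `$course_code = isset($_GET['courseCode']) ? urlencode($_GET['courseCode']) : '';`, and concatenating `"&courseCode=".$course_code` in both strings keeps the filtering in one place and avoids the notice when the parameter is missing. Whether the assembled URL is then escaped for the `href` attribute cannot be seen from this hunk because the `echo` markup is not shown; it should be, with `htmlspecialchars()`. The function continues outside the hunk.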
«", $monthName, " ", $year, "»
\n"; // The title row containing the the week information (week of the year (startdate of week - enddate of week) echo "\n"; @@ -655,8 +654,8 @@ function display_daycalendar($agendaitems, $day, $month, $year, $weekdaynames, $ // we are loading all the calendar items of all the courses for today echo "
\n"; // the forward and backwards url - $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&action=view&view=day&day=".date("j", $previousday)."&month=".date("n", $previousday)."&year=".date("Y", $previousday); - $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".$_GET['courseCode']."&action=view&view=day&day=".date("j", $nextday)."&month=".date("n", $nextday)."&year=".date("Y", $nextday); + $backwardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=day&day=".date("j", $previousday)."&month=".date("n", $previousday)."&year=".date("Y", $previousday); + $forewardsURL = api_get_self()."?coursePath=".urlencode($course_path)."&courseCode=".Security::remove_XSS($_GET['courseCode'])."&action=view&view=day&day=".date("j", $nextday)."&month=".date("n", $nextday)."&year=".date("Y", $nextday); // The title row containing the day echo "\n", "\n", "
«"; echo $DaysLong[$day_of_the_week]." ".date("j", $today)." ".$MonthsLong[date("n", $today) - 1]." ".date("Y", $today);
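Review bot: As in the other views, `Security::remove_XSS()` is applied to a value that is about to be concatenated into a query string, so a courseCode with reserved URL characters still corrupts the `day`, `month` and `year` parameters that follow it; `urlencode($_GET['courseCode'])`, matching the `urlencode($course_path)` on the same line, is the escape for this position. Reading the parameter once with an `isset()` check, `$course_code = isset($_GET['courseCode']) ? urlencode($_GET['courseCode']) : '';`, and reusing `$course_code` in both URLs keeps the two lines consistent. The `echo` of `$backwardsURL` after the hunk should pass it through `htmlspecialchars()` for the attribute context; that line's markup is not visible here, so this is inferred. The `display_daycalendar` function begins and ends outside the hunk.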