Blogs: Add remove_xss

pull/3937/head^2
Julio Montoya 4 years ago
parent 0d9add8ec3
commit 6c935a64be
  1. 4
      main/blog/blog.php
  2. 35
      main/inc/lib/blog.lib.php
  3. 12
      main/template/default/blog/blog.tpl
  4. 22
      main/template/default/blog/post.tpl

@ -315,7 +315,7 @@ switch ($action) {
}
break;
case 'view_post':
$postArticle = Blog::getSinglePost($blog_id, intval($_GET['post_id']));
$postArticle = Blog::getSinglePost($blog_id, $_GET['post_id']);
$tpl->assign('post', $postArticle);
$blogLayout = $tpl->get_template('blog/post.tpl');
break;
@ -390,7 +390,7 @@ switch ($action) {
break;
case 'execute_task':
if (isset($_GET['post_id'])) {
$post = Blog::getSinglePost($blog_id, intval($_GET['post_id']));
$post = Blog::getSinglePost($blog_id, $_GET['post_id']);
$tpl->assign('post', $post);
$blogLayout = $tpl->get_template('blog/post.tpl');
} else {
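Review bot: Both `view_post` and `execute_task` now hand `$_GET['post_id']` to `Blog::getSinglePost()` without the call-site `intval()`; this appears safe only because the callee still runs `$post_id = intval($post_id);` (visible in the blog.lib.php hunk at -1104), so the integer cast has become a silent dependency on the library rather than a check at the point where the input enters. The `view_post` case also reads the key with no `isset()` guard, unlike `execute_task`, so a request that omits `post_id` triggers an undefined-index notice. A local `(int) ($_GET['post_id'] ?? 0)` at both call sites keeps the boundary check in the controller and avoids the notice. The enclosing `switch ($action)` starts and ends outside both hunks.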

@ -1045,9 +1045,9 @@ class Blog
'id_autor' => $blog_post['author_id'],
'autor' => $blog_post['firstname'].' '.$blog_post['lastname'],
'username' => $blog_post['username'],
'title' => stripslashes($blog_post['title']),
'title' => Security::remove_XSS($blog_post['title']),
'extract' => self::getPostExtract($blog_post['full_text'], BLOG_MAX_PREVIEW_CHARS),
'content' => stripslashes($blog_post['full_text']),
'content' => Security::remove_XSS($blog_post['full_text']),
'post_date' => Display::dateToStringAgoAndLongDate($blog_post['date_creation']),
'n_comments' => $blog_post_comments['number_of_comments'],
'files' => $fileArray,
@ -1104,7 +1104,6 @@ class Blog
global $charset;
$course_id = api_get_course_int_id();
$courseParams = api_get_cidreq();
$blog_id = intval($blog_id);
$post_id = intval($post_id);
@ -1182,9 +1181,9 @@ class Blog
'id_author' => $blog_post['author_id'],
'author' => $blog_post['firstname'].' '.$blog_post['lastname'],
'username' => $blog_post['username'],
'title' => stripslashes($blog_post['title']),
'title' => Security::remove_XSS($blog_post['title']),
'extract' => api_get_short_text_from_html(
stripslashes($blog_post['full_text']),
Security::remove_XSS($blog_post['full_text']),
400
),
'content' => $post_text,
@ -1252,7 +1251,7 @@ class Blog
$commentActions = null;
$ratingSelect = null;
$comment_text = make_clickable(stripslashes($comment['comment']));
$comment_text = stripslashes($comment_text);
$comment_text = Security::remove_XSS($comment_text);
$commentActions .= Display::toolbarButton(
get_lang('ReplyToThisComment'),
'#',
@ -1300,7 +1299,7 @@ class Blog
'iid' => $comment['iid'],
'id_comment' => $comment['comment_id'],
'id_curso' => $comment['c_id'],
'title' => $comment['title'],
'title' => Security::remove_XSS($comment['title']),
'content' => $comment_text,
'id_author' => $comment['author_id'],
'comment_date' => Display::dateToStringAgoAndLongDate($comment['date_creation']),
@ -1881,11 +1880,6 @@ class Blog
$css_class = (($counter % 2) == 0) ? "row_odd" : "row_even";
$delete_icon = ($assignment['system_task'] == '1') ? "delete_na.png" : "delete.png";
$delete_title = ($assignment['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask');
$delete_link = ($assignment['system_task'] == '1') ? '#' : api_get_self().'?action=manage_tasks&blog_id='.$assignment['blog_id'].'&do=delete&task_id='.$assignment['task_id'].'&'.api_get_cidreq();
$delete_confirm = ($assignment['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(
api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)
).'\')) return false;"';
$username = api_htmlentities(sprintf(get_lang('LoginX'), $assignment['username']), ENT_QUOTES);
$return .= '<tr class="'.$css_class.'" valign="top">';
@ -1894,8 +1888,8 @@ class Blog
api_get_person_name($assignment['firstname'], $assignment['lastname']),
['title' => $username]
).'</td>';
$return .= '<td>'.stripslashes($assignment['title']).'</td>';
$return .= '<td>'.stripslashes($assignment['description']).'</td>';
$return .= '<td>'.Security::remove_XSS($assignment['title']).'</td>';
$return .= '<td>'.Security::remove_XSS($assignment['description']).'</td>';
$return .= '<td>'.$assignment['target_date'].'</td>';
$return .= '<td width="50">';
$return .= '<a
@ -2414,6 +2408,7 @@ class Blog
AND c_id = $course_id";
$result = Database::query($sql);
$row = Database::fetch_assoc($result);
// Get posts and authors
$sql = "SELECT post.*, user.lastname, user.firstname, user.username
FROM $tbl_blogs_posts post
@ -2425,8 +2420,8 @@ class Blog
// Display
$return = '<span class="blogpost_title">'.
get_lang('SelectTaskArticle').' "'.stripslashes($row['title']).'"</span>';
$return .= '<span style="font-style: italic;"">'.stripslashes($row['description']).'</span><br><br>';
get_lang('SelectTaskArticle').' "'.Security::remove_XSS($row['title']).'"</span>';
$return .= '<span style="font-style: italic;"">'.Security::remove_XSS($row['description']).'</span><br><br>';
if (Database::num_rows($result) == 0) {
$return .= get_lang('NoArticles');
@ -2437,9 +2432,8 @@ class Blog
while ($blog_post = Database::fetch_array($result)) {
$username = api_htmlentities(sprintf(get_lang('LoginX'), $blog_post['username']), ENT_QUOTES);
$return .= '<a href="'.$url.'&blog_id='.$blog_id.'&task_id='.$task_id.'&post_id='.$blog_post['post_id'].'#add_comment">'.
stripslashes(
$blog_post['title']
).'</a>, '.get_lang('WrittenBy').' '.stripslashes(
Security::remove_XSS($blog_post['title']).'</a>, '.
get_lang('WrittenBy').' '.stripslashes(
Display::tag(
'span',
api_get_person_name($blog_post['firstname'], $blog_post['lastname']),
@ -2502,8 +2496,6 @@ class Blog
$html .= '<legend>'.get_lang('SubscribeMembers').'</legend>';
$properties['width'] = '100%';
// Get blog members' id.
$sql = "SELECT user.user_id FROM $tbl_users user
INNER JOIN $tbl_blogs_rel_user blogs_rel_user
@ -2630,7 +2622,6 @@ class Blog
$html .= '<legend>'.get_lang('UnsubscribeMembers').'</legend>';
$properties["width"] = "100%";
//table column titles
$column_header[] = ['', false, ''];
if ($is_western_name_order) {
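Review bot: `Security::remove_XSS()` is applied to `title` fields (hunks at -1045, -1182, -1300, -1894, -2425 and -2437) that are rendered as plain text, where a tag-filtering sanitizer still lets permitted markup through; the same function already entity-escapes `$username` with `api_htmlentities(..., ENT_QUOTES)` in the -1881 hunk, and that is the tighter and more consistent choice for text-only values, e.g. `$return .= '<td>'.api_htmlentities($assignment['title'], ENT_QUOTES).'</td>';`. Dropping `stripslashes()` at the same time changes output for any rows that were stored with escaped quotes by the old input path, which is worth checking against existing data before release. In the -1251 hunk the filter now runs on the result of `make_clickable()`, so it is worth confirming that the anchors that helper generates survive the sanitizer intact rather than being stripped. All of these hunks sit inside methods whose bodies begin and end outside the shown lines.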

@ -20,7 +20,7 @@
<input type="hidden" name="id_session" value="{{ session_id }}"/>
<input type="hidden" name="blog_id" value="{{ id_blog }}"/>
<input type="hidden" name="action" value="view_search_result"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
</div>
<button class="btn btn-default btn-block" type="submit">
<em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@ -62,7 +62,9 @@
<div class="panel-body">
<h3 class="title-post">
<a href="{{ _p.web_self ~ '?' ~ _p.web_cid_query ~ '&' ~ {'action':'view_post', 'blog_id':item.id_blog, 'post_id':item.id_post}|url_encode }}#add_comment"
title="{{ item.title }}">{{ item.title }}</a>
title="{{ item.title }}">
{{ item.title | remove_xss }}
</a>
</h3>
<div class="info-post">
<span class="date"><i class="fa fa-clock-o"></i> {{ item.post_date }}</span>
@ -85,13 +87,15 @@
{% endif %}
<div id="post-content-{{ item.id_post }}" class="{{ item.extract ? 'hidden' : '' }}">
{{ item.content }}
{{ item.content | remove_xss }}
</div>
{% if item.files %}
<div class="well well-sm files">
<i class="fa fa-paperclip" aria-hidden="true"></i>
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a>
<a href="download.php?file={{ item.files.path }}">
{{ item.files.filename | remove_xss }}
</a>
</div>
{% endif %}
</div>
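Review bot: At the new `<a … title="{{ item.title }}">` line the attribute still receives the raw title while the element text gets `| remove_xss`, so one value is filtered in the text context and left untouched in the attribute context; unless Twig autoescaping is known to be on for this template (the explicit filters suggest it may not be), the attribute should be escaped for its own context, e.g. `title="{{ item.title | e('html_attr') }}"`. The same pattern recurs in post.tpl at `<h1 title="{{ post.title }}">`. `item.content` already passes through `Security::remove_XSS()` in blog.lib.php (hunk -1045), so the template filter on it is a second pass, harmless but worth a short comment if it is kept deliberately. `item.files.path` in the download `href` remains unfiltered; if it is a single query value, the `| url_encode` filter already used on this page for the post link would fit there too.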

@ -12,7 +12,9 @@
{{ item.actions }}
</div>
<h4 class="media-heading"
id="comment-{{ item.iid }}-title">{{ item.title }}</h4>
id="comment-{{ item.iid }}-title">
{{ item.title | remove_xss }}
</h4>
<ul class="info-post list-inline">
<li class="date">
<i class="fa fa-clock-o"></i> {{ item.comment_date }}
@ -29,13 +31,15 @@
</li>
</ul>
<div id="comment-{{ item.iid }}-content">
{{ item.content }}
{{ item.content | remove_xss }}
</div>
{% if item.files %}
<aside class="well well-sm files">
<i class="fa fa-paperclip" aria-hidden="true"></i>
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a>
<p>{{ item.files.comment }}</p>
<a href="download.php?file={{ item.files.path }}">
{{ item.files.filename | remove_xss }}
</a>
<p>{{ item.files.comment | remove_xss }}</p>
</aside>
{% endif %}
@ -74,7 +78,7 @@
<div class="form-group">
<input type="hidden" name="blog_id" value="{{ id_blog }}"/>
<input type="hidden" name="action" value="view_search_result"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
</div>
<button class="btn btn-default btn-block" type="submit">
<em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@ -106,7 +110,7 @@
<article>
<div class="article-header">
<div class="title">
<h1 title="{{ post.title }}">{{ post.title }}</h1>
<h1 title="{{ post.title }}">{{ post.title | remove_xss }}</h1>
</div>
<ul class="info-post list-inline">
<li class="date">
@ -118,7 +122,9 @@
</li>
<li class="autor">
<i class="fa fa-user" aria-hidden="true"></i>
<a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">{{ post.author }}</a>
<a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">
{{ post.author }}
</a>
</li>
<li class="score">
<i class="fa fa-star" aria-hidden="true"></i> {{ post.score_ranking }}
@ -126,7 +132,7 @@
</ul>
</div>
<div class="content-post">
{{ post.content }}
{{ post.content | remove_xss }}
</div>
{% if post.files %}
<aside class="well well-sm files">
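Review bot: `post.author` on the reflowed `<a href="…profile.php?u={{ post.id_author }}">` line is left without `| remove_xss` even though blog.lib.php builds it as the raw `firstname.' '.lastname` concatenation (hunk -1182), so a user-editable display name reaches the page unfiltered while the neighbouring title and content are filtered; `{{ post.author | remove_xss }}` keeps it consistent with the rest of the template. The `title="{{ post.title }}"` attribute on the `<h1>` likewise still receives the unfiltered value while only the text node is filtered, so the attribute needs its own context escaping as well.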
