Blogs: Add remove_xss

pull/3937/head^2
Julio Montoya 4 years ago
parent 0d9add8ec3
commit 6c935a64be
  1. 4
      main/blog/blog.php
  2. 35
      main/inc/lib/blog.lib.php
  3. 12
      main/template/default/blog/blog.tpl
  4. 22
      main/template/default/blog/post.tpl

@ -315,7 +315,7 @@ switch ($action) {
} }
break; break;
case 'view_post': case 'view_post':
$postArticle = Blog::getSinglePost($blog_id, intval($_GET['post_id'])); $postArticle = Blog::getSinglePost($blog_id, $_GET['post_id']);
$tpl->assign('post', $postArticle); $tpl->assign('post', $postArticle);
$blogLayout = $tpl->get_template('blog/post.tpl'); $blogLayout = $tpl->get_template('blog/post.tpl');
break; break;
@ -390,7 +390,7 @@ switch ($action) {
break; break;
case 'execute_task': case 'execute_task':
if (isset($_GET['post_id'])) { if (isset($_GET['post_id'])) {
$post = Blog::getSinglePost($blog_id, intval($_GET['post_id'])); $post = Blog::getSinglePost($blog_id, $_GET['post_id']);
$tpl->assign('post', $post); $tpl->assign('post', $post);
$blogLayout = $tpl->get_template('blog/post.tpl'); $blogLayout = $tpl->get_template('blog/post.tpl');
} else { } else {
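Review bot: Dropping `intval()` from the `$_GET['post_id']` argument at the two `Blog::getSinglePost()` calls (the `view_post` case here and the `execute_task` case in the second hunk) moves the integer cast away from the request boundary; the hunk at @ -1104 in blog.lib.php shows a `$post_id = intval($post_id);` line that presumably belongs to that method, so the value is still likely cast, but the call site now depends on the callee for it. I would keep the cast where the request is read, `$postArticle = Blog::getSinglePost($blog_id, (int) $_GET['post_id']);`, and the same in the `execute_task` case, so a later change to the library cannot silently let a raw string reach the query. The enclosing `switch ($action)` starts and ends outside both hunks.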

@ -1045,9 +1045,9 @@ class Blog
'id_autor' => $blog_post['author_id'], 'id_autor' => $blog_post['author_id'],
'autor' => $blog_post['firstname'].' '.$blog_post['lastname'], 'autor' => $blog_post['firstname'].' '.$blog_post['lastname'],
'username' => $blog_post['username'], 'username' => $blog_post['username'],
'title' => stripslashes($blog_post['title']), 'title' => Security::remove_XSS($blog_post['title']),
'extract' => self::getPostExtract($blog_post['full_text'], BLOG_MAX_PREVIEW_CHARS), 'extract' => self::getPostExtract($blog_post['full_text'], BLOG_MAX_PREVIEW_CHARS),
'content' => stripslashes($blog_post['full_text']), 'content' => Security::remove_XSS($blog_post['full_text']),
'post_date' => Display::dateToStringAgoAndLongDate($blog_post['date_creation']), 'post_date' => Display::dateToStringAgoAndLongDate($blog_post['date_creation']),
'n_comments' => $blog_post_comments['number_of_comments'], 'n_comments' => $blog_post_comments['number_of_comments'],
'files' => $fileArray, 'files' => $fileArray,
@ -1104,7 +1104,6 @@ class Blog
global $charset; global $charset;
$course_id = api_get_course_int_id(); $course_id = api_get_course_int_id();
$courseParams = api_get_cidreq();
$blog_id = intval($blog_id); $blog_id = intval($blog_id);
$post_id = intval($post_id); $post_id = intval($post_id);
@ -1182,9 +1181,9 @@ class Blog
'id_author' => $blog_post['author_id'], 'id_author' => $blog_post['author_id'],
'author' => $blog_post['firstname'].' '.$blog_post['lastname'], 'author' => $blog_post['firstname'].' '.$blog_post['lastname'],
'username' => $blog_post['username'], 'username' => $blog_post['username'],
'title' => stripslashes($blog_post['title']), 'title' => Security::remove_XSS($blog_post['title']),
'extract' => api_get_short_text_from_html( 'extract' => api_get_short_text_from_html(
stripslashes($blog_post['full_text']), Security::remove_XSS($blog_post['full_text']),
400 400
), ),
'content' => $post_text, 'content' => $post_text,
@ -1252,7 +1251,7 @@ class Blog
$commentActions = null; $commentActions = null;
$ratingSelect = null; $ratingSelect = null;
$comment_text = make_clickable(stripslashes($comment['comment'])); $comment_text = make_clickable(stripslashes($comment['comment']));
$comment_text = stripslashes($comment_text); $comment_text = Security::remove_XSS($comment_text);
$commentActions .= Display::toolbarButton( $commentActions .= Display::toolbarButton(
get_lang('ReplyToThisComment'), get_lang('ReplyToThisComment'),
'#', '#',
@ -1300,7 +1299,7 @@ class Blog
'iid' => $comment['iid'], 'iid' => $comment['iid'],
'id_comment' => $comment['comment_id'], 'id_comment' => $comment['comment_id'],
'id_curso' => $comment['c_id'], 'id_curso' => $comment['c_id'],
'title' => $comment['title'], 'title' => Security::remove_XSS($comment['title']),
'content' => $comment_text, 'content' => $comment_text,
'id_author' => $comment['author_id'], 'id_author' => $comment['author_id'],
'comment_date' => Display::dateToStringAgoAndLongDate($comment['date_creation']), 'comment_date' => Display::dateToStringAgoAndLongDate($comment['date_creation']),
@ -1881,11 +1880,6 @@ class Blog
$css_class = (($counter % 2) == 0) ? "row_odd" : "row_even"; $css_class = (($counter % 2) == 0) ? "row_odd" : "row_even";
$delete_icon = ($assignment['system_task'] == '1') ? "delete_na.png" : "delete.png"; $delete_icon = ($assignment['system_task'] == '1') ? "delete_na.png" : "delete.png";
$delete_title = ($assignment['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask'); $delete_title = ($assignment['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask');
$delete_link = ($assignment['system_task'] == '1') ? '#' : api_get_self().'?action=manage_tasks&blog_id='.$assignment['blog_id'].'&do=delete&task_id='.$assignment['task_id'].'&'.api_get_cidreq();
$delete_confirm = ($assignment['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(
api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)
).'\')) return false;"';
$username = api_htmlentities(sprintf(get_lang('LoginX'), $assignment['username']), ENT_QUOTES); $username = api_htmlentities(sprintf(get_lang('LoginX'), $assignment['username']), ENT_QUOTES);
$return .= '<tr class="'.$css_class.'" valign="top">'; $return .= '<tr class="'.$css_class.'" valign="top">';
@ -1894,8 +1888,8 @@ class Blog
api_get_person_name($assignment['firstname'], $assignment['lastname']), api_get_person_name($assignment['firstname'], $assignment['lastname']),
['title' => $username] ['title' => $username]
).'</td>'; ).'</td>';
$return .= '<td>'.stripslashes($assignment['title']).'</td>'; $return .= '<td>'.Security::remove_XSS($assignment['title']).'</td>';
$return .= '<td>'.stripslashes($assignment['description']).'</td>'; $return .= '<td>'.Security::remove_XSS($assignment['description']).'</td>';
$return .= '<td>'.$assignment['target_date'].'</td>'; $return .= '<td>'.$assignment['target_date'].'</td>';
$return .= '<td width="50">'; $return .= '<td width="50">';
$return .= '<a $return .= '<a
@ -2414,6 +2408,7 @@ class Blog
AND c_id = $course_id"; AND c_id = $course_id";
$result = Database::query($sql); $result = Database::query($sql);
$row = Database::fetch_assoc($result); $row = Database::fetch_assoc($result);
// Get posts and authors // Get posts and authors
$sql = "SELECT post.*, user.lastname, user.firstname, user.username $sql = "SELECT post.*, user.lastname, user.firstname, user.username
FROM $tbl_blogs_posts post FROM $tbl_blogs_posts post
@ -2425,8 +2420,8 @@ class Blog
// Display // Display
$return = '<span class="blogpost_title">'. $return = '<span class="blogpost_title">'.
get_lang('SelectTaskArticle').' "'.stripslashes($row['title']).'"</span>'; get_lang('SelectTaskArticle').' "'.Security::remove_XSS($row['title']).'"</span>';
$return .= '<span style="font-style: italic;"">'.stripslashes($row['description']).'</span><br><br>'; $return .= '<span style="font-style: italic;"">'.Security::remove_XSS($row['description']).'</span><br><br>';
if (Database::num_rows($result) == 0) { if (Database::num_rows($result) == 0) {
$return .= get_lang('NoArticles'); $return .= get_lang('NoArticles');
@ -2437,9 +2432,8 @@ class Blog
while ($blog_post = Database::fetch_array($result)) { while ($blog_post = Database::fetch_array($result)) {
$username = api_htmlentities(sprintf(get_lang('LoginX'), $blog_post['username']), ENT_QUOTES); $username = api_htmlentities(sprintf(get_lang('LoginX'), $blog_post['username']), ENT_QUOTES);
$return .= '<a href="'.$url.'&blog_id='.$blog_id.'&task_id='.$task_id.'&post_id='.$blog_post['post_id'].'#add_comment">'. $return .= '<a href="'.$url.'&blog_id='.$blog_id.'&task_id='.$task_id.'&post_id='.$blog_post['post_id'].'#add_comment">'.
stripslashes( Security::remove_XSS($blog_post['title']).'</a>, '.
$blog_post['title'] get_lang('WrittenBy').' '.stripslashes(
).'</a>, '.get_lang('WrittenBy').' '.stripslashes(
Display::tag( Display::tag(
'span', 'span',
api_get_person_name($blog_post['firstname'], $blog_post['lastname']), api_get_person_name($blog_post['firstname'], $blog_post['lastname']),
@ -2502,8 +2496,6 @@ class Blog
$html .= '<legend>'.get_lang('SubscribeMembers').'</legend>'; $html .= '<legend>'.get_lang('SubscribeMembers').'</legend>';
$properties['width'] = '100%';
// Get blog members' id. // Get blog members' id.
$sql = "SELECT user.user_id FROM $tbl_users user $sql = "SELECT user.user_id FROM $tbl_users user
INNER JOIN $tbl_blogs_rel_user blogs_rel_user INNER JOIN $tbl_blogs_rel_user blogs_rel_user
@ -2630,7 +2622,6 @@ class Blog
$html .= '<legend>'.get_lang('UnsubscribeMembers').'</legend>'; $html .= '<legend>'.get_lang('UnsubscribeMembers').'</legend>';
$properties["width"] = "100%";
//table column titles //table column titles
$column_header[] = ['', false, '']; $column_header[] = ['', false, ''];
if ($is_western_name_order) { if ($is_western_name_order) {
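Review bot: In the hunk at @ -1045 the `'extract'` entry is still built from the raw `$blog_post['full_text']` via `self::getPostExtract()`, while `'title'` and `'content'` on the neighbouring lines now pass through `Security::remove_XSS()` and the parallel hunk at @ -1182 filters the text before `api_get_short_text_from_html()`; unless `getPostExtract()` filters internally (not visible here), the preview keeps whatever markup the full text carried. I would make it match the other hunk: `'extract' => self::getPostExtract(Security::remove_XSS($blog_post['full_text']), BLOG_MAX_PREVIEW_CHARS),`. Note also that replacing `stripslashes()` with `Security::remove_XSS()` throughout removes the backslash stripping rather than adding to it, so rows stored with escaped quotes would now render with their backslashes; the description should say whether that is intended. In the hunk at @ -1252 the comment is filtered only after `make_clickable()` has wrapped it in anchor markup, so whether the generated links survive depends on the filter's allow-list — filtering the raw comment first and linking afterwards avoids that dependency.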

@ -20,7 +20,7 @@
<input type="hidden" name="id_session" value="{{ session_id }}"/> <input type="hidden" name="id_session" value="{{ session_id }}"/>
<input type="hidden" name="blog_id" value="{{ id_blog }}"/> <input type="hidden" name="blog_id" value="{{ id_blog }}"/>
<input type="hidden" name="action" value="view_search_result"/> <input type="hidden" name="action" value="view_search_result"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/> <input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
</div> </div>
<button class="btn btn-default btn-block" type="submit"> <button class="btn btn-default btn-block" type="submit">
<em class="fa fa-search"></em> {{ 'Search'|get_lang }} <em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@ -62,7 +62,9 @@
<div class="panel-body"> <div class="panel-body">
<h3 class="title-post"> <h3 class="title-post">
<a href="{{ _p.web_self ~ '?' ~ _p.web_cid_query ~ '&' ~ {'action':'view_post', 'blog_id':item.id_blog, 'post_id':item.id_post}|url_encode }}#add_comment" <a href="{{ _p.web_self ~ '?' ~ _p.web_cid_query ~ '&' ~ {'action':'view_post', 'blog_id':item.id_blog, 'post_id':item.id_post}|url_encode }}#add_comment"
title="{{ item.title }}">{{ item.title }}</a> title="{{ item.title }}">
{{ item.title | remove_xss }}
</a>
</h3> </h3>
<div class="info-post"> <div class="info-post">
<span class="date"><i class="fa fa-clock-o"></i> {{ item.post_date }}</span> <span class="date"><i class="fa fa-clock-o"></i> {{ item.post_date }}</span>
@ -85,13 +87,15 @@
{% endif %} {% endif %}
<div id="post-content-{{ item.id_post }}" class="{{ item.extract ? 'hidden' : '' }}"> <div id="post-content-{{ item.id_post }}" class="{{ item.extract ? 'hidden' : '' }}">
{{ item.content }} {{ item.content | remove_xss }}
</div> </div>
{% if item.files %} {% if item.files %}
<div class="well well-sm files"> <div class="well well-sm files">
<i class="fa fa-paperclip" aria-hidden="true"></i> <i class="fa fa-paperclip" aria-hidden="true"></i>
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a> <a href="download.php?file={{ item.files.path }}">
{{ item.files.filename | remove_xss }}
</a>
</div> </div>
{% endif %} {% endif %}
</div> </div>
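Review bot: On the `<a ... title="{{ item.title }}">` line of the hunk at @ -62 the `title` attribute still interpolates `item.title` unfiltered while only the element text on the following line gets `| remove_xss`; the `<h1 title="{{ post.title }}">` line in post.tpl has the same split. The `value="{{ search | remove_xss }}"` input in this file and its twin in post.tpl sit inside an attribute, where an HTML purifier is not the right tool: leaving the attribute needs only a quote, so these want attribute escaping, `value="{{ search|e('html_attr') }}"` and `title="{{ item.title|e('html_attr') }}"`. Whether Twig autoescape already covers these depends on the environment configuration, which is not shown here; if it is on, `remove_xss` on a plain text node is belt-and-braces, and if it is off, the attribute values are the exposed spots.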

@ -12,7 +12,9 @@
{{ item.actions }} {{ item.actions }}
</div> </div>
<h4 class="media-heading" <h4 class="media-heading"
id="comment-{{ item.iid }}-title">{{ item.title }}</h4> id="comment-{{ item.iid }}-title">
{{ item.title | remove_xss }}
</h4>
<ul class="info-post list-inline"> <ul class="info-post list-inline">
<li class="date"> <li class="date">
<i class="fa fa-clock-o"></i> {{ item.comment_date }} <i class="fa fa-clock-o"></i> {{ item.comment_date }}
@ -29,13 +31,15 @@
</li> </li>
</ul> </ul>
<div id="comment-{{ item.iid }}-content"> <div id="comment-{{ item.iid }}-content">
{{ item.content }} {{ item.content | remove_xss }}
</div> </div>
{% if item.files %} {% if item.files %}
<aside class="well well-sm files"> <aside class="well well-sm files">
<i class="fa fa-paperclip" aria-hidden="true"></i> <i class="fa fa-paperclip" aria-hidden="true"></i>
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a> <a href="download.php?file={{ item.files.path }}">
<p>{{ item.files.comment }}</p> {{ item.files.filename | remove_xss }}
</a>
<p>{{ item.files.comment | remove_xss }}</p>
</aside> </aside>
{% endif %} {% endif %}
@ -74,7 +78,7 @@
<div class="form-group"> <div class="form-group">
<input type="hidden" name="blog_id" value="{{ id_blog }}"/> <input type="hidden" name="blog_id" value="{{ id_blog }}"/>
<input type="hidden" name="action" value="view_search_result"/> <input type="hidden" name="action" value="view_search_result"/>
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/> <input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
</div> </div>
<button class="btn btn-default btn-block" type="submit"> <button class="btn btn-default btn-block" type="submit">
<em class="fa fa-search"></em> {{ 'Search'|get_lang }} <em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@ -106,7 +110,7 @@
<article> <article>
<div class="article-header"> <div class="article-header">
<div class="title"> <div class="title">
<h1 title="{{ post.title }}">{{ post.title }}</h1> <h1 title="{{ post.title }}">{{ post.title | remove_xss }}</h1>
</div> </div>
<ul class="info-post list-inline"> <ul class="info-post list-inline">
<li class="date"> <li class="date">
@ -118,7 +122,9 @@
</li> </li>
<li class="autor"> <li class="autor">
<i class="fa fa-user" aria-hidden="true"></i> <i class="fa fa-user" aria-hidden="true"></i>
<a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">{{ post.author }}</a> <a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">
{{ post.author }}
</a>
</li> </li>
<li class="score"> <li class="score">
<i class="fa fa-star" aria-hidden="true"></i> {{ post.score_ranking }} <i class="fa fa-star" aria-hidden="true"></i> {{ post.score_ranking }}
@ -126,7 +132,7 @@
</ul> </ul>
</div> </div>
<div class="content-post"> <div class="content-post">
{{ post.content }} {{ post.content | remove_xss }}
</div> </div>
{% if post.files %} {% if post.files %}
<aside class="well well-sm files"> <aside class="well well-sm files">
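Review bot: On the `<a href="download.php?file={{ item.files.path }}">` line of the hunk at @ -29 the filename text now gets `| remove_xss`, but the `file` query parameter built from `item.files.path` is neither URL-encoded nor filtered, and the same line appears in blog.tpl at @ -85. A path value containing `"` or `&` alters the attribute or the query string, so I would write `<a href="download.php?file={{ item.files.path|url_encode }}">` in both templates; `url_encode` is already used in blog.tpl for the view_post link. The `{{ post.author }}` line in the hunk at @ -118 was re-wrapped but left unfiltered, unlike the other text nodes in this commit — either filter it too or add a comment stating why author names are treated as trusted.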
