Issue #306 - Searching and fixing some insafe calls of htmlentities().

17 years ago · 70f9882931
parent fecadb6abe
commit 70f9882931
4 changed files with 5 additions and 5 deletions
--- a/main/external_module/external_module.php
+++ b/main/external_module/external_module.php
@ -164,7 +164,7 @@ if(!empty($msgErr))
 </tr>
 <tr>
  <td align="right"><?php echo get_lang('Name'); ?> :</td>
-  <td><input type="text" name="name_link" size="50" value="<?php if($_POST['formSent']) echo htmlentities($name_link,ENT_QUOTES,$charset); else echo $toolid ? htmlspecialchars($row['name'],ENT_QUOTES,$charset) : ''; ?>"></td>
+  <td><input type="text" name="name_link" size="50" value="<?php if($_POST['formSent']) echo api_htmlentities($name_link,ENT_QUOTES,$charset); else echo $toolid ? htmlspecialchars($row['name'],ENT_QUOTES,$charset) : ''; ?>"></td>
 </tr>
 <tr>
  <td align="right"><?php echo get_lang('LinkTarget'); ?> :</td>
--- a/main/newscorm/lp_stats.php
+++ b/main/newscorm/lp_stats.php
@ -333,7 +333,7 @@ if (is_array($list) && count($list) > 0){
 						$view_score = ($score == 0 ? '/' : ($maxscore === 0 ? $score : $score . '/' . float_format($maxscore, 1)));
 					}
 					$output .= "<tr class='$oddclass'>\n" . "<td></td>\n" . "<td>$extend_attempt_link</td>\n" . '<td colspan="3">' . api_convert_encoding(get_lang('Attempt'), $lp_charset, $dokeos_charset) . ' ' . $row['iv_view_count'] . "</td>\n"
-					//."<td><font color='$color'><div class='mystatus'>".htmlentities($array_status[$lesson_status],ENT_QUOTES,$lp_charset)."</div></font></td>\n"
+					//."<td><font color='$color'><div class='mystatus'>".api_htmlentities($array_status[$lesson_status],ENT_QUOTES,$lp_charset)."</div></font></td>\n"
 					 . '<td colspan="2"><font color="' . $color . '"><div class="mystatus">' . $my_lesson_status . "</div></font></td>\n" . '<td colspan="2"><div class="mystatus" align="center">' . $view_score . "</div></td>\n" . '<td colspan="2"><div class="mystatus">'.$time.'</div></td><td></td></tr>';
 					
 					if (!empty($export_csv)) {
@ -587,7 +587,7 @@ if (is_array($list) && count($list) > 0){
 					$correct_test_link = '-';
 				}
 				
-				//."<td><font color='$color'><div class='mystatus'>".htmlentities($array_status[$lesson_status],ENT_QUOTES,$lp_charset)."</div></font></td>\n"
+				//."<td><font color='$color'><div class='mystatus'>".api_htmlentities($array_status[$lesson_status],ENT_QUOTES,$lp_charset)."</div></font></td>\n"
 				$title = Security::remove_XSS($title);
 				if ( (isset($_GET['lp_id']) && $_GET['lp_id'] == $my_lp_id ) && (isset($_GET['my_lp_id']) && $_GET['my_lp_id'] == $my_id)) {					
 					$output .= "<tr class='$oddclass' >\n" . "<td>$extend_link</td>\n" . '<td colspan="4"><div class="mystatus">' .$title. '</div></td>' . "\n";				
--- a/main/reservation/m_item_origineel.php
+++ b/main/reservation/m_item_origineel.php
@ -64,7 +64,7 @@ function modify_filter($id) {
 *  @param  -   int     $id     The item-rights-id's
 */
 function modify_rights_filter($id) {
-	return ' <a href="m_item.php?action=m_rights&amp;subaction=delete&amp;item_id='.substr($id, 0, strpos($id, '-')).'&amp;class_id='.substr($id, strrpos($id, '-') + 1).'" title="'.get_lang("RemoveClassRights").'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteItem")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
+	return ' <a href="m_item.php?action=m_rights&amp;subaction=delete&amp;item_id='.substr($id, 0, strpos($id, '-')).'&amp;class_id='.substr($id, strrpos($id, '-') + 1).'" title="'.get_lang("RemoveClassRights").'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteItem"), ENT_QUOTES, api_get_system_encoding()))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
 }

 /**
--- a/main/tracking/userlogCSV.php
+++ b/main/tracking/userlogCSV.php
@ -631,7 +631,7 @@ if( ( $is_allowedToTrack || $is_allowedToTrackEverybodyInCourse ) && $_configura
       							while ($ar3['status'] != '') {
 									require_once('../newscorm/learnpathItem.class.php');
 									$time = learnpathItem::get_scorm_time('php',$ar3['total_time']);
-									$title = htmlentities($ar3['title'],ENT_QUOTES,$lp_charset);
+									$title = api_htmlentities($ar3['title'],ENT_QUOTES,$lp_charset);
       								$line .= $title.';'.$ar3['status'].';'.$ar3['score'].';'.$time."\n";
       								$ar3=Database::fetch_array($result3);
       							}