[svn r20644] add remove_XSS in exercises, see FS#4169

skala
Carlos Vargas 17 years ago
parent 4329ba9a61
commit 86daa345e4
  1. 14
      main/exercice/answer.class.php
  2. 20
      main/exercice/exercise.class.php
  3. 63
      main/exercice/question.class.php

@ -23,7 +23,7 @@
* 5 arrays are created to receive the attributes of each answer belonging to a specified question * 5 arrays are created to receive the attributes of each answer belonging to a specified question
* @package dokeos.exercise * @package dokeos.exercise
* @author Olivier Brouckaert * @author Olivier Brouckaert
* @version $Id: answer.class.php 20451 2009-05-10 12:02:22Z ivantcholakov $ * @version $Id: answer.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
*/ */
@ -401,8 +401,8 @@ class Answer
$questionId=$this->questionId; $questionId=$this->questionId;
$sql = "UPDATE $TBL_REPONSES SET " . $sql = "UPDATE $TBL_REPONSES SET " .
"answer = '".Database::escape_string($answer)."', " . "answer = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($answer)),COURSEMANAGER))."', " .
"comment = '".Database::escape_string($comment)."', " . "comment = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($comment)),COURSEMANAGER))."', " .
"ponderation = '".Database::escape_string($weighting)."', " . "ponderation = '".Database::escape_string($weighting)."', " .
"position = '".Database::escape_string($position)."', " . "position = '".Database::escape_string($position)."', " .
"destination = '".Database::escape_string($destination)."' " . "destination = '".Database::escape_string($destination)."' " .
@ -434,9 +434,9 @@ class Answer
for($i=1;$i <= $this->new_nbrAnswers;$i++) for($i=1;$i <= $this->new_nbrAnswers;$i++)
{ {
$answer = Database::escape_string($this->new_answer[$i]); $answer = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->new_answer[$i])),COURSEMANAGER));
$correct = Database::escape_string($this->new_correct[$i]); $correct = Database::escape_string($this->new_correct[$i]);
$comment = Database::escape_string($this->new_comment[$i]); $comment = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->new_comment[$i])),COURSEMANAGER));
$weighting = Database::escape_string($this->new_weighting[$i]); $weighting = Database::escape_string($this->new_weighting[$i]);
$position = Database::escape_string($this->new_position[$i]); $position = Database::escape_string($this->new_position[$i]);
$hotspot_coordinates = Database::escape_string($this->new_hotspot_coordinates[$i]); $hotspot_coordinates = Database::escape_string($this->new_hotspot_coordinates[$i]);
@ -484,9 +484,9 @@ class Answer
for($i=1;$i <= $this->nbrAnswers;$i++) for($i=1;$i <= $this->nbrAnswers;$i++)
{ {
$answer = Database::escape_string($this->answer[$i]); $answer = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->answer[$i])),COURSEMANAGER));
$correct = Database::escape_string($this->correct[$i]); $correct = Database::escape_string($this->correct[$i]);
$comment = Database::escape_string($this->comment[$i]); $comment = Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($this->comment[$i])),COURSEMANAGER));
$weighting = Database::escape_string($this->weighting[$i]); $weighting = Database::escape_string($this->weighting[$i]);
$position = Database::escape_string($this->position[$i]); $position = Database::escape_string($this->position[$i]);
$hotspot_coordinates = Database::escape_string($this->hotspot_coordinates[$i]); $hotspot_coordinates = Database::escape_string($this->hotspot_coordinates[$i]);
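Review bot: The sanitising chain added on the answer and comment lines of this hunk (and of the two earlier hunks at -401 and -434) is lossy for legitimate content: `api_html_entity_decode` turns an answer that deliberately displays `&lt;b&gt;` into a real tag that `remove_XSS` then strips, and `stripslashes` drops every backslash, so an answer containing a path or LaTeX loses characters — if that call is there to undo magic quotes it should be conditional on `get_magic_quotes_gpc()`, and the reason should be stated in a comment. The same four-call chain is now repeated six times across the three files; one private helper with a short header comment would keep them in step and give the decode/strip steps a single place to be justified. Filtering at save time also leaves rows stored before this revision untouched, so the rendering side still has to escape these fields. The enclosing methods start outside the hunk.
```php
/**
 * Normalise rich-text input before it is persisted: decode entities,
 * strip backslashes, then run the XSS filter at the COURSEMANAGER level.
 * Callers still escape the result for SQL; output escaping is unaffected.
 */
private static function clean_rich_text($text)
{
    return Security::remove_XSS(stripslashes(api_html_entity_decode($text)), COURSEMANAGER);
}
// … unchanged: loop over the answers …
$answer  = Database::escape_string(self::clean_rich_text($this->answer[$i]));
$comment = Database::escape_string(self::clean_rich_text($this->comment[$i]));
```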

@ -25,7 +25,7 @@
* Exercise class: This class allows to instantiate an object of type Exercise * Exercise class: This class allows to instantiate an object of type Exercise
* @package dokeos.exercise * @package dokeos.exercise
* @author Olivier Brouckaert * @author Olivier Brouckaert
* @version $Id: exercise.class.php 20200 2009-04-29 22:14:55Z cvargas1 $ * @version $Id: exercise.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
*/ */
@ -537,11 +537,10 @@ class Exercise
$start_time = Database::escape_string($this->start_time); $start_time = Database::escape_string($this->start_time);
$end_time = Database::escape_string($this->end_time); $end_time = Database::escape_string($this->end_time);
// exercise already exists // exercise already exists
if($id) if($id) {
{
$sql="UPDATE $TBL_EXERCICES SET $sql="UPDATE $TBL_EXERCICES SET
title='".Database::escape_string($exercise)."', title='".Database::escape_string(Security::remove_XSS($exercise))."',
description='".Database::escape_string($description)."'"; description='".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."'";
if ($type_e != 'simple') { if ($type_e != 'simple') {
$sql .= ", sound='".Database::escape_string($sound)."', $sql .= ", sound='".Database::escape_string($sound)."',
type='".Database::escape_string($type)."', type='".Database::escape_string($type)."',
@ -564,15 +563,12 @@ class Exercise
$this -> search_engine_edit(); $this -> search_engine_edit();
} }
} } else {// creates a new exercise
// creates a new exercise
else
{
$sql="INSERT INTO $TBL_EXERCICES(start_time,end_time,title,description,sound,type,random,active, results_disabled, max_attempt,feedback_type) $sql="INSERT INTO $TBL_EXERCICES(start_time,end_time,title,description,sound,type,random,active, results_disabled, max_attempt,feedback_type)
VALUES( VALUES(
'$start_time','$end_time', '$start_time','$end_time',
'".Database::escape_string($exercise)."', '".Database::escape_string(Security::remove_XSS($exercise))."',
'".Database::escape_string($description)."', '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
'".Database::escape_string($sound)."', '".Database::escape_string($sound)."',
'".Database::escape_string($type)."', '".Database::escape_string($type)."',
'".Database::escape_string($random)."', '".Database::escape_string($random)."',
@ -859,7 +855,7 @@ class Exercise
$form->addElement('header', '', $form_title); $form->addElement('header', '', $form_title);
// title // title
$form -> addElement('text', 'exerciseTitle', get_lang('ExerciseName'),'class="input_titles"'); $form -> addElement('text', 'exerciseTitle', get_lang('ExerciseName'),'class="input_titles"');
$form->applyFilter('exerciseTitle','html_filter'); //$form->applyFilter('exerciseTitle','html_filter');
// fck editor // fck editor
global $fck_attribute; global $fck_attribute;
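Review bot: The form-level `html_filter` on `exerciseTitle` is commented out in this hunk, so the title's only remaining protection is the save-time `Security::remove_XSS($exercise)` at -537 and -563, which — unlike the `description` line next to it — is called without the `COURSEMANAGER` level, leaving title and description on different filter profiles; the diff does not show whether that asymmetry is intended, so either align the two calls or add a comment on the title line saying why it differs. If `html_filter` was removed so titles may carry markup, every page that renders the title must now escape it; if it was removed as redundant, delete the line rather than leaving commented-out code. Minor style: `} else {// creates a new exercise` would read better as `} else { // creates a new exercise`. The enclosing method starts outside the hunk.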

@ -1,4 +1,4 @@
<?php // $Id: question.class.php 20566 2009-05-12 20:50:00Z juliomontoya $ <?php // $Id: question.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
/* /*
============================================================================== ==============================================================================
@ -28,7 +28,7 @@
* File containing the Question class. * File containing the Question class.
* @package dokeos.exercise * @package dokeos.exercise
* @author Olivier Brouckaert * @author Olivier Brouckaert
* @version $Id: question.class.php 20566 2009-05-12 20:50:00Z juliomontoya $ * @version $Id: question.class.php 20644 2009-05-14 16:42:28Z cvargas1 $
*/ */
@ -572,8 +572,7 @@ abstract class Question
* @author - Olivier Brouckaert * @author - Olivier Brouckaert
* @param - integer $exerciseId - exercise ID if saving in an exercise * @param - integer $exerciseId - exercise ID if saving in an exercise
*/ */
function save($exerciseId=0) function save($exerciseId=0) {
{
global $_course,$_user; global $_course,$_user;
$TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION); $TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION);
@ -589,11 +588,10 @@ abstract class Question
$level=$this->level; $level=$this->level;
// question already exists // question already exists
if(!empty($id)) if(!empty($id)) {
{
$sql="UPDATE $TBL_QUESTIONS SET $sql="UPDATE $TBL_QUESTIONS SET
question ='".Database::escape_string($question)."', question ='".Database::escape_string(Security::remove_XSS($question))."',
description ='".Database::escape_string($description)."', description ='".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
ponderation ='".Database::escape_string($weighting)."', ponderation ='".Database::escape_string($weighting)."',
position ='".Database::escape_string($position)."', position ='".Database::escape_string($position)."',
type ='".Database::escape_string($type)."', type ='".Database::escape_string($type)."',
@ -607,8 +605,7 @@ abstract class Question
if (api_get_setting('search_enabled')=='true') { if (api_get_setting('search_enabled')=='true') {
if ($exerciseId != 0) { if ($exerciseId != 0) {
$this -> search_engine_edit($exerciseId); $this -> search_engine_edit($exerciseId);
} } else {
else {
/** /**
* actually there is *not* an user interface for * actually there is *not* an user interface for
* creating questions without a relation with an exercise * creating questions without a relation with an exercise
@ -616,10 +613,7 @@ abstract class Question
} }
} }
} } else {// creates a new question
// creates a new question
else
{
$sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='".Database::escape_string($exerciseId)."'"; $sql="SELECT max(position) FROM $TBL_QUESTIONS as question, $TBL_EXERCICE_QUESTION as test_question WHERE question.id=test_question.question_id AND test_question.exercice_id='".Database::escape_string($exerciseId)."'";
$result=api_sql_query($sql); $result=api_sql_query($sql);
$current_position=Database::result($result,0,0); $current_position=Database::result($result,0,0);
@ -627,8 +621,8 @@ abstract class Question
$position = $this -> position; $position = $this -> position;
$sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture,level) VALUES( $sql="INSERT INTO $TBL_QUESTIONS(question,description,ponderation,position,type,picture,level) VALUES(
'".Database::escape_string($question)."', '".Database::escape_string(Security::remove_XSS($question))."',
'".Database::escape_string($description)."', '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($description)),COURSEMANAGER))."',
'".Database::escape_string($weighting)."', '".Database::escape_string($weighting)."',
'".Database::escape_string($position)."', '".Database::escape_string($position)."',
'".Database::escape_string($type)."', '".Database::escape_string($type)."',
@ -653,8 +647,7 @@ abstract class Question
if (api_get_setting('search_enabled')=='true') { if (api_get_setting('search_enabled')=='true') {
if ($exerciseId != 0) { if ($exerciseId != 0) {
$this -> search_engine_edit($exerciseId, TRUE); $this -> search_engine_edit($exerciseId, TRUE);
} } else {
else {
/** /**
* actually there is *not* an user interface for * actually there is *not* an user interface for
* creating questions without a relation with an exercise * creating questions without a relation with an exercise
@ -664,8 +657,7 @@ abstract class Question
} }
// if the question is created in an exercise // if the question is created in an exercise
if($exerciseId) if($exerciseId) {
{
$sql = 'UPDATE '.Database::get_course_table(TABLE_LP_ITEM).' $sql = 'UPDATE '.Database::get_course_table(TABLE_LP_ITEM).'
SET max_score = '.intval($weighting).' SET max_score = '.intval($weighting).'
@ -682,15 +674,13 @@ abstract class Question
// update search engine and its values table if enabled // update search engine and its values table if enabled
if (api_get_setting('search_enabled')=='true') { if (api_get_setting('search_enabled')=='true') {
$course_id = api_get_course_id(); $course_id = api_get_course_id();
// get search_did // get search_did
$tbl_se_ref = Database::get_main_table(TABLE_MAIN_SEARCH_ENGINE_REF); $tbl_se_ref = Database::get_main_table(TABLE_MAIN_SEARCH_ENGINE_REF);
if ($addQs || $rmQs) { if ($addQs || $rmQs) {
//there's only one row per question on normal db and one document per question on search engine db //there's only one row per question on normal db and one document per question on search engine db
$sql = 'SELECT * FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_second_level=%s LIMIT 1'; $sql = 'SELECT * FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_second_level=%s LIMIT 1';
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $this->id); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $this->id);
} } else {
else {
$sql = 'SELECT * FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_high_level=%s AND ref_id_second_level=%s LIMIT 1'; $sql = 'SELECT * FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_high_level=%s AND ref_id_second_level=%s LIMIT 1';
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id);
} }
@ -703,8 +693,7 @@ abstract class Question
$di = new DokeosIndexer(); $di = new DokeosIndexer();
if ($addQs) { if ($addQs) {
$question_exercises = array((int)$exerciseId); $question_exercises = array((int)$exerciseId);
} } else {
else {
$question_exercises = array(); $question_exercises = array();
} }
isset($_POST['language'])? $lang=Database::escape_string($_POST['language']): $lang = 'english'; isset($_POST['language'])? $lang=Database::escape_string($_POST['language']): $lang = 'english';
@ -762,8 +751,7 @@ abstract class Question
if ($addQs || $rmQs) { if ($addQs || $rmQs) {
$sql = 'DELETE FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_second_level=\'%s\''; $sql = 'DELETE FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_second_level=\'%s\'';
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $this->id); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $this->id);
} } else {
else {
$sql = 'DELETE FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_high_level=\'%s\' AND ref_id_second_level=\'%s\''; $sql = 'DELETE FROM %s WHERE course_code=\'%s\' AND tool_id=\'%s\' AND ref_id_high_level=\'%s\' AND ref_id_second_level=\'%s\'';
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id);
} }
@ -775,8 +763,7 @@ abstract class Question
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, array_shift($question_exercises), $this->id, $did); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, array_shift($question_exercises), $this->id, $did);
api_sql_query($sql,__FILE__,__LINE__); api_sql_query($sql,__FILE__,__LINE__);
} }
} } else {
else {
$sql = 'INSERT INTO %s (id, course_code, tool_id, ref_id_high_level, ref_id_second_level, search_did) $sql = 'INSERT INTO %s (id, course_code, tool_id, ref_id_high_level, ref_id_second_level, search_did)
VALUES (NULL , \'%s\', \'%s\', %s, %s, %s)'; VALUES (NULL , \'%s\', \'%s\', %s, %s, %s)';
$sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id, $did); $sql = sprintf($sql, $tbl_se_ref, $course_id, TOOL_QUIZ, $exerciseId, $this->id, $did);
@ -796,8 +783,7 @@ abstract class Question
* @param - integer $exerciseId - exercise ID * @param - integer $exerciseId - exercise ID
* @param - boolean $fromSave - comming from $this->save() or not * @param - boolean $fromSave - comming from $this->save() or not
*/ */
function addToList($exerciseId, $fromSave=FALSE) function addToList($exerciseId, $fromSave=FALSE) {
{
global $TBL_EXERCICE_QUESTION; global $TBL_EXERCICE_QUESTION;
$id=$this->id; $id=$this->id;
// checks if the exercise ID is not in the list // checks if the exercise ID is not in the list
@ -819,8 +805,7 @@ abstract class Question
* @param - integer $exerciseId - exercise ID * @param - integer $exerciseId - exercise ID
* @return - boolean - true if removed, otherwise false * @return - boolean - true if removed, otherwise false
*/ */
function removeFromList($exerciseId) function removeFromList($exerciseId) {
{
global $TBL_EXERCICE_QUESTION; global $TBL_EXERCICE_QUESTION;
$id=$this->id; $id=$this->id;
@ -829,12 +814,9 @@ abstract class Question
$pos=array_search($exerciseId,$this->exerciseList); $pos=array_search($exerciseId,$this->exerciseList);
// exercise not found // exercise not found
if($pos === false) if($pos === false) {
{
return false; return false;
} } else {
else
{
// deletes the position in the array containing the wanted exercise ID // deletes the position in the array containing the wanted exercise ID
unset($this->exerciseList[$pos]); unset($this->exerciseList[$pos]);
//update order of other elements //update order of other elements
@ -863,8 +845,7 @@ abstract class Question
* @author - Olivier Brouckaert * @author - Olivier Brouckaert
* @param - integer $deleteFromEx - exercise ID if the question is only removed from one exercise * @param - integer $deleteFromEx - exercise ID if the question is only removed from one exercise
*/ */
function delete($deleteFromEx=0) function delete($deleteFromEx=0) {
{
global $_course,$_user; global $_course,$_user;
$TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION); $TBL_EXERCICE_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION);
@ -987,7 +968,7 @@ abstract class Question
$form->addElement('html','<div class="form">'); $form->addElement('html','<div class="form">');
// question name // question name
$form->addElement('text','questionName','<span class="form_required">*</span> '.get_lang('Question'),'size="60"'); $form->addElement('text','questionName','<span class="form_required">*</span> '.get_lang('Question'),'size="60"');
$form->applyFilter('questionName','html_filter'); //$form->applyFilter('questionName','html_filter');
//$radios_results_enabled[] = $form->createElement('static', null, null, null); //$radios_results_enabled[] = $form->createElement('static', null, null, null);
//$test=FormValidator :: createElement ('text', 'questionName'); //$test=FormValidator :: createElement ('text', 'questionName');
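Review bot: The same asymmetry as in exercise.class.php appears here: `question` is filtered with `Security::remove_XSS($question)` at -589 and -627 while `description` gets the decode/stripslashes chain at `COURSEMANAGER` level, and the `questionName` `html_filter` is commented out in the last hunk, so the question title now depends solely on that default-level call. Since `remove_XSS`'s second argument appears to select a permissiveness profile by user status, passing the constant `COURSEMANAGER` unconditionally applies that profile regardless of who submits; if that is deliberate it deserves a comment such as `// question authors are always course managers here`. The remaining hunks are brace-style reformatting (`} else {`) mixed into a security change, which makes the behavioural part harder to audit and would be better as a separate commit. `save()` starts inside the hunk at -572 but ends outside it.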
