[svn r20788] logic changes - changed remove_XSS,allow all tag to COURSEMANAGER - (partial FS#3909)

16 years ago · 89b2800f93
parent 43e6d8f543
commit 89b2800f93
3 changed files with 37 additions and 24 deletions
--- a/main/exercice/exercise.class.php
+++ b/main/exercice/exercise.class.php
@ -25,7 +25,7 @@
 *	Exercise class: This class allows to instantiate an object of type Exercise
 *	@package dokeos.exercise
 * 	@author Olivier Brouckaert
-* 	@version $Id: exercise.class.php 20776 2009-05-18 12:43:44Z pcool $
+* 	@version $Id: exercise.class.php 20788 2009-05-18 16:18:01Z iflorespaz $
 */


@ -538,9 +538,14 @@ class Exercise
        $end_time = Database::escape_string($this->end_time);
 		// exercise already exists
 		if($id) {
+		/*
+		title='".Database::escape_string(Security::remove_XSS($exercise))."',
+		description='".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."'";
+		*/
 			$sql="UPDATE $TBL_EXERCICES SET 
-						title='".Database::escape_string(Security::remove_XSS($exercise))."',
-						description='".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."'";
+						title='".Database::escape_string($exercise)."',
+						description='".Database::escape_string($description)."'";
+						
 				if ($type_e != 'simple') {					
 						$sql .= ", sound='".Database::escape_string($sound)."',
 						type='".Database::escape_string($type)."',
@ -564,11 +569,22 @@ class Exercise
            }

 		} else {// creates a new exercise
+		//add condition by anonymous user
+		
+		/*if (!api_is_anonymous()) {
+			//is course manager			
+			$cond1=Database::escape_string($exercise);
+			$cond2=Database::escape_string($description);			
+		} else {
+			//is anonymous user
+			$cond1=Database::escape_string(Security::remove_XSS($exercise));
+			$cond2=Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER));		
+		}*/
 			$sql="INSERT INTO $TBL_EXERCICES(start_time,end_time,title,description,sound,type,random,active, results_disabled, max_attempt,feedback_type) 
 					VALUES(
 						'$start_time','$end_time',
-						'".Database::escape_string(Security::remove_XSS($exercise))."',
-						'".Database::escape_string(Security::remove_XSS(api_html_entity_decode($description),COURSEMANAGER))."',
+						'".Database::escape_string($exercise)."',
+						'".Database::escape_string($description)."',
 						'".Database::escape_string($sound)."',
 						'".Database::escape_string($type)."',
 						'".Database::escape_string($random)."',
@ -578,8 +594,7 @@ class Exercise
 						'".Database::escape_string($feedbacktype)."'
 						)";
 			api_sql_query($sql,__FILE__,__LINE__);			
-
-			$this->id=mysql_insert_id();		
+			$this->id=Database::insert_id();		
        	// insert into the item_property table
        	
        	api_item_property_update($_course, TOOL_QUIZ, $this->id,'QuizAdded',$_user['user_id']);
--- a/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
+++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier.php
@ -96,18 +96,19 @@ class HTMLPurifier
 			global $tag_student,$attribute_student;//$tag_student
 	   		$config->set('HTML', 'SafeEmbed',true);			
 			$config->set('Filter', 'YouTube', true);						
-	   		$config->set('HTML', 'AllowedElements',$tag_student);//'a,em,blockquote,p,code,pre,strong,b,img,span'
-			$config->set('HTML', 'AllowedAttributes',$attribute_student);//'a.href,a.title,img.src'
+	   		$config->set('HTML', 'AllowedElements',$tag_student);
+			$config->set('HTML', 'AllowedAttributes',$attribute_student);
 		} elseif ($user_status==COURSEMANAGER) {
-			global $tag_teacher,$attribute_teacher;
+			//activate in configuration setting 
+			/*global $tag_teacher,$attribute_teacher;
 	   		$config->set('HTML', 'SafeEmbed',true);				
 			$config->set('Filter', 'YouTube', true);						
 	   		$config->set('HTML', 'AllowedElements',$tag_teacher);
-			$config->set('HTML', 'AllowedAttributes', $attribute_teacher);//'a.href,a.title,img.src'				
+			$config->set('HTML', 'AllowedAttributes', $attribute_teacher);	*/			
 		} else {
 			global $tag_anonymous,$attribute_anonymous;			
 	   		$config->set('HTML', 'AllowedElements', $tag_anonymous);
-			$config->set('HTML', 'AllowedAttributes',$attribute_anonymous);//'a.href,a.title,img.src'			
+			$config->set('HTML', 'AllowedAttributes',$attribute_anonymous);			
 		}
 			$config->set('HTML', 'TidyLevel', 'light');
        	$this->config = HTMLPurifier_Config::create($config);
--- a/main/inc/lib/security.lib.php
+++ b/main/inc/lib/security.lib.php
@ -250,7 +250,7 @@ class Security{
 	 */
 	function remove_XSS($var,$user_status=ANONYMOUS) {
 		global $charset;
-		/*if (is_null($user_status)) {
+		if ($user_status==COURSEMANAGER) {
 			if (is_array($var)) {
 				if (count($var)>0) {
 					foreach ($var as &$value_var) {
@ -265,15 +265,12 @@ class Security{
 				return api_htmlentities($var,ENT_QUOTES,$charset);	
 			}			
 		} else {
-		$purifier = new HTMLPurifier($config_purifier,$user_status);
-		return $purifier->purify($var);
-		}*/	
-		$purifier = new HTMLPurifier(null,$user_status);		
-		if (is_array($var)) {
-			return $purifier->purifyArray($var);				
-		} else {
-			return $purifier->purify($var);	
+			$purifier = new HTMLPurifier(null,$user_status);		
+			if (is_array($var)) {
+				return $purifier->purifyArray($var);				
+			} else {
+				return $purifier->purify($var);	
+			}
 		}	
-			
 	}
 }