Fix #7564

10 years ago · 97fec37027
parent ba947ae637
commit 97fec37027
3 changed files with 64 additions and 55 deletions
--- a/main/admin/session_add.php
+++ b/main/admin/session_add.php
@ -96,55 +96,65 @@ function fill_coach_field (username) {


 if (isset($_POST['formSent']) && $_POST['formSent']) {
-	$formSent = 1;
-    $name = $_POST['name'];
-    $year_start = $_POST['year_start'];
-    $month_start = $_POST['month_start'];
-    $day_start = $_POST['day_start'];
-    $year_end = $_POST['year_end'];
-    $month_end = $_POST['month_end'];
-    $day_end = $_POST['day_end'];
-    $nb_days_acess_before = $_POST['nb_days_acess_before'];
-    $nb_days_acess_after = $_POST['nb_days_acess_after'];
-    $coach_username = $_POST['coach_username'];
-    $id_session_category = $_POST['session_category'];
-    $id_visibility = $_POST['session_visibility'];
-    $end_limit = $_POST['end_limit'];
-    $start_limit = $_POST['start_limit'];
-    $duration = isset($_POST['duration']) ? $_POST['duration'] : null;
-
-    if (empty($end_limit) && empty($start_limit)) {
-        $nolimit = 1;
+    $check = Security::check_token('post');
+    Security::clear_token();
+    if ($check) {
+        $formSent = 1;
+        $name = $_POST['name'];
+        $year_start = $_POST['year_start'];
+        $month_start = $_POST['month_start'];
+        $day_start = $_POST['day_start'];
+        $year_end = $_POST['year_end'];
+        $month_end = $_POST['month_end'];
+        $day_end = $_POST['day_end'];
+        $nb_days_acess_before = $_POST['nb_days_acess_before'];
+        $nb_days_acess_after = $_POST['nb_days_acess_after'];
+        $coach_username = $_POST['coach_username'];
+        $id_session_category = $_POST['session_category'];
+        $id_visibility = $_POST['session_visibility'];
+        $end_limit = $_POST['end_limit'];
+        $start_limit = $_POST['start_limit'];
+        $duration = isset($_POST['duration']) ? $_POST['duration'] : null;
+
+        if (empty($end_limit) && empty($start_limit)) {
+            $nolimit = 1;
+        } else {
+            $nolimit = null;
+        }
+
+        $return = SessionManager::create_session(
+            $name,
+            $year_start,
+            $month_start,
+            $day_start,
+            $year_end,
+            $month_end,
+            $day_end,
+            $nb_days_acess_before,
+            $nb_days_acess_after,
+            $nolimit,
+            $coach_username,
+            $id_session_category,
+            $id_visibility,
+            $start_limit,
+            $end_limit,
+            $duration
+        );
+
+        if ($return == strval(intval($return))) {
+            // integer => no error on session creation
+            header('Location: add_courses_to_session.php?id_session=' . $return . '&add=true&msg=');
+            exit();
+        }
    } else {
-    	$nolimit = null;
+        header('Location: '.api_get_self());
+        exit();
    }
-
-    $return = SessionManager::create_session(
-        $name,
-        $year_start,
-        $month_start,
-        $day_start,
-        $year_end,
-        $month_end,
-        $day_end,
-        $nb_days_acess_before,
-        $nb_days_acess_after,
-        $nolimit,
-        $coach_username,
-        $id_session_category,
-        $id_visibility,
-        $start_limit,
-        $end_limit,
-        $duration
-    );
-
-	if ($return == strval(intval($return))) {
-		// integer => no error on session creation
-		header('Location: add_courses_to_session.php?id_session='.$return.'&add=true&msg=');
-		exit();
-	}
 }

+$token = Security::get_token();
+
+
 global $_configuration;
 $defaultBeforeDays = isset($_configuration['session_days_before_coach_access']) ?
    $_configuration['session_days_before_coach_access'] : 0;
@ -168,16 +178,16 @@ if (!empty($return)) {
 echo '<div class="actions">';
 echo '<a href="../admin/index.php">'.Display::return_icon('back.png', get_lang('BackTo').' '.get_lang('PlatformAdmin'),'',ICON_SIZE_MEDIUM).'</a>';
 echo '</div>';
-
 ?>
 <form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>" style="margin:0px;">
+    <input type="hidden" name="sec_token" value="<?php echo $token; ?>">
    <input type="hidden" name="formSent" value="1">
    <div class="control-group">
        <label class="control-label">
            <?php echo get_lang('SessionName') ?>
        </label>
        <div class="controls">
-            <input type="text" name="name" class="span4" maxlength="50" value="<?php if($formSent) echo api_htmlentities($name,ENT_QUOTES,$charset); ?>">
+            <input type="text" name="name" class="span4" maxlength="50" value="<?php if($formSent) echo Security::remove_XSS($name); ?>">
        </div>
    </div>

@ -250,8 +260,8 @@ $Categories = SessionManager::get_all_session_category();
            <a href="javascript://" onclick="if(document.getElementById('options').style.display == 'none'){document.getElementById('options').style.display = 'block';}else{document.getElementById('options').style.display = 'none';}"><?php echo get_lang('DefineSessionOptions') ?></a>
        <div style="display: <?php if($formSent && ($nb_days_acess_before!=0 || $nb_days_acess_after!=0)) echo 'block'; else echo 'none'; ?>;" id="options">
            <br />
-            <input type="text" name="nb_days_acess_before" value="<?php echo $nb_days_acess_before; ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysBefore') ?><br /><br />
-            <input type="text" name="nb_days_acess_after" value="<?php echo $nb_days_acess_after; ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysAfter') ?>
+            <input type="text" name="nb_days_acess_before" value="<?php echo intval($nb_days_acess_before); ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysBefore') ?><br /><br />
+            <input type="text" name="nb_days_acess_after" value="<?php echo intval($nb_days_acess_after); ?>" style="width: 30px;">&nbsp;<?php echo get_lang('DaysAfter') ?>
            <br />
        </div>
        </div>
@ -326,12 +336,8 @@ for ($i=$thisYear-5;$i <= ($thisYear+5);$i++) {
 ?>
    </select>
    </div>
-
        </div>
    </div>
-
-
-
 <div class="control-group">
        <div class="controls">
            <label for="end_limit">
--- a/main/admin/session_edit.php
+++ b/main/admin/session_edit.php
@ -126,9 +126,11 @@ Display::display_header($tool_name);
 if (!empty($return)) {
    Display::display_error_message($return,false);
 }
+
+$page = isset($_GET['page']) && $_GET['page'] == 'resume_session.php' ? 'resume_session.php' : null;
 ?>

-<form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>?page=<?php echo Security::remove_XSS($_GET['page']) ?>&id=<?php echo $id; ?>" style="margin:0px;">
+<form class="form-horizontal" method="post" name="form" action="<?php echo api_get_self(); ?>?page=<?php echo $page; ?>&id=<?php echo $id; ?>" style="margin:0px;">
 <fieldset>
    <legend><?php echo $tool_name; ?></legend>
    <input type="hidden" name="formSent" value="1">
--- a/main/inc/lib/message.lib.php
+++ b/main/inc/lib/message.lib.php
@ -1385,7 +1385,8 @@ class MessageManager
                    $archiveFile = $row_file['path'];
                    $filename = $row_file['filename'];
                    $filesize = format_file_size($row_file['size']);
-                    $filecomment = $row_file['comment'];
+                    $filecomment = Security::remove_XSS($row_file['comment']);
+                    $filename = Security::remove_XSS($filename);
                    $links_attach_file[] = $attach_icon.'&nbsp;<a href="'.$archiveURL.$archiveFile.'">'.$filename.'</a>&nbsp;('.$filesize.')'.(!empty($filecomment) ? '&nbsp;-&nbsp;<i>'.$filecomment.'</i>' : '');
                }
            }