Gradebook eval: add remove_xss

5 years ago · 9815db1ff9
parent e561531a74
commit 9815db1ff9
4 changed files with 8 additions and 7 deletions
--- a/main/gradebook/lib/fe/displaygradebook.php
+++ b/main/gradebook/lib/fe/displaygradebook.php
@ -85,7 +85,7 @@ class DisplayGradebook

        $description = '';
        if ('' == !$evalobj->get_description()) {
-            $description = get_lang('Description').' :<b> '.$evalobj->get_description().'</b><br>';
+            $description = get_lang('Description').' :<b> '.Security::remove_XSS($evalobj->get_description()).'</b><br>';
        }

        if ($evalobj->get_course_code() == null) {
@ -95,7 +95,7 @@ class DisplayGradebook
        }

        $evalinfo = '<table width="100%" border="0"><tr><td>';
-        $evalinfo .= '<h2>'.$evalobj->get_name().'</h2><hr>';
+        $evalinfo .= '<h2>'.Security::remove_XSS($evalobj->get_name()).'</h2><hr>';
        $evalinfo .= $description;
        $evalinfo .= get_lang('Course').' :<b> '.$course.'</b><br />';
        if (empty($model)) {
--- a/main/gradebook/lib/fe/evalform.class.php
+++ b/main/gradebook/lib/fe/evalform.class.php
@ -577,7 +577,7 @@ class EvalForm extends FormValidator
                                $select_gradebook->addOption(get_lang('Default'), $my_cat->get_id());
                                $cats_added[] = $my_cat->get_id();
                            } else {
-                                $select_gradebook->addOption($my_cat->get_name(), $my_cat->get_id());
+                                $select_gradebook->addOption(Security::remove_XSS($my_cat->get_name()), $my_cat->get_id());
                                $cats_added[] = $my_cat->get_id();
                            }
                        } else {
--- a/main/gradebook/lib/fe/gradebooktable.class.php
+++ b/main/gradebook/lib/fe/gradebooktable.class.php
@ -423,10 +423,11 @@ class GradebookTable extends SortableTable

                // Name.
                if ('Category' === get_class($item)) {
-                    $row[] = $invisibility_span_open.'<strong>'.Security::remove_XSS($item->get_name()).'</strong>'.$invisibility_span_close;
+                    $row[] = $invisibility_span_open.
+                        '<strong>'.Security::remove_XSS($item->get_name()).'</strong>'.$invisibility_span_close;
                    $main_categories[$item->get_id()]['name'] = $item->get_name();
                } else {
-                    $name = $this->build_name_link($item, $type);
+                    $name = Security::remove_XSS($this->build_name_link($item, $type));
                    $row[] = $invisibility_span_open.$name.$invisibility_span_close;
                    $main_categories[$item->get_id()]['name'] = $name;
                }
@ -622,7 +623,7 @@ class GradebookTable extends SortableTable
                            $row[] = $this->build_type_column($item, ['style' => 'padding-left:5px']);
                            // Name.
                            $row[] = $invisibility_span_open.'&nbsp;&nbsp;&nbsp; '.
-                                $this->build_name_link($item, $type, 4).$invisibility_span_close;
+                                Security::remove_XSS($this->build_name_link($item, $type, 4)).$invisibility_span_close;

                            // Description.
                            if (false == $this->exportToPdf) {
--- a/main/gradebook/lib/fe/resulttable.class.php
+++ b/main/gradebook/lib/fe/resulttable.class.php
@ -26,7 +26,7 @@ class ResultTable extends SortableTable
     */
    public function __construct(
        $evaluation,
-        $results = [],
+        $results,
        $iscourse,
        $addparams = [],
        $forprint = false