clean and fix wiki security

15 years ago · 9adc76f893
parent 8c6e06e475
commit 9adc76f893
5 changed files with 170 additions and 281 deletions
--- a/main/inc/lib/internationalization.lib.php
+++ b/main/inc/lib/internationalization.lib.php
@ -1119,6 +1119,14 @@ function api_htmlentities($string, $quote_style = ENT_COMPAT, $encoding = null)
 	if (!api_is_utf8($encoding) && _api_html_entity_supports($encoding)) {
 		return htmlentities($string, $quote_style, $encoding);
 	}
+    switch($quote_style) {
+		case ENT_COMPAT:
+			$string = str_replace(array('&', '"', '<', '>'), array('&amp;', '&quot;', '&lt;', '&gt;'), $string);
+			break;
+		case ENT_QUOTES:
+			$string = str_replace(array('&', '\'', '"', '<', '>'), array('&amp;', '&#039;', '&quot;', '&lt;', '&gt;'), $string);
+			break;
+	}
 	if (_api_mb_supports($encoding)) {
 		if (!api_is_utf8($encoding)) {
 			$string = api_utf8_encode($string, $encoding);
@ -1137,18 +1145,7 @@ function api_htmlentities($string, $quote_style = ENT_COMPAT, $encoding = null)
 			$string = _api_convert_encoding($string, $encoding, 'UTF-8');
 		}
 	}
-	else {
-		// Here the function gives up.
-		return $string;
-	}
-	switch($quote_style) {
-		case ENT_COMPAT:
-			$string = str_replace('"', '&quot;', $string);
-			break;
-		case ENT_QUOTES:
-			$string = str_replace(array('\'', '"'), array('&#039;', '&quot;'), $string);
-			break;
-	}
+
 	return $string;
 }

--- a/main/wiki/export_html2pdf.php
+++ b/main/wiki/export_html2pdf.php
@ -1,101 +0,0 @@
-<?php
-/*
-==============================================================================
-	Dokeos - elearning and course management software
-
-	Copyright (c) 2004-2009 Dokeos SPRL
-
-	For a full list of contributors, see "credits.txt".
-	The full license can be read in "license.txt".
-
-	This program is free software; you can redistribute it and/or
-	modify it under the terms of the GNU General Public License
-	as published by the Free Software Foundation; either version 2
-	of the License, or (at your option) any later version.
-
-	See the GNU General Public License for more details.
-
-	Contact address: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium
-	Mail: info@dokeos.com
-==============================================================================
-*/
-
-/**
-*   Export html to pdf
-* 	@Author Juan Carlos Raña <herodoto@telefonica.net>
-*
-*/
-
-
-include '../inc/global.inc.php';
-api_block_anonymous_users();
-
-require '../inc/lib/html2pdf/html2pdf.class.php';
-
-$contentPDF = stripslashes(api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding()));
-$titlePDF = stripslashes(api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding()));
-
-ob_start();//activate Output -Buffer
-///////////////////////
-?>
-<page backtop="10mm" backbottom="10mm" footer="page">
-      <page_header>
-           <?php echo $titlePDF.'<br/><hr/>'?>
-      </page_header>
-      <page_footer>
-            <?php echo '<hr/>'; ?>
-      </page_footer>
- </page>
-
- <?php
-/////////////////////
-echo $contentPDF;
-$htmlbuffer = ob_get_contents();// Store Output-Buffer in one variable
-ob_end_clean();// delete Output-Buffer
-
-/////bridge to  dokeos lang
-	$langhtml2pdf = api_get_language_isocode();
-
-	// Some code translations are needed.
-	$langhtml2pdf = strtolower(str_replace('_', '-', $langhtml2pdf));
-	switch ($langhtml2pdf)
-	{
-		case 'uk':
-			$langhtml2pdf = 'ukr';
-			break;
-		case 'pt':
-			$langhtml2pdf = 'pt_pt';
-			break;
-		case 'pt-br':
-			$langhtml2pdf = 'pt_br';
-			break;
-		// Code here other noticed exceptions.
-	}
-
-	// Checking for availability of a corresponding language file.
-	if (!file_exists(api_get_path(SYS_PATH).'main/inc/lib/html2pdf/langues/'.$langhtml2pdf.'.txt'))
-	{
-		// If there was no language file, use the english one.
-		$langhtml2pdf = 'en';
-	}
-
-////
-
-//$script = "
-//var rep = app.response('Your name');
-//app.alert('Hello '+rep);
-//";
-
-$html2pdf = new HTML2PDF('P','A4',$langhtml2pdf, array(30,10,30,10));//array (margin left, margin top, margin right, margin bottom)
-//$html2pdf->pdf->IncludeJS($script);
-//$html2pdf->pdf->IncludeJS("print(true);");
-//$html2pdf->pdf->IncludeJS("app.alert('Generated by Dokeos to PDF');");
-//$html2pdf->pdf->SetProtection(array('print'), 'guest');//add a password sample: guest
-$html2pdf->pdf->SetAuthor('Wiki Dokeos');
-$html2pdf->pdf->SetTitle($titlePDF);
-$html2pdf->pdf->SetSubject('Exported from Dokeos Wiki');
-$html2pdf->pdf->SetKeywords('Dokeos Wiki');
-//$html2pdf->WriteHTML(utf8_decode($htmlbuffer));
-$html2pdf->WriteHTML($htmlbuffer);
-$html2pdf->Output($titlePDF.'.pdf', 'D');
-?>
--- a/main/wiki/export_mpdf.php
+++ b/main/wiki/export_mpdf.php
@ -15,8 +15,8 @@ api_block_anonymous_users();
 define('_MPDF_PATH', api_get_path(LIBRARY_PATH).'mpdf/');
 require_once _MPDF_PATH.'mpdf.php';

-$content_pdf = stripslashes(api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding()));
-$title_pdf = stripslashes(api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding()));
+$content_pdf = api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding());
+$title_pdf = api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding());

 $html = '
 <page backtop="10mm" backbottom="10mm" footer="page">
--- a/main/wiki/index.php
+++ b/main/wiki/index.php
@ -2,12 +2,9 @@
 /* For licensing terms, see /license.txt */

 /**
-*	The Chamilo wiki is a further development of the CoolWiki plugin.
 *
 *	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University, Belgium
 * 	@author Juan Carlos Raña <herodoto@telefonica.net>
-*	@copyright Ghent University
-*	@copyright Patrick Cool
 *
 * 	@package chamilo.wiki
 */
@ -138,7 +135,7 @@ INITIALISATION
 if (!isset($_GET['title'])) {
 	$page = 'index';
 } else {
-	$page = Security::remove_XSS($_GET['title']);
+	$page = $_GET['title'];
 }

 // some titles are not allowed
@ -220,7 +217,6 @@ if (isset($_POST['SaveWikiNew']))
 	   {
 			$return_message=save_new_wiki();
 			Display::display_confirmation_message($return_message, false);
-			$page=urlencode(Security::remove_XSS($_POST['reflink']));
 	   }
 	}
 }
@ -233,13 +229,13 @@ if ($_GET['view'])
 		$result=Database::query($sql);
 		$current_row=Database::fetch_array($result);

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; //last version
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; //last version
 		$result=Database::query($sql);
 		$last_row=Database::fetch_array($result);

 	if ($_GET['view']<$last_row['id'])
 	{
-	   $message= '<center>'.get_lang('NoAreSeeingTheLastVersion').'<br /> '.get_lang("Version").' (<a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.$current_row['reflink'].'&view='.Security::remove_XSS($_GET['view']).'&group_id='.$current_row['group_id'].'" title="'.get_lang('CurrentVersion').'">'.$current_row['version'].'</a> / <a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.$last_row['reflink'].'&group_id='.$last_row['group_id'].'" title="'.get_lang('LastVersion').'">'.$last_row['version'].'</a>) <br />'.get_lang("ConvertToLastVersion").': <a href="index.php?cidReq='.$_course[id].'&action=restorepage&amp;title='.$last_row['reflink'].'&view='.Security::remove_XSS($_GET['view']).'">'.get_lang("Restore").'</a></center>';
+	   $message= '<center>'.get_lang('NoAreSeeingTheLastVersion').'<br /> '.get_lang("Version").' (<a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode($current_row['reflink'])).'&view='.api_htmlentities($_GET['view']).'&group_id='.$current_row['group_id'].'" title="'.get_lang('CurrentVersion').'">'.$current_row['version'].'</a> / <a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode($last_row['reflink'])).'&group_id='.$last_row['group_id'].'" title="'.get_lang('LastVersion').'">'.$last_row['version'].'</a>) <br />'.get_lang("ConvertToLastVersion").': <a href="index.php?cidReq='.$_course[id].'&action=restorepage&amp;title='.api_htmlentities(urlencode($last_row['reflink'])).'&view='.api_htmlentities($_GET['view']).'">'.get_lang("Restore").'</a></center>';

 	   Display::display_warning_message($message,false);
 	}
@ -275,12 +271,12 @@ if ($_GET['view'])
 			}

 			// check if is an assignment
-			if(stripslashes($current_row['assignment'])==1)
+			if($current_row['assignment']==1)
 			{
 				Display::display_normal_message(get_lang('EditAssignmentWarning'));
 				$icon_assignment='<img src="../img/wiki/assignment.gif" title="'.get_lang('AssignmentDescExtra').'" alt="'.get_lang('AssignmentDescExtra').'" />';
 			}
-			elseif(stripslashes($current_row['assignment'])==2)
+			elseif($current_row['assignment']==2)
 			{
 				$icon_assignment='<img src="../img/wiki/works.gif" title="'.get_lang('AssignmentWorkExtra').'" alt="'.get_lang('AssignmentWorkExtra').'" />';
 				if((api_get_user_id()==$current_row['user_id'])==false)
@ -325,7 +321,7 @@ if ($_GET['view'])
 					}
 					else
 					{
-					 	Display::display_confirmation_message(restore_wikipage($current_row['page_id'], $current_row['reflink'], $current_row['title'], $current_row['content'], $current_row['group_id'], $current_row['assignment'], $current_row['progress'], $current_row['version'], $last_row['version'], $current_row['linksto']).': <a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.$last_row['reflink'].'&group_id='.$last_row['group_id'].'">'.$last_row['title'].'</a>',false);
+					 	Display::display_confirmation_message(restore_wikipage($current_row['page_id'], $current_row['reflink'], $current_row['title'], $current_row['content'], $current_row['group_id'], $current_row['assignment'], $current_row['progress'], $current_row['version'], $last_row['version'], $current_row['linksto']).': <a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode($last_row['reflink'])).'&group_id='.$last_row['group_id'].'">'.api_htmlentities($last_row['title']).'</a>',false);
 					}
 				}
 			}
@ -392,7 +388,7 @@ echo '<td>';
 		}
 	}

-		echo '<a href="index.php?action=show&amp;actionpage='.$lock_unlock_addnew.'&amp;title='.$page.'">'.$protect_addnewpage.'</a></li>';
+		echo '<a href="index.php?action=show&amp;actionpage='.$lock_unlock_addnew.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$protect_addnewpage.'</a></li>';

 	///menu find
 	echo '<li><a href="index.php?cidReq='.$_course[id].'&action=searchpages&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('searchpages').'>'.get_lang('SearchPages').'</a></li>';
@ -403,11 +399,11 @@ echo '<td>';
 	///menu delete all wiki
 	if(api_is_allowed_to_edit(false,true) || api_is_platform_admin())
 	{
-			echo '<li><a href="index.php?action=deletewiki&amp;title='.$page.'"'.is_active_navigation_tab('deletewiki').'>'.get_lang('DeleteWiki').'</a></li>';
+			echo '<li><a href="index.php?action=deletewiki&amp;title='.api_htmlentities(urlencode($page)).'"'.is_active_navigation_tab('deletewiki').'>'.get_lang('DeleteWiki').'</a></li>';
 	}
 	///menu more

-	echo '<li><a href="index.php?action=more&amp;title='.$page.'"'.is_active_navigation_tab('more').'>'.get_lang('More').'</a></li>';
+	echo '<li><a href="index.php?action=more&amp;title='.api_htmlentities(urlencode($page)).'"'.is_active_navigation_tab('more').'>'.get_lang('More').'</a></li>';

 	echo '</ul>';
 echo '</td>';
@ -429,25 +425,25 @@ if (!in_array($_GET['action'], array('addnew', 'searchpages', 'allpages', 'recen
 	echo "<div class='actions'>";

 	//menu show page
-	echo '<a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.$page.'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('showpage').'>'.Display::display_icon('lp_document.png',get_lang('ShowThisPage')).' '.get_lang('Page').'</a>';
+	echo '<a href="index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode($page)).'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('showpage').'>'.Display::display_icon('lp_document.png',get_lang('ShowThisPage')).' '.get_lang('Page').'</a>';

 	if (api_is_allowed_to_session_edit(false,true) ) {
 		//menu edit page
-		echo '<a href="index.php?cidReq='.$_course[id].'&action=edit&amp;title='.$page.'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('edit').'>'.Display::display_icon('lp_quiz.png',get_lang('EditThisPage')).' '.get_lang('EditPage').'</a>';
+		echo '<a href="index.php?cidReq='.$_course[id].'&action=edit&amp;title='.api_htmlentities(urlencode($page)).'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('edit').'>'.Display::display_icon('lp_quiz.png',get_lang('EditThisPage')).' '.get_lang('EditPage').'</a>';

 		//menu discuss page
-		echo '<a href="index.php?action=discuss&amp;title='.$page.'"'.is_active_navigation_tab('discuss').'>'.Display::display_icon('comment_bubble.gif',get_lang('DiscussThisPage')).' '.get_lang('Discuss').'</a>';
+		echo '<a href="index.php?action=discuss&amp;title='.api_htmlentities(urlencode($page)).'"'.is_active_navigation_tab('discuss').'>'.Display::display_icon('comment_bubble.gif',get_lang('DiscussThisPage')).' '.get_lang('Discuss').'</a>';
 	}

 	//menu history
-	echo '<a href="index.php?cidReq='.$_course[id].'&action=history&amp;title='.$page.'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('history').'>'.Display::display_icon('history.gif',get_lang('ShowPageHistory')).' '.get_lang('History').'</a>';
+	echo '<a href="index.php?cidReq='.$_course[id].'&action=history&amp;title='.api_htmlentities(urlencode($page)).'&group_id='.$_clean['group_id'].'"'.is_active_navigation_tab('history').'>'.Display::display_icon('history.gif',get_lang('ShowPageHistory')).' '.get_lang('History').'</a>';
 	//menu linkspages
-	echo '<a href="index.php?action=links&amp;title='.$page.'"'.is_active_navigation_tab('links').'>'.Display::display_icon('lp_link.png',get_lang('ShowLinksPages')).' '.get_lang('LinksPages').'</a>';
+	echo '<a href="index.php?action=links&amp;title='.api_htmlentities(urlencode($page)).'"'.is_active_navigation_tab('links').'>'.Display::display_icon('lp_link.png',get_lang('ShowLinksPages')).' '.get_lang('LinksPages').'</a>';

 	//menu delete wikipage
 	if(api_is_allowed_to_edit(false,true) || api_is_platform_admin())
 	{
-		echo '<a href="index.php?action=delete&amp;title='.$page.'"'.is_active_navigation_tab('delete').'>'.Display::display_icon('delete.gif',get_lang('DeleteThisPage')).' '.get_lang('Delete').'</a>';
+		echo '<a href="index.php?action=delete&amp;title='.api_htmlentities(urlencode($page)).'"'.is_active_navigation_tab('delete').'>'.Display::display_icon('delete.gif',get_lang('DeleteThisPage')).' '.get_lang('Delete').'</a>';
 	}
 	echo '</div>';
 }
@ -456,7 +452,7 @@ if (!in_array($_GET['action'], array('addnew', 'searchpages', 'allpages', 'recen
 //In new pages go to new page
 if (isset($_POST['SaveWikiNew']))
 {
-	display_wiki_entry(Security::remove_XSS($_POST['reflink']));
+	display_wiki_entry($_POST['reflink']);
 }

 /////////////////////// more options /////////////////////// Juan Carlos Raña Trabado
@ -563,8 +559,8 @@ if ($_GET['action']=='mactiveusers')
 			$userinfo=Database::get_user_info_from_id($obj->user_id);
 			$row = array ();

-			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a><a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($row['user_id']).'&group_id='.Security::remove_XSS($_GET['group_id']).'"></a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
-			$row[] ='<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($obj->user_id).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->NUM_EDIT.'</a>';
+			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a><a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($row['user_id']).'&group_id='.api_htmlentities($_GET['group_id']).'"></a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
+			$row[] ='<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($obj->user_id).'&group_id='.api_htmlentities($_GET['group_id']).'">'.$obj->NUM_EDIT.'</a>';
 			$rows[] = $row;
 		}

@ -581,18 +577,18 @@ if ($_GET['action']=='mactiveusers')

 if ($_GET['action']=='usercontrib')
 {
-	$userinfo=Database::get_user_info_from_id(Security::remove_XSS($_GET['user_id']));
+	$userinfo=Database::get_user_info_from_id($_GET['user_id']);

-	echo '<div class="actions">'.get_lang('UserContributions').': <a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a><a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($row['user_id']).'&group_id='.Security::remove_XSS($_GET['group_id']).'"></a></div>';
+	echo '<div class="actions">'.get_lang('UserContributions').': <a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a><a href="'.api_get_self().'?cidReq='.$_course[id].'&action=usercontrib&user_id='.urlencode($row['user_id']).'&group_id='.api_htmlentities($_GET['group_id']).'"></a></div>';


 	if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) //only by professors if page is hidden
 	{
-		$sql='SELECT * FROM '.$tbl_wiki.'  WHERE  '.$groupfilter.$condition_session.' AND user_id="'.Security::remove_XSS($_GET['user_id']).'"';
+		$sql='SELECT * FROM '.$tbl_wiki.'  WHERE  '.$groupfilter.$condition_session.' AND user_id="'.Database::escape_string($_GET['user_id']).'"';
 	}
 	else
 	{
-		$sql='SELECT * FROM '.$tbl_wiki.'  WHERE  '.$groupfilter.$condition_session.' AND user_id="'.Security::remove_XSS($_GET['user_id']).'" AND visibility=1';
+		$sql='SELECT * FROM '.$tbl_wiki.'  WHERE  '.$groupfilter.$condition_session.' AND user_id="'.Database::escape_string($_GET['user_id']).'" AND visibility=1';
 	}

 	$allpages=Database::query($sql);
@ -632,15 +628,15 @@ if ($_GET['action']=='usercontrib')
 			$row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds;
 			$row[] =$ShowAssignment;

-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&view='.$obj->id.'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->title.'</a>';
-			$row[] =$obj->version;
-			$row[] =$obj->comment;
-			//$row[] = api_strlen($obj->comment)>30 ? api_substr($obj->comment,0,30).'...' : $obj->comment;
-			$row[] =$obj->progress.' %';
-			$row[] =$obj->score;
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&view='.$obj->id.'&group_id='.api_htmlentities(urlencode($_GET['group_id'])).'">'.api_htmlentities($obj->title).'</a>';
+			$row[] =Security::remove_XSS($obj->version);
+			$row[] =Security::remove_XSS($obj->comment);			
+			//$row[] = api_strlen($obj->comment)>30 ? Security::remove_XSS(api_substr($obj->comment,0,30)).'...' : Security::remove_XSS($obj->comment);
+			$row[] =Security::remove_XSS($obj->progress).' %';
+			$row[] =Security::remove_XSS($obj->score);
 			//if(api_is_allowed_to_edit() || api_is_platform_admin())
 			//{
-				//$row[] =$obj->user_ip;
+				//$row[] =Security::remove_XSS($obj->user_ip);
 			//}

 			$rows[] = $row;
@ -706,7 +702,7 @@ if ($_GET['action']=='mostchanged')

 			$row = array ();
 			$row[] =$ShowAssignment;
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->title.'</a>';
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($obj->title).'</a>';
 			$row[] = $obj->MAX;
 			$rows[] = $row;
 		}
@ -760,7 +756,7 @@ if ($_GET['action']=='mvisited')

 			$row = array ();
 			$row[] =$ShowAssignment;
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->title.'</a>';
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($obj->title).'</a>';
 			$row[] = $obj->tsum;
 			$rows[] = $row;
 		}
@ -815,7 +811,7 @@ if ($_GET['action']=='wanted')
 		{
 			if (trim($v)!="")
 			{
-				echo   '<li><a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq=&action=addnew&title='.urlencode(str_replace('_',' ',$v)).'&group_id='.Security::remove_XSS($_GET['group_id']).'" class="new_wiki_link">'.str_replace('_',' ',$v).'</a></li>';
+				echo   '<li><a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq=&action=addnew&title='.api_htmlentities(urlencode(str_replace('_',' ',$v))).'&group_id='.api_htmlentities($_GET['group_id']).'" class="new_wiki_link">'.api_htmlentities(str_replace('_',' ',$v)).'</a></li>';
 			}
 		}
 	}
@ -873,11 +869,11 @@ if ($_GET['action']=='orphaned')
 	{
 		if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) //only by professors if page is hidden
 		{
-			$sql='SELECT  *  FROM   '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.$vshow.'" GROUP BY reflink';
+			$sql='SELECT  *  FROM   '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.Database::escape_string($vshow).'" GROUP BY reflink';
 		}
 		else
 		{
-			$sql='SELECT  *  FROM   '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.$vshow.'" AND visibility=1 GROUP BY reflink';
+			$sql='SELECT  *  FROM   '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.Database::escape_string($vshow).'" AND visibility=1 GROUP BY reflink';
 		}

 		$allpages=Database::query($sql);
@ -899,7 +895,7 @@ if ($_GET['action']=='orphaned')
 				$ShowAssignment='<img src="../img/wiki/trans.gif" />';
 			}

-			echo '<li>'.$ShowAssignment.'<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($row['reflink']).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$row['title'].'</a></li>';
+			echo '<li>'.$ShowAssignment.'<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($row['reflink'])).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($row['title']).'</a></li>';
 		}
 		echo '</ul>';
 	}
@ -927,7 +923,7 @@ if ($_GET['action']=='delete')
 			Display::display_warning_message(get_lang('WarningDeleteMainPage'),false);
 		}

-		$message = get_lang('ConfirmDeletePage')."</p>"."<p>"."<a href=\"index.php\">".get_lang("No")."</a>"."&nbsp;&nbsp;|&nbsp;&nbsp;"."<a href=\"".api_get_self()."?action=delete&amp;title=".$page."&amp;delete=yes\">".get_lang("Yes")."</a>"."</p>";
+		$message = get_lang('ConfirmDeletePage')."</p>"."<p>"."<a href=\"index.php\">".get_lang("No")."</a>"."&nbsp;&nbsp;|&nbsp;&nbsp;"."<a href=\"".api_get_self()."?action=delete&amp;title=".api_htmlentities(urlencode($page))."&amp;delete=yes\">".get_lang("Yes")."</a>"."</p>";

 		if (!isset ($_GET['delete']))
 		{
@ -936,14 +932,14 @@ if ($_GET['action']=='delete')

 		if ($_GET['delete'] == 'yes')
 		{
-			$sql='DELETE '.$tbl_wiki_discuss.' FROM '.$tbl_wiki.', '.$tbl_wiki_discuss.' WHERE '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_discuss.'.publication_id='.$tbl_wiki.'.id';
+			$sql='DELETE '.$tbl_wiki_discuss.' FROM '.$tbl_wiki.', '.$tbl_wiki_discuss.' WHERE '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_discuss.'.publication_id='.$tbl_wiki.'.id';
 			Database::query($sql);

-			$sql='DELETE '.$tbl_wiki_mailcue.' FROM '.$tbl_wiki.', '.$tbl_wiki_mailcue.' WHERE '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_mailcue.'.id='.$tbl_wiki.'.id';
+			$sql='DELETE '.$tbl_wiki_mailcue.' FROM '.$tbl_wiki.', '.$tbl_wiki_mailcue.' WHERE '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_mailcue.'.id='.$tbl_wiki.'.id';
 			Database::query($sql);

-			$sql='DELETE FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.'';
-	  		Database::query($sql);
+			$sql='DELETE FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.'';
+ 	  		Database::query($sql);

 			check_emailcue(0, 'E');

@ -993,7 +989,7 @@ if ($_GET['action']=='searchpages')
 	echo '<div class="actions">'.get_lang('SearchPages').'</div>';
 	echo '<div style="overflow:hidden">';
 	// initiate the object
-	$form = new FormValidator('wiki_search','post', api_get_self().'?cidReq='.Security::remove_XSS($_GET['cidReq']).'&action='.Security::remove_XSS($_GET['action']).'&group_id='.Security::remove_XSS($_GET['group_id']));
+	$form = new FormValidator('wiki_search','post', api_get_self().'?cidReq='.api_htmlentities($_GET['cidReq']).'&action='.api_htmlentities($_GET['action']).'&group_id='.api_htmlentities($_GET['group_id']));

 	// settting the form elements

@ -1031,9 +1027,9 @@ if ($_GET['action']=='links')
 	else
 	{

-		$sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.'';
-		$result=Database::query($sql);
-		$row=Database::fetch_array($result);
+		$sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.'';
+ 		$result=Database::query($sql);
+ 		$row=Database::fetch_array($result);

 		//get type assignment icon

@ -1058,7 +1054,7 @@ if ($_GET['action']=='links')
 		}

 		echo '<div id="wikititle">';
-		echo get_lang('LinksPagesFrom').': '.$ShowAssignment.' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.Security::remove_XSS($page).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.Security::remove_XSS($row['title']).'</a>';
+		echo get_lang('LinksPagesFrom').': '.$ShowAssignment.' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($page)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($row['title']).'</a>';
 		echo '</div>';

 		//fix index to title Main page into linksto
@ -1073,14 +1069,14 @@ if ($_GET['action']=='links')
 		{
 			//$sql="SELECT * FROM ".$tbl_wiki." s1 WHERE linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND id=(SELECT MAX(s2.id) FROM ".$tbl_wiki." s2 WHERE s1.reflink = s2.reflink AND ".$groupfilter.")"; //add blank space after like '%" " %' to identify each word. //Old version TODO: Replace by the bottom line

-			$sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word. // new version
+			$sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE linksto LIKE '%".Database::escape_string($page)." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word. // new version

 		}
 		else
 		{
 			//$sql="SELECT * FROM ".$tbl_wiki." s1 WHERE visibility=1 AND linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND id=(SELECT MAX(s2.id) FROM ".$tbl_wiki." s2 WHERE s1.reflink = s2.reflink AND ".$groupfilter.")"; //add blank space after like '%" " %' to identify each word //old version TODO: Replace by the bottom line

-			$sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE visibility=1 AND linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word // new version
+			$sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE visibility=1 AND linksto LIKE '%".Database::escape_string($page)." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word // new version

 		}

@ -1119,8 +1115,8 @@ if ($_GET['action']=='links')

 				$row = array ();
 				$row[] =$ShowAssignment;
-				$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.Security::remove_XSS($obj->title).'</a>';
-				$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
+				$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($obj->title).'</a>';
+				$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
 				$row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds;
 				$rows[] = $row;
 			}
@ -1214,8 +1210,8 @@ if ($_GET['action']=='edit')

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.$condition_session.' ORDER BY id DESC';
-	$result=Database::query($sql);
+	$sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.$condition_session.' ORDER BY id DESC';
+ 	$result=Database::query($sql);
 	$row=Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version


@ -1269,12 +1265,12 @@ if ($_GET['action']=='edit')
 		}

 		// check if is a assignment
-		if(stripslashes($row['assignment'])==1)
+		if($row['assignment']==1)
 		{
 		    Display::display_normal_message(get_lang('EditAssignmentWarning'));
 			$icon_assignment='<img src="../img/wiki/assignment.gif" title="'.get_lang('AssignmentDescExtra').'" alt="'.get_lang('AssignmentDescExtra').'" />';
 		}
-		elseif(stripslashes($row['assignment'])==2)
+		elseif($row['assignment']==2)
 		{
 			$icon_assignment='<img src="../img/wiki/works.gif" title="'.get_lang('AssignmentWorkExtra').'" alt="'.get_lang('AssignmentWorkExtra').'" />';
 			if((api_get_user_id()==$row['user_id'])==false)
@ -1396,7 +1392,7 @@ if ($_GET['action']=='edit')
 					}

 					//comp message
-					$message_task='<b>'.get_lang('DescriptionOfTheTask').'</b><p>'.$row['task'].'</p><hr>';
+					$message_task='<b>'.get_lang('DescriptionOfTheTask').'</b><p>'.api_htmlentities($row['task']).'</p><hr>';
 					$message_task.='<p>'.get_lang('StartDate').': '.$message_task_startdate.'</p>';
 					$message_task.='<p>'.get_lang('EndDate').': '.$message_task_enddate;
 					$message_task.=' ('.get_lang('AllowLaterSends').') '.$message_task_delayedsubmit.'</p>';
@ -1410,17 +1406,17 @@ if ($_GET['action']=='edit')

 				if($row['progress']==$row['fprogress1'] && !empty($row['fprogress1']))
 				{
-					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.$row['feedback1'].'</p>';
+					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.api_htmlentities($row['feedback1']).'</p>';
 					Display::display_normal_message($feedback_message, false);
 				}
 				elseif($row['progress']==$row['fprogress2'] && !empty($row['fprogress2']))
 				{
-					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.$row['feedback2'].'</p>';
+					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.api_htmlentities($row['feedback2']).'</p>';
 					Display::display_normal_message($feedback_message, false);
 				}
 				elseif($row['progress']==$row['fprogress3'] && !empty($row['fprogress3']))
 				{
-					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.$row['feedback3'].'</p>';
+					$feedback_message='<b>'.get_lang('Feedback').'</b><p>'.api_htmlentities($row['feedback3']).'</p>';
 					Display::display_normal_message($feedback_message, false);
 				}

@ -1442,16 +1438,16 @@ if ($_GET['action']=='edit')

 					$userinfo=Database::get_user_info_from_id($row['is_editing']);

-					$is_being_edited= get_lang('ThisPageisBeginEditedBy').' <a href=../user/userInfo.php?uInfo='.$userinfo['user_id'].'>'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>. '.get_lang('ThisPageisBeginEditedTryLater').' '.date( "i",$rest_time).' '.get_lang('MinMinutes').'';
+					$is_being_edited= get_lang('ThisPageisBeginEditedBy').' <a href=../user/userInfo.php?uInfo='.$userinfo['user_id'].'>'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>. '.get_lang('ThisPageisBeginEditedTryLater').' '.date( "i",$rest_time).' '.get_lang('MinMinutes').'';
 					Display::display_normal_message($is_being_edited, false);
 					exit;
 				}
 				//form
-				echo '<form name="form1" method="post" action="'.api_get_self().'?action=showpage&amp;title='.$page.'&group_id='.Security::remove_XSS($_GET['group_id']).'">';
+				echo '<form name="form1" method="post" action="'.api_get_self().'?action=showpage&amp;title='.api_htmlentities(urlencode($page)).'&group_id='.api_htmlentities($_GET['group_id']).'">';


 				echo '<div id="wikititle" >';
-				echo '<div style="width:70%;float:left;">'.$icon_assignment.str_repeat('&nbsp;',3).$title.'</div>';
+				echo '<div style="width:70%;float:left;">'.$icon_assignment.str_repeat('&nbsp;',3).api_htmlentities($title).'</div>';

 				if((api_is_allowed_to_edit(false,true) || api_is_platform_admin()) && $row['reflink']!='index')
 				{
@ -1470,7 +1466,7 @@ if ($_GET['action']=='edit')
 					echo '<td>'.get_lang('DescriptionOfTheTask').'</td>';
 					echo '</tr>';
 					echo '<tr>';
-					echo '<td>'.api_disp_html_area('task', stripslashes($row['task']), '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).'</td>';
+					echo '<td>'.api_disp_html_area('task', $row['task'], '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).'</td>';
 					echo '</tr>';
 					echo '</table>';
 					echo '</div>';
@ -1487,14 +1483,14 @@ if ($_GET['action']=='edit')
 					echo '<td colspan="2">'.get_lang('Feedback3').'</td>';
 					echo '</tr>';
 					echo '<tr>';
-					echo '<td colspan="2"><textarea name="feedback1" cols="23" rows="4" >'.stripslashes($row['feedback1']).'</textarea></td>';
-					echo '<td colspan="2"><textarea name="feedback2" cols="23" rows="4" >'.stripslashes($row['feedback2']).'</textarea></td>';
-					echo '<td colspan="2"><textarea name="feedback3" cols="23" rows="4" >'.stripslashes($row['feedback3']).'</textarea></td>';
+					echo '<td colspan="2"><textarea name="feedback1" cols="23" rows="4" >'.api_htmlentities($row['feedback1']).'</textarea></td>';
+					echo '<td colspan="2"><textarea name="feedback2" cols="23" rows="4" >'.api_htmlentities($row['feedback2']).'</textarea></td>';
+					echo '<td colspan="2"><textarea name="feedback3" cols="23" rows="4" >'.api_htmlentities($row['feedback3']).'</textarea></td>';
 					echo '</tr>';
 					echo '<tr>';
 					echo '<td>'.get_lang('FProgress').':</td>';
 					echo '<td><select name="fprogress1">';
-				 	echo '<option value="'.stripslashes($row['fprogress1']).'" selected>'.stripslashes($row['fprogress1']).'</option>';
+				 	echo '<option value="'.api_htmlentities($row['fprogress1']).'" selected>'.api_htmlentities($row['fprogress1']).'</option>';
 					echo '<option value="10">10</option>
 					   <option value="20">20</option>
 					   <option value="30">30</option>
@ -1508,7 +1504,7 @@ if ($_GET['action']=='edit')
 					   </select> %</td>';
 					echo '<td>'.get_lang('FProgress').':</td>';
 					echo '<td><select name="fprogress2">';
-				 	echo '<option value="'.stripslashes($row['fprogress2']).'" selected>'.stripslashes($row['fprogress2']).'</option>';
+				 	echo '<option value="'.api_htmlentities($row['fprogress2']).'" selected>'.api_htmlentities($row['fprogress2']).'</option>';;
 					echo '<option value="10">10</option>
 					   <option value="20">20</option>
 					   <option value="30">30</option>
@ -1522,7 +1518,7 @@ if ($_GET['action']=='edit')
 					   </select> %</td>';
 					echo '<td>'.get_lang('FProgress').':</td>';
 					echo '<td><select name="fprogress3">';
-				 	echo '<option value="'.stripslashes($row['fprogress3']).'" selected>'.stripslashes($row['fprogress3']).'</option>';
+				 	echo '<option value="'.api_htmlentities($row['fprogress3']).'" selected>'.api_htmlentities($row['fprogress3']).'</option>';
 					echo '<option value="10">10</option>
 					   <option value="20">20</option>
 					   <option value="30">30</option>
@ -1572,7 +1568,7 @@ if ($_GET['action']=='edit')
 					echo '</tr>';
 					echo '<tr>';
 					echo '<td align="right">'.get_lang('AllowLaterSends').':</td>';
-					if (stripslashes($row['delayedsubmit'])==1)
+					if ($row['delayedsubmit']==1)
 					{
 						$check_uncheck='checked';
 					}
@ -1585,7 +1581,7 @@ if ($_GET['action']=='edit')
 					echo '<div>&nbsp;</div><input type="checkbox" value="1" name="checkotherlimit" onclick="if(this.checked==true){document.getElementById(\'option3\').style.display=\'block\';}else{document.getElementById(\'option3\').style.display=\'none\';}"/>&nbsp;'.get_lang('OtherSettings').'';
 					echo '&nbsp;&nbsp;&nbsp;<span id="msg_error3" style="display:none;color:red"></span>';
 					echo '<div id="option3" style="padding:4px; margin:5px; border:1px dotted; display:none;">';
-					echo '<div style="font-weight:normal"; align="center">'.get_lang('NMaxWords').':&nbsp;<input type="text" name="max_text" size="3" value="'.stripslashes($row['max_text']).'">&nbsp;&nbsp;'.get_lang('NMaxVersion').':&nbsp;<input type="text" name="max_version" size="3" value="'.stripslashes($row['max_version']).'"></div>';
+					echo '<div style="font-weight:normal"; align="center">'.get_lang('NMaxWords').':&nbsp;<input type="text" name="max_text" size="3" value="'.$row['max_text'].'">&nbsp;&nbsp;'.get_lang('NMaxVersion').':&nbsp;<input type="text" name="max_version" size="3" value="'.$row['max_version'].'"></div>';
 					echo '</div>';

 					//
@ -1596,10 +1592,10 @@ if ($_GET['action']=='edit')
 				echo '<div id="wikicontent">';

 				echo '<input type="hidden" name="page_id" value="'.$page_id.'">';
-				echo '<input type="hidden" name="reflink" value="'.$page.'">';
-				echo '<input type="hidden" name="title" value="'.stripslashes($title).'">';
+				echo '<input type="hidden" name="reflink" value="'.api_htmlentities($page).'">';
+				echo '<input type="hidden" name="title" value="'.api_htmlentities($title).'">';

-				api_disp_html_area('content', stripslashes($content), '', '', null, api_is_allowed_to_edit(null,true)
+				api_disp_html_area('content', $content, '', '', null, api_is_allowed_to_edit(null,true)
 					? array('ToolbarSet' => 'Wiki', 'Width' => '100%', 'Height' => '400')
 					: array('ToolbarSet' => 'WikiStudent', 'Width' => '100%', 'Height' => '400', 'UserStatus' => 'student')
 				);
@ -1609,16 +1605,16 @@ if ($_GET['action']=='edit')
 				//{
 				echo get_lang('Comments').':&nbsp;&nbsp;<input type="text" name="comment" size="40">&nbsp;&nbsp;&nbsp;';
 				//}
-				echo '<INPUT TYPE="hidden" NAME="assignment" VALUE="'.stripslashes($row['assignment']).'"/>';
-				echo '<INPUT TYPE="hidden" NAME="version" VALUE="'.stripslashes($row['version']).'"/>';
+				echo '<INPUT TYPE="hidden" NAME="assignment" VALUE="'.$row['assignment'].'"/>';
+				echo '<INPUT TYPE="hidden" NAME="version" VALUE="'.$row['version'].'"/>';

 				//hack date for edit
-				echo '<INPUT TYPE="hidden" NAME="startdate_assig" VALUE="'.stripslashes($row['startdate_assig']).'"/>';
-				echo '<INPUT TYPE="hidden" NAME="enddate_assig" VALUE="'.stripslashes($row['enddate_assig']).'"/>';
+				echo '<INPUT TYPE="hidden" NAME="startdate_assig" VALUE="'.$row['startdate_assig'].'"/>';
+				echo '<INPUT TYPE="hidden" NAME="enddate_assig" VALUE="'.$row['enddate_assig'].'"/>';

 				//
 				echo get_lang('Progress').':&nbsp;&nbsp;<select name="progress" id="progress">';
-				echo '<option value="'.stripslashes($row['progress']).'" selected>'.stripslashes($row['progress']).'</option>';
+				echo '<option value="'.api_htmlentities($row['progress']).'" selected>'.api_htmlentities($row['progress']).'</option>';
 				echo '<option value="10">10</option>
 				<option value="20">20</option>
 				<option value="30">30</option>
@ -1643,7 +1639,7 @@ if ($_GET['action']=='edit')
 /////////////////////// page history ///////////////////////


-if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifferences']))
+if ($_GET['action']=='history' or $_POST['HistoryDifferences'])
 {
 	if (!$_GET['title'])
 	{
@ -1656,7 +1652,7 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference

    //First, see the property visibility that is at the last register and therefore we should select descending order. But to give ownership to each record, this is no longer necessary except for the title. TODO: check this

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
 	$result=Database::query($sql);

 	while ($row=Database::fetch_array($result))
@ -1686,17 +1682,17 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference
 		if (!$_POST['HistoryDifferences'] && !$_POST['HistoryDifferences2'] )
 		{

-			$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
+			$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
 			$result=Database::query($sql);

-			$title		= Security::remove_XSS($_GET['title']);
-			$group_id	= Security::remove_XSS($_GET['group_id']);
+			$title		= $_GET['title'];
+			$group_id	= $_GET['group_id'];

 			echo '<div id="wikititle">';
-			echo $icon_assignment.'&nbsp;&nbsp;&nbsp;'.$KeyTitle;
+			echo $icon_assignment.'&nbsp;&nbsp;&nbsp;'.api_htmlentities($KeyTitle);
 			echo '</div>';
 			echo '<div id="wikicontent">';
-			echo '<form id="differences" method="POST" action="index.php?cidReq='.$_course[id].'&action=history&title='.$title.'&group_id='.$group_id.'">';
+			echo '<form id="differences" method="POST" action="index.php?cidReq='.$_course[id].'&action=history&title='.api_htmlentities(urlencode($title)).'&group_id='.api_htmlentities($group_id).'">';

 			echo '<ul style="list-style-type: none;">';
 			echo '<br/>';
@ -1718,8 +1714,8 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference
 				($counter==1) ? $oldchecked=' checked':$oldchecked='';
 				echo '<input name="old" value="'.$row['id'].'" type="radio" '.$oldstyle.' '.$oldchecked.'/> ';
 				echo '<input name="new" value="'.$row['id'].'" type="radio" '.$newstyle.' '.$newchecked.'/> ';
-				echo '<a href="'.api_get_self().'?action=showpage&amp;title='.$page.'&amp;view='.$row['id'].'">';
-				echo '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&amp;title='.$page.'&amp;view='.$row['id'].'&group_id='.$group_id.'">';
+				echo '<a href="'.api_get_self().'?action=showpage&amp;title='.api_htmlentities(urlencode($page)).'&amp;view='.$row['id'].'">';
+				echo '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode($page)).'&amp;view='.$row['id'].'&group_id='.$group_id.'">';

 				echo api_convert_and_format_date($row['dtime'], null, date_default_timezone_get());
 				echo '</a>';
@ -1727,19 +1723,19 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference
 				echo ' '.get_lang('By').' ';
 				if ($row['user_id']<>0)
 				{
-					echo '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>';
+					echo '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>';
 				}
 				else
 				{
-					echo get_lang('Anonymous').' ('.$row[user_ip].')';
+					echo get_lang('Anonymous').' ('.api_htmlentities($row[user_ip]).')';
 				}

-				echo ' ( '.get_lang('Progress').': '.$row['progress'].'%, ';
+				echo ' ( '.get_lang('Progress').': '.api_htmlentities($row['progress']).'%, ';
 				$comment=$row['comment'];

 				if (!empty($comment))
 				{
-					echo get_lang('Comments').': '.api_substr(api_htmlentities($row['comment'], ENT_QUOTES, $charset),0,100);
+					echo get_lang('Comments').': '.api_htmlentities(api_substr($row['comment'],0,100));
 					if (api_strlen($row['comment'])>100)
 					{
 						echo '... ';
@ -1774,21 +1770,21 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference
 			{
 				include('diff.inc.php');
 				//title
-				echo '<div id="wikititle">'.stripslashes($version_new['title']).' <font size="-2"><i>('.get_lang('DifferencesNew').'</i> <font style="background-color:#aaaaaa">'.stripslashes($version_new['dtime']).'</font> <i>'.get_lang('DifferencesOld').'</i> <font style="background-color:#aaaaaa">'.stripslashes($version_old['dtime']).'</font>) '.get_lang('Legend').':  <span class="diffAdded" >'.get_lang(WikiDiffAddedLine).'</span> <span class="diffDeleted" >'.get_lang(WikiDiffDeletedLine).'</span> <span class="diffMoved" >'.get_lang(WikiDiffMovedLine).'</span></font></div>';
+				echo '<div id="wikititle">'.api_htmlentities($version_new['title']).' <font size="-2"><i>('.get_lang('DifferencesNew').'</i> <font style="background-color:#aaaaaa">'.$version_new['dtime'].'</font> <i>'.get_lang('DifferencesOld').'</i> <font style="background-color:#aaaaaa">'.$version_old['dtime'].'</font>) '.get_lang('Legend').':  <span class="diffAdded" >'.get_lang(WikiDiffAddedLine).'</span> <span class="diffDeleted" >'.get_lang(WikiDiffDeletedLine).'</span> <span class="diffMoved" >'.get_lang(WikiDiffMovedLine).'</span></font></div>';
 			}
 			if(isset($_POST['HistoryDifferences2']))
 			{
 				require_once 'Text/Diff.php';
   				require_once 'Text/Diff/Renderer/inline.php';
 				//title
-				echo '<div id="wikititle">'.stripslashes($version_new['title']).' <font size="-2"><i>('.get_lang('DifferencesNew').'</i> <font style="background-color:#aaaaaa">'.stripslashes($version_new['dtime']).'</font> <i>'.get_lang('DifferencesOld').'</i> <font style="background-color:#aaaaaa">'.stripslashes($version_old['dtime']).'</font>) '.get_lang('Legend').':  <span class="diffAddedTex" >'.get_lang(WikiDiffAddedTex).'</span> <span class="diffDeletedTex" >'.get_lang(WikiDiffDeletedTex).'</span></font></div>';
+				echo '<div id="wikititle">'.api_htmlentities($version_new['title']).' <font size="-2"><i>('.get_lang('DifferencesNew').'</i> <font style="background-color:#aaaaaa">'.$version_new['dtime'].'</font> <i>'.get_lang('DifferencesOld').'</i> <font style="background-color:#aaaaaa">'.$version_old['dtime'].'</font>) '.get_lang('Legend').':  <span class="diffAddedTex" >'.get_lang(WikiDiffAddedTex).'</span> <span class="diffDeletedTex" >'.get_lang(WikiDiffDeletedTex).'</span></font></div>';
 			}

 			echo '<div class="diff"><br /><br />';

 			if(isset($_POST['HistoryDifferences']))
 			{
-				echo '<table>'.diff( stripslashes($version_old['content']), stripslashes($version_new['content']), true, 'format_table_line' ).'</table>'; // format_line mode is better for words
+				echo '<table>'.diff( $version_old['content'], $version_new['content'], true, 'format_table_line' ).'</table>'; // format_line mode is better for words
 				echo '</div>';

 				echo '<br />';
@ -1860,7 +1856,7 @@ if ($_GET['action']=='recentchanges') {
 	}

 	echo '<div class="actions"><span style="float: right;">';
-	echo '<a href="index.php?action=recentchanges&amp;actionpage='.$lock_unlock_notify_all.'&amp;title='.$page.'">'.$notify_all.'</a>';
+	echo '<a href="index.php?action=recentchanges&amp;actionpage='.$lock_unlock_notify_all.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$notify_all.'</a>';
 	echo '</span>'.get_lang('RecentChanges').'</div>';


@ -1916,9 +1912,9 @@ if ($_GET['action']=='recentchanges') {
 			$row = array ();
 			$row[] = api_convert_and_format_date($obj->dtime, null, date_default_timezone_get());
 			$row[] = $ShowAssignment.$icon_task;
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&amp;view='.$obj->id.'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->title.'</a>';
-			$row[] = $obj->version>1 ? get_lang('EditedBy') : get_lang('AddedBy');
-			$row[] = $obj->user_id <> 0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&amp;view='.$obj->id.'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($obj->title).'</a>';
+ 			$row[] = $obj->version>1 ? get_lang('EditedBy') : get_lang('AddedBy');
+			$row[] = $obj->user_id <> 0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>' : get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')';
 			$rows[] = $row;
 		}

@ -1996,16 +1992,16 @@ if ($_GET['action']=='allpages')

 			$row = array ();
 			$row[] =$ShowAssignment.$icon_task;
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.Security::remove_XSS($obj->title).'</a>';
-			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.api_htmlentities($obj->title).'</a>';
+			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>' : get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')';
 			$row[] = api_convert_and_format_date($obj->dtime, null, date_default_timezone_get());

 			if(api_is_allowed_to_edit(false,true)|| api_is_platform_admin())
 			{
-				$showdelete=' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=delete&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/delete.gif" title="'.get_lang('Delete').'" alt="'.get_lang('Delete').'" />';
+				$showdelete=' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=delete&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/delete.gif" title="'.get_lang('Delete').'" alt="'.get_lang('Delete').'" />';
 			}
 			if (api_is_allowed_to_session_edit(false,true) )
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=edit&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/lp_quiz.png" title="'.get_lang('EditPage').'" alt="'.get_lang('EditPage').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=discuss&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/comment_bubble.gif" title="'.get_lang('Discuss').'" alt="'.get_lang('Discuss').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=history&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/history.gif" title="'.get_lang('History').'" alt="'.get_lang('History').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=links&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/lp_link.png" title="'.get_lang('LinksPages').'" alt="'.get_lang('LinksPages').'" /></a>'.$showdelete;
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=edit&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/lp_quiz.png" title="'.get_lang('EditPage').'" alt="'.get_lang('EditPage').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=discuss&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/comment_bubble.gif" title="'.get_lang('Discuss').'" alt="'.get_lang('Discuss').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=history&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/history.gif" title="'.get_lang('History').'" alt="'.get_lang('History').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=links&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/lp_link.png" title="'.get_lang('LinksPages').'" alt="'.get_lang('LinksPages').'" /></a>'.$showdelete;
 			$rows[] = $row;
 		}

@ -2037,25 +2033,25 @@ if ($_GET['action']=='discuss')
    }

 	//first extract the date of last version
-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);
 	$lastversiondate=api_convert_and_format_date($row['dtime'], null, date_default_timezone_get());
 	$lastuserinfo=Database::get_user_info_from_id($row['user_id']);

 	//select page to discuss
-    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id ASC';
+    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id ASC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);
 	$id=$row['id'];
 	$firstuserid=$row['user_id'];

 	//mode assignment: previous to show  page type
-	if(stripslashes($row['assignment'])==1)
+	if($row['assignment']==1)
 	    {
 		$icon_assignment='<img src="../img/wiki/assignment.gif" title="'.get_lang('AssignmentDescExtra').'" alt="'.get_lang('AssignmentDescExtra').'" />';
 	    }
-	elseif(stripslashes($row['assignment'])==2)
+	elseif($row['assignment']==2)
 	{
 		$icon_assignment='<img src="../img/wiki/works.gif" title="'.get_lang('AssignmentWorkExtra').'" alt="'.get_lang('AssignmentWorkExtra').'" />';
 	}
@ -2085,7 +2081,7 @@ if ($_GET['action']=='discuss')
 				}
 			}
 			echo '<span style="float:right">';
-			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_disc.'&amp;title='.$page.'">'.$addlock_disc.'</a>';
+			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_disc.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$addlock_disc.'</a>';
 			echo '</span>';

 			// discussion action: visibility.  Show discussion to students if isn't hidden. Show page to all teachers if is hidden.
@ -2111,7 +2107,7 @@ if ($_GET['action']=='discuss')
 				}
 			}
 			echo '<span style="float:right">';
-			echo '<a href="index.php?action=discuss&amp;actionpage='.$hide_show_disc.'&amp;title='.$page.'">'.$visibility_disc.'</a>';
+			echo '<a href="index.php?action=discuss&amp;actionpage='.$hide_show_disc.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$visibility_disc.'</a>';
 			echo '</span>';

 			//discussion action: check add rating lock. Show/Hide list to rating for all student
@ -2131,7 +2127,7 @@ if ($_GET['action']=='discuss')
 			}

 			echo '<span style="float:right">';
-			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_rating_disc.'&amp;title='.$page.'">'.$ratinglock_disc.'</a>';
+			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_rating_disc.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$ratinglock_disc.'</a>';
 			echo '</span>';

 			//discussion action: email notification
@ -2146,12 +2142,12 @@ if ($_GET['action']=='discuss')
 				$lock_unlock_notify_disc='locknotifydisc';
 			}
 			echo '<span style="float:right">';
-			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_notify_disc.'&amp;title='.$page.'">'.$notify_disc.'</a>';
+			echo '<a href="index.php?action=discuss&amp;actionpage='.$lock_unlock_notify_disc.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$notify_disc.'</a>';
 			echo '</span>';

-			echo $icon_assignment.'&nbsp;&nbsp;&nbsp;'.$row['title'];
+			echo $icon_assignment.'&nbsp;&nbsp;&nbsp;'.api_htmlentities($row['title']);

-			echo ' ('.get_lang('MostRecentVersionBy').' <a href="../user/userInfo.php?uInfo='.$lastuserinfo['user_id'].'">'.api_get_person_name($lastuserinfo['firstname'], $lastuserinfo['lastname']).'</a> '.$lastversiondate.$countWPost.')'.$avg_WPost_score.' '; //TODO: read avg score
+			echo ' ('.get_lang('MostRecentVersionBy').' <a href="../user/userInfo.php?uInfo='.$lastuserinfo['user_id'].'">'.api_htmlentities(api_get_person_name($lastuserinfo['firstname'], $lastuserinfo['lastname'])).'</a> '.$lastversiondate.$countWPost.')'.$avg_WPost_score.' '; //TODO: read avg score

 			echo '</div>';

@ -2246,7 +2242,7 @@ if ($_GET['action']=='discuss')

 			echo ' - '.get_lang('RatingMedia').': '.$avg_WPost_score; // average rating

-			$sql='UPDATE '.$tbl_wiki.' SET score="'.Database::escape_string($avg_WPost_score).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session;	// check if work ok. TODO:
+			$sql='UPDATE '.$tbl_wiki.' SET score="'.Database::escape_string($avg_WPost_score).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session;	// check if work ok. TODO:
 				Database::query($sql);

 			echo '<hr noshade size="1">';
@ -2273,12 +2269,12 @@ if ($_GET['action']=='discuss')
 					$image_path = UserManager::get_user_picture_path_by_id($user_id,'web',false, true);
 					$image_repository = $image_path['dir'];
 					$existing_image = $image_path['file'];
-					$author_photo= '<img src="'.$image_repository.$existing_image.'" alt="'.$name.'"  width="40" height="50" align="top" title="'.$name.'"  />';
+					$author_photo= '<img src="'.$image_repository.$existing_image.'" alt="'.api_htmlentities($name).'"  width="40" height="50" align="top" title="'.api_htmlentities($name).'"  />';

 				}
 				else
 				{
-					$author_photo= '<img src="'.api_get_path(WEB_CODE_PATH)."img/unknown.jpg".'" alt="'.$name.'"  width="40" height="50" align="top"  title="'.$name.'"  />';
+					$author_photo= '<img src="'.api_get_path(WEB_CODE_PATH)."img/unknown.jpg".'" alt="'.api_htmlentities($name).'"  width="40" height="50" align="top"  title="'.api_htmlentities($name).'"  />';
 				}

 				//stars
@ -2322,10 +2318,10 @@ if ($_GET['action']=='discuss')
 			echo '<p><table>';
 			echo '<tr>';
 			echo '<td rowspan="2">'.$author_photo.'</td>';
-			echo '<td style=" color:#999999"><a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a> ('.$author_status.') '.api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()).' - '.get_lang('Rating').': '.$row['p_score'].' '.$imagerating.' </td>';
+			echo '<td style=" color:#999999"><a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a> ('.$author_status.') '.api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()).' - '.get_lang('Rating').': '.$row['p_score'].' '.$imagerating.' </td>';
 			echo '</tr>';
 			echo '<tr>';
-			echo '<td>'.$row['comment'].'</td>';
+			echo '<td>'.api_htmlentities($row['comment']).'</td>';
 			echo '</tr>';
 			echo "</table>";
 			echo '<hr noshade size="1">';
--- a/main/wiki/wiki.inc.php
+++ b/main/wiki/wiki.inc.php
@ -2,12 +2,9 @@
 /* For licensing terms, see /license.txt */

 /**
-*	The Dokeos wiki is a further development of the CoolWiki plugin.
 *
 *	@Author Patrick Cool <patrick.cool@UGent.be>, Ghent University, Belgium
 * 	@Author Juan Carlos Raña <herodoto@telefonica.net>
-*	@Copyright Ghent University
-*	@Copyright Patrick Cool
 *
 * 	@package chamilo.wiki
 */
@ -45,7 +42,7 @@ function checktitle($paramwk)
 	global $tbl_wiki;
 	global $groupfilter;

-	$sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($paramwk)))).'" AND '.$groupfilter.''; // TODO: check if need entity
+	$sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($paramwk).'" AND '.$groupfilter.'';
 	$result=Database::query($sql);
 	$numberofresults=Database::num_rows($result);

@ -236,17 +233,17 @@ function make_wiki_link_clickable($input)
 			if ($link==get_lang('DefaultTitle')){
 				$link='index';
 			}
-
+			$link = api_html_entity_decode($link);

 			// note: checkreflink checks if the link is still free. If it is not used then it returns true, if it is used, then it returns false. Now the title may be different
 			if (checktitle(strtolower(str_replace(' ','_',$link))))
 			{
-				$input_array[$key]='<a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq='.$_course[id].'&action=addnew&amp;title='.urldecode($link).'&group_id='.$_clean['group_id'].'" class="new_wiki_link">'.$title.$titleg_ex.'</a>';
+				$input_array[$key]='<a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq='.$_course[id].'&action=addnew&amp;title='.api_htmlentities(urlencode($link)).'&group_id='.$_clean['group_id'].'" class="new_wiki_link">'.$title.$titleg_ex.'</a>';
 			}
 			else
 			{

-				$input_array[$key]='<a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.strtolower(str_replace(' ','_',$link)).'&group_id='.$_clean['group_id'].'" class="wiki_link">'.$title.$titleg_ex.'</a>';
+				$input_array[$key]='<a href="'.api_get_path(WEB_PATH).'main/wiki/index.php?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode(strtolower(str_replace(' ','_',$link)))).'&group_id='.$_clean['group_id'].'" class="wiki_link">'.$title.$titleg_ex.'</a>';
 			}
 			unset($input_array[$key-1]);
 			unset($input_array[$key+1]);
@ -426,6 +423,7 @@ function save_new_wiki() {
 	global $tbl_wiki;
    global $assig_user_id; //need for assignments mode
 	global $tbl_wiki_conf;
+	global $page;

 	// cleaning the variables
 	$_clean['assignment']=Database::escape_string($_POST['assignment']);
@ -434,11 +432,11 @@ function save_new_wiki() {
 	$session_id = api_get_session_id();

 	if($_clean['assignment']==2 || $_clean['assignment']==1) {// Unlike ordinary pages of pages of assignments. Allow create a ordinary page although there is a assignment with the same name
-		$_clean['reflink']=Database::escape_string(str_replace(' ','_',trim($_POST['title'])."_uass".$assig_user_id));
+		$page = str_replace(' ','_',$_POST['title']."_uass".$assig_user_id);
    } else {
-	 	$_clean['reflink']=Database::escape_string(str_replace(' ','_',trim($_POST['title'])));
+	 	$page = str_replace(' ','_',$_POST['title']);
 	}
-
+	$_clean['reflink']=Database::escape_string($page);
 	$_clean['title']=Database::escape_string(trim($_POST['title']));
 	$_clean['content']= Database::escape_string($_POST['content']);

@ -528,7 +526,7 @@ function save_new_wiki() {

 		   check_emailcue(0, 'A');

-		   $_POST['reflink']=$_clean['reflink'];
+		   // $_POST['reflink']=$_clean['reflink']; //JUAN CARLOS REVISAME ESTA LINEA LA BORRA Y NO TENGO CLARO EL RESULTADO. TAMBIEN HAY UNAS CUANTAS VARIABLES $PAGE QUE CREA QUE HABRÍA QUE REVISAR

 		   return get_lang('NewWikiSaved');

@ -544,7 +542,7 @@ function save_new_wiki() {
 **/
 function display_new_wiki_form()
 {
-global $_course;
+global $_course, $page;
 ?>
 <script type="text/javascript">
 function CheckSend()
@ -566,9 +564,9 @@ return true;
 </script>
 <?php
 	//form
-	echo '<form name="form1" method="post" onsubmit="return CheckSend()" action="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&amp;title='.$page.'&group_id='.Security::remove_XSS($_GET['group_id']).'">';
+	echo '<form name="form1" method="post" onsubmit="return CheckSend()" action="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&amp;title='.api_htmlentities(urlencode(strtolower(str_replace(' ','_',$page)))).'&group_id='.api_htmlentities($_GET['group_id']).'">';
 	echo '<div id="wikititle" style="min-height:30px;">';
-	echo  '<div style="width:70%;float:left;"><span class="form_required">*</span> '.get_lang(Title).': <input type="text" id="wiki_title" name="title" value="'.urldecode($_GET['title']).'" size="40"></div>';
+	echo  '<div style="width:70%;float:left;"><span class="form_required">*</span> '.get_lang(Title).': <input type="text" id="wiki_title" name="title" value="'.api_htmlentities($_GET['title']).'" size="40"></div>';

 	if(api_is_allowed_to_edit(false,true) || api_is_platform_admin())
 	{
@ -589,7 +587,7 @@ return true;
 		echo '</tr>';
 		echo '<tr>';
 		//echo '<td><textarea name="task" cols="60" rows="4" >'.stripslashes($row['task']).'</textarea></td>';	// TODO: ¿delete?
-		echo '<td>'.api_disp_html_area('task', stripslashes($row['task']), '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).'</td>';
+		echo '<td>'.api_disp_html_area('task', $row['task'], '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).'</td>';
 		echo '</tr>';
 		echo '</table>';
 		echo '</div>';
@ -750,13 +748,13 @@ function display_wiki_entry($newtitle)
 	}

 	//first, check page visibility in the first page version
-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($pageMIX)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($pageMIX).'" AND '.$groupfilter.' ORDER BY id ASC';
 		$result=Database::query($sql);
 		$row=Database::fetch_array($result);
 		$KeyVisibility=$row['visibility'];

 	// second, show the last version
-	$sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.api_html_entity_decode(Database::escape_string(stripslashes(urldecode($pageMIX)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' '.$filter.' ORDER BY id DESC';
+	$sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.Database::escape_string($pageMIX).'" AND '.$tbl_wiki.'.'.$groupfilter.' '.$filter.' ORDER BY id DESC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version

@ -789,16 +787,16 @@ function display_wiki_entry($newtitle)
 	else
 	{
  		$content=Security::remove_XSS($row['content'],COURSEMANAGERLOWSECURITY);
-		$title= Security::remove_XSS($row['title']);
+		$title= $row['title'];
 	}


 	//assignment mode: identify page type
-	if(stripslashes($row['assignment'])==1)
+	if($row['assignment']==1)
 	{
 		$icon_assignment='<img src="../img/wiki/assignment.gif" title="'.get_lang('AssignmentDescExtra').'" alt="'.get_lang('AssignmentDescExtra').'" />';
 	}
-	elseif(stripslashes($row['assignment'])==2)
+	elseif($row['assignment']==2)
 	{
 		$icon_assignment='<img src="../img/wiki/works.gif" title="'.get_lang('AssignmentWorkExtra').'" alt="'.get_lang('AssignmentWorkExtra').'" />';
 	}
@ -830,7 +828,7 @@ function display_wiki_entry($newtitle)
 			}
 		}
 		echo '<span style="float:right;padding:4px 3px 4px 3px;">';
-		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_protect.'&amp;title='.$page.'">'.$protect_page.'</a>';
+		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_protect.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$protect_page.'</a>';
 		echo '</span>';

 		//page action: visibility
@ -854,7 +852,7 @@ function display_wiki_entry($newtitle)
 			}
 		}
 		echo '<span style="float:right;padding:4px 3px 4px 3px;">';
-		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_visibility.'&amp;title='.$page.'">'.$visibility_page.'</a>';
+		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_visibility.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$visibility_page.'</a>';
 		echo '</span>';

 		//page action: notification
@ -870,7 +868,7 @@ function display_wiki_entry($newtitle)
 			}
 		}
 		echo '<span style="float:right;padding:4px 3px 4px 3px;">';
-		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_notify_page.'&amp;title='.$page.'">'.$notify_page.'</a>';
+		echo '<a href="index.php?action=showpage&amp;actionpage='.$lock_unlock_notify_page.'&amp;title='.api_htmlentities(urlencode($page)).'">'.$notify_page.'</a>';
 		echo '</span>';

 		//page action: export to pdf
@ -924,17 +922,17 @@ function display_wiki_entry($newtitle)

 		if (wiki_exist($title))
 		{
-			echo $icon_assignment.'&nbsp;'.$icon_task.'&nbsp;'.stripslashes($title);
+			echo $icon_assignment.'&nbsp;'.$icon_task.'&nbsp;'.api_htmlentities($title);
 		}
 		else
 		{
-			echo stripslashes($title);
+			echo api_htmlentities($title);
 		}

 			echo '</div>';
-			echo '<div id="wikicontent">'. make_wiki_link_clickable(detect_external_link(detect_anchor_link(detect_mail_link(detect_ftp_link(detect_irc_link(detect_news_link(stripslashes($content)))))))).'</div>';
+			echo '<div id="wikicontent">'. make_wiki_link_clickable(detect_external_link(detect_anchor_link(detect_mail_link(detect_ftp_link(detect_irc_link(detect_news_link($content))))))).'</div>';

-		echo '<div id="wikifooter">'.get_lang('Progress').': '.stripslashes($row['progress']).'%&nbsp;&nbsp;&nbsp;'.get_lang('Rating').': '.stripslashes($row['score']).'&nbsp;&nbsp;&nbsp;'.get_lang('Words').': '.word_count($content).'</div>';
+		echo '<div id="wikifooter">'.get_lang('Progress').': '.$row['progress'].'%&nbsp;&nbsp;&nbsp;'.get_lang('Rating').': '.$row['score'].'&nbsp;&nbsp;&nbsp;'.get_lang('Words').': '.word_count($content).'</div>';

 	}//end filter visibility
 } // end function display_wiki_entry
@ -1081,7 +1079,7 @@ function check_protect_page()

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';

 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);
@ -1105,7 +1103,7 @@ function check_protect_page()
 		$sql='UPDATE '.$tbl_wiki.' SET editlock="'.Database::escape_string($status_editlock).'" WHERE id="'.$id.'"';
 	    Database::query($sql);

-	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	    $$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';

 	    $result=Database::query($sql);
 	    $row=Database::fetch_array($result);
@ -1132,7 +1130,7 @@ function check_visibility_page()

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);

@ -1153,11 +1151,11 @@ function check_visibility_page()
 			$status_visibility=0;
 		}

-		$sql='UPDATE '.$tbl_wiki.' SET visibility="'.Database::escape_string($status_visibility).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter;
+		$sql='UPDATE '.$tbl_wiki.' SET visibility="'.Database::escape_string($status_visibility).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter;
 	    Database::query($sql);

 	    //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page
-	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	    $result=Database::query($sql);
 	    $row=Database::fetch_array($result);

@ -1188,7 +1186,7 @@ function check_visibility_discuss()

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);

@ -1206,11 +1204,11 @@ function check_visibility_discuss()
 			$status_visibility_disc=0;
 		}

-		$sql='UPDATE '.$tbl_wiki.' SET visibility_disc="'.Database::escape_string($status_visibility_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter;
+		$sql='UPDATE '.$tbl_wiki.' SET visibility_disc="'.Database::escape_string($status_visibility_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter;
 	    Database::query($sql);

 	   //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page
-	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	    $result=Database::query($sql);
 	    $row=Database::fetch_array($result);

@ -1234,7 +1232,7 @@ function check_addlock_discuss()

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);

@ -1253,11 +1251,11 @@ function check_addlock_discuss()
 			$status_addlock_disc=0;
 		}

-		$sql='UPDATE '.$tbl_wiki.' SET addlock_disc="'.Database::escape_string($status_addlock_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter;
+		$sql='UPDATE '.$tbl_wiki.' SET addlock_disc="'.Database::escape_string($status_addlock_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter;
 	    Database::query($sql);

 	  	//Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page
-	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	    $result=Database::query($sql);
 	    $row=Database::fetch_array($result);

@ -1282,7 +1280,7 @@ function check_ratinglock_discuss()

 	$_clean['group_id']=(int)$_SESSION['_gid'];

-	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	$result=Database::query($sql);
 	$row=Database::fetch_array($result);

@ -1301,11 +1299,11 @@ function check_ratinglock_discuss()
 			$status_ratinglock_disc=0;
 		}

-		$sql='UPDATE '.$tbl_wiki.' SET ratinglock_disc="'.Database::escape_string($status_ratinglock_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter; //Visibility. Value to all,not only for the first
+		$sql='UPDATE '.$tbl_wiki.' SET ratinglock_disc="'.Database::escape_string($status_ratinglock_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter; //Visibility. Value to all,not only for the first
 	    Database::query($sql);

 	  	//Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page
-	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC';
+	    $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';
 	    $result=Database::query($sql);
 	    $row=Database::fetch_array($result);

@ -1722,7 +1720,6 @@ function export2doc($wikiTitle, $wikiContents, $groupId)
 	$exportDir = api_get_path(SYS_COURSE_PATH).api_get_course_path(). '/document'.$groupPath;
 	$exportFile = replace_dangerous_char($wikiTitle, 'strict') . $groupPart;

-	$wikiContents = stripslashes($wikiContents);
 	$wikiContents = trim(preg_replace("/\[\[|\]\]/", " ", $wikiContents));

 	$wikiContents = str_replace('{CONTENT}', $wikiContents, $template);
@ -1988,15 +1985,15 @@ function display_wiki_search_results($search_term, $search_content=0)

 			$row = array ();
 			$row[] =$ShowAssignment;
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.urlencode($obj->reflink).'&group_id='.Security::remove_XSS($_GET['group_id']).'">'.$obj->title.'</a>';
-			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=showpage&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'">'.$obj->title.'</a>';
+			$row[] = $obj->user_id <>0 ? '<a href="../user/userInfo.php?uInfo='.$userinfo['user_id'].'">'.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'</a>' : get_lang('Anonymous').' ('.$obj->user_ip.')';
 			$row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds;

 			if(api_is_allowed_to_edit(false,true)|| api_is_platform_admin())
 			{
-				$showdelete=' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=delete&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/delete.gif" title="'.get_lang('Delete').'" alt="'.get_lang('Delete').'" />';
+				$showdelete=' <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=delete&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/delete.gif" title="'.get_lang('Delete').'" alt="'.get_lang('Delete').'" />';
 			}
-			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=edit&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/lp_quiz.png" title="'.get_lang('EditPage').'" alt="'.get_lang('EditPage').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=discuss&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/comment_bubble.gif" title="'.get_lang('Discuss').'" alt="'.get_lang('Discuss').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=history&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/history.gif" title="'.get_lang('History').'" alt="'.get_lang('History').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=links&title='.urlencode(Security::remove_XSS($obj->reflink)).'&group_id='.Security::remove_XSS($_GET['group_id']).'"><img src="../img/lp_link.png" title="'.get_lang('LinksPages').'" alt="'.get_lang('LinksPages').'" /></a>'.$showdelete;
+			$row[] = '<a href="'.api_get_self().'?cidReq='.$_course[id].'&action=edit&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/lp_quiz.png" title="'.get_lang('EditPage').'" alt="'.get_lang('EditPage').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=discuss&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/comment_bubble.gif" title="'.get_lang('Discuss').'" alt="'.get_lang('Discuss').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=history&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/history.gif" title="'.get_lang('History').'" alt="'.get_lang('History').'" /></a> <a href="'.api_get_self().'?cidReq='.$_course[id].'&action=links&title='.api_htmlentities(urlencode($obj->reflink)).'&group_id='.api_htmlentities($_GET['group_id']).'"><img src="../img/lp_link.png" title="'.get_lang('LinksPages').'" alt="'.get_lang('LinksPages').'" /></a>'.$showdelete;

 			$rows[] = $row;
 		}