diff --git a/main/admin/course_request_edit.php b/main/admin/course_request_edit.php
index 9705ab5068..6d7f052cf8 100644
--- a/main/admin/course_request_edit.php
+++ b/main/admin/course_request_edit.php
@@ -148,7 +148,7 @@ if ($course_validation_feature) {
 // Filter incoming data.
 foreach ($course_request_values as &$value) {
- $value = trim(Security::remove_XSS($value));
+ $value = trim(Security::remove_XSS(stripslashes($value)));
 }
 // Detection which submit button has been pressed.
diff --git a/main/create_course/add_course.php b/main/create_course/add_course.php
index d79cbf05b8..6dbabeb9a9 100755
--- a/main/create_course/add_course.php
+++ b/main/create_course/add_course.php
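Review bot: The added `stripslashes()` in the `foreach` body runs unconditionally, so on a PHP where magic_quotes_gpc is off (it was removed in PHP 5.4) any backslash a user legitimately types into a request field is silently deleted before the value is stored; guard it on the runtime setting, `if (get_magic_quotes_gpc()) { $value = stripslashes($value); }`, or do the un-quoting once at the request boundary rather than per form. The same unconditional calls appear in the add_course.php hunk at -180. Separately, the `foreach (... as &$value)` loop leaves `$value` bound to the last element after its closing brace and no `unset($value);` is visible after the loop in this hunk, so a later plain `$value = ...` anywhere in this file would overwrite the last request field.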
@@ -180,38 +180,22 @@ $form->setDefaults($values);
 if ($form->validate()) {
 $course_values = $form->exportValues();
- $wanted_code = Security::remove_XSS($course_values['wanted_code']);
- $tutor_name = $course_values['tutor_name'];
+ $wanted_code = trim(Security::remove_XSS(stripslashes($course_values['wanted_code'])));
+ $tutor_name = stripslashes($course_values['tutor_name']);
 $category_code = $course_values['category_code'];
- $title = Security::remove_XSS($course_values['title']);
+ $title = Security::remove_XSS(stripslashes($course_values['title']));
 $course_language = $course_values['course_language'];
 $exemplary_content = !empty($course_values['exemplary_content']);
 if ($course_validation_feature) {
- $description = Security::remove_XSS($course_values['description']);
- $objetives = Security::remove_XSS($course_values['objetives']);
- $target_audience = Security::remove_XSS($course_values['target_audience']);
+ $description = Security::remove_XSS(stripslashes($course_values['description']));
+ $objetives = Security::remove_XSS(stripslashes($course_values['objetives']));
+ $target_audience = Security::remove_XSS(stripslashes($course_values['target_audience']));
 $status = '0';
-
- // TODO: Why escaping quotes is needed here?
- $description = str_replace('"', '', $description);
- $objetives = str_replace('"', '', $objetives);
- $target_audience = str_replace('"', '', $target_audience);
- }
-
- $wanted_code = Database::escape_string($wanted_code);
- $title = Database::escape_string($title);
-
- if ($course_validation_feature) {
- $description = Database::escape_string($description);
- $objetives = Database::escape_string($objetives);
- $target_audience = Database::escape_string($target_audience);
 }
- $wanted_code = trim($wanted_code);
 if ($wanted_code == '') {
 $wanted_code = generate_course_code(api_substr($title, 0, $maxlength));
- $wanted_code = Database::escape_string($wanted_code);
 }
 // Check whether the requested course code has already been occupied.
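Review bot: Removing `Database::escape_string()` for `$wanted_code` and `$title` here drops escaping on every path, but only the course-request sink (`CourseRequestManager::create_course_request`, later in this diff) visibly takes it over; the course-creation path used when `$course_validation_feature` is false lies below this hunk and is not shown, so confirm that its sink escapes `$wanted_code` and `$title` itself before they reach SQL. `$tutor_name` is the one free-text field in the hunk that gets `stripslashes()` without `Security::remove_XSS()`; if that asymmetry is deliberate (for instance because the value is only ever HTML-escaped on output) a one-line comment such as `// tutor_name is escaped at render time, not filtered here` would save the next reader from re-checking it. The enclosing `if ($form->validate())` block continues past the end of the hunk.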
@@ -246,7 +230,7 @@ if ($form->validate()) {
 // Preparing a confirmation message.
 $link = api_get_path(WEB_COURSE_PATH).$directory.'/';
 $message = get_lang('JustCreated');
- $message .= ' '.$title.'';
+ $message .= ' '.api_htmlentities($title, ENT_QUOTES).'';
 Display :: display_confirmation_message($message, false);
 echo '
' .
@@ -270,9 +254,7 @@ if ($form->validate()) {
 if ($request_id) {
 $course_request_info = CourseRequestManager::get_course_request_info($request_id);
- $visual_code = is_array($course_request_info) ? $course_request_info['visual_code'] : '';
- $message = get_lang('CourseRequestCreated');
- $message .= ' '.$visual_code.'';
+ $message = (is_array($course_request_info) ? ''.$course_request_info['code'].' : ' : '').get_lang('CourseRequestCreated');
 Display :: display_confirmation_message($message, false);
 echo '
' . ''.get_lang('Enter').'' .
diff --git a/main/inc/lib/course_request.lib.php b/main/inc/lib/course_request.lib.php
index b638433f05..de8f3a10e6 100644
--- a/main/inc/lib/course_request.lib.php
+++ b/main/inc/lib/course_request.lib.php
@@ -52,13 +52,7 @@ class CourseRequestManager {
 */
 public static function create_course_request($wanted_code, $title, $description, $category_code, $course_language, $objetives, $target_audience, $user_id, $exemplary_content) {
- $wanted_code = trim(Database::escape_string($wanted_code));
- $title = Database::escape_string($title);
- $description = Database::escape_string($description);
- $category_code = Database::escape_string($category_code);
- $course_language = Database::escape_string($course_language);
- $objetives = Database::escape_string($objetives);
- $target_audience = Database::escape_string($target_audience);
+ $wanted_code = trim($wanted_code);
 $user_id = (int)$user_id;
 $exemplary_content = (bool)$exemplary_content ? 1 : 0;
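Review bot: `$course_request_info['code']` is concatenated into the confirmation message on the new `$message = ...` line without `api_htmlentities()`, although the previous hunk in this same file wraps `$title` in `api_htmlentities($title, ENT_QUOTES)` for the same kind of message; the stored code originates from user input and comes back from the database here, so escape it the same way: `api_htmlentities($course_request_info['code'], ENT_QUOTES)`. The key also changes from `visual_code` to `code` on that line, which alters what the user sees — presumably intended, but worth a word in the commit message. The `echo` that follows runs past the end of the hunk.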
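Review bot: With the per-parameter `Database::escape_string()` calls removed at the top of `create_course_request`, the string parameters are now escaped only where the INSERT is built (the hunk at -103), so any query in the lines between those two hunks that uses `$wanted_code`, `$title` or the other parameters — a code-uniqueness or directory check, for instance — would now receive the raw value; that stretch is not in the diff, so please verify it. The same applies to `update_course_request` (the hunk at -188). If the intent is "escape only at the sink", a short comment where the parameters are normalised, e.g. `// Values are escaped once, at the INSERT below.`, would make that contract explicit for the next change. The function body continues past the end of the hunk.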
@@ -103,10 +97,10 @@ class CourseRequestManager {
 "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s");',
 Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
- $code, $user_id, $directory, $db_name,
- $course_language, $title, $description, $category_code,
- $tutor_name, $visual_code, $request_date,
- $objetives, $target_audience, $status, $info, $exemplary_content);
+ Database::escape_string($code), Database::escape_string($user_id), Database::escape_string($directory), Database::escape_string($db_name),
+ Database::escape_string($course_language), Database::escape_string($title), Database::escape_string($description), Database::escape_string($category_code),
+ Database::escape_string($tutor_name), Database::escape_string($visual_code), Database::escape_string($request_date),
+ Database::escape_string($objetives), Database::escape_string($target_audience), Database::escape_string($status), Database::escape_string($info), Database::escape_string($exemplary_content));
 $result_sql = Database::query($sql);
 if (!$result_sql) {
@@ -188,13 +182,7 @@ class CourseRequestManager {
 public static function update_course_request($id, $wanted_code, $title, $description, $category_code, $course_language, $objetives, $target_audience, $user_id, $exemplary_content) {
 $id = (int)$id;
- $wanted_code = trim(Database::escape_string($wanted_code));
- $title = Database::escape_string($title);
- $description = Database::escape_string($description);
- $category_code = Database::escape_string($category_code);
- $course_language = Database::escape_string($course_language);
- $objetives = Database::escape_string($objetives);
- $target_audience = Database::escape_string($target_audience);
+ $wanted_code = trim($wanted_code);
 $user_id = (int)$user_id;
 $exemplary_content = (bool)$exemplary_content ? 1 : 0;
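Review bot: Wrapping each of the 16 positional arguments in `Database::escape_string()` inline makes the four `+` lines hard to audit against the 16 `"%s"` placeholders above them — one argument left unwrapped in a future edit would not stand out. Collecting the values in placeholder order into one array and escaping that array in a single `array_map()` keeps the escaping in one auditable place and leaves the argument list readable; the same applies to the UPDATE in the hunk at -258. Note that the whole construction still relies on string escaping into a `sprintf`-built statement rather than on bound parameters, which is a code-base-wide choice rather than something this commit introduces. The format string and the `sprintf()` call start above the hunk.
```php
// … unchanged: the INSERT format string, assigned to $format instead of passed straight to sprintf() …
$values = array($code, $user_id, $directory, $db_name,
    $course_language, $title, $description, $category_code,
    $tutor_name, $visual_code, $request_date,
    $objetives, $target_audience, $status, $info, $exemplary_content);
// Escape every value in one place so a missed argument cannot slip through.
$values = array_map(array('Database', 'escape_string'), $values);
$sql = vsprintf($format, array_merge(array(Database::get_main_table(TABLE_MAIN_COURSE_REQUEST)), $values));
// … unchanged: Database::query($sql) and the result check …
```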
@@ -258,10 +246,10 @@ class CourseRequestManager {
 tutor_name = "%s", visual_code = "%s", request_date = "%s", objetives = "%s", target_audience = "%s", status = "%s", info = "%s", exemplary_content = "%s" WHERE id = '.$id,
 Database::get_main_table(TABLE_MAIN_COURSE_REQUEST),
- $code, $user_id, $directory, $db_name,
- $course_language, $title, $description, $category_code,
- $tutor_name, $visual_code, $request_date,
- $objetives, $target_audience, $status, $info, $exemplary_content);
+ Database::escape_string($code), Database::escape_string($user_id), Database::escape_string($directory), Database::escape_string($db_name),
+ Database::escape_string($course_language), Database::escape_string($title), Database::escape_string($description), Database::escape_string($category_code),
+ Database::escape_string($tutor_name), Database::escape_string($visual_code), Database::escape_string($request_date),
+ Database::escape_string($objetives), Database::escape_string($target_audience), Database::escape_string($status), Database::escape_string($info), Database::escape_string($exemplary_content));
 $result_sql = Database::query($sql);
 return $result_sql !== false;