Added Security::remove_XSS

skala
Ricardo Rodriguez 16 years ago
parent 46eea0129c
commit a65b224e30
  1. 4
      main/forum/editpost.php
  2. 2
      main/forum/forumbody.inc.php
  3. 4
      main/forum/iframe_thread.php
  4. 25
      main/forum/index.php
  5. 6
      main/forum/newthread.php
  6. 20
      main/forum/reply.php
  7. 16
      main/forum/viewforum.php
  8. 8
      main/forum/viewforumcategory.php
  9. 6
      main/forum/viewthread_threaded.inc.php

@ -231,8 +231,8 @@ if ($origin!='learnpath') {
echo "<table class=\"data_table\" width='100%'>\n";
// the forum category
echo "\t<tr>\n\t\t<th align=\"left\" colspan=\"2\">";
echo '<a href="viewforum.php?&origin='.$origin.'&forum='.$current_forum['forum_id'].'" '.class_visible_invisible($current_forum['visibility']).'>'.prepare4display($current_forum['forum_title']).'</a><br />';
echo '<span class="forum_description">'.prepare4display($current_forum['forum_comment']).'</span>';echo "</th>\n";
echo '<a href="viewforum.php?&origin='.$origin.'&forum='.$current_forum['forum_id'].'" '.class_visible_invisible($current_forum['visibility']).'>'.prepare4display(Security::remove_XSS($current_forum['forum_title'])).'</a><br />';
echo '<span class="forum_description">'.prepare4display(Security::remove_XSS($current_forum['forum_comment'],STUDENT)).'</span>';echo "</th>\n";
echo "</th>\n";
echo "\t</tr>\n";
echo '</table>';
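Review bot: `$origin` is still concatenated raw into the `viewforum.php?&origin=` href on the line that now filters `forum_title`; if it comes from the request, as the `Security::remove_XSS($_GET['origin'])` call in viewthread_threaded.inc.php suggests, it needs the same care, and since it is a query-string value the right form is `'viewforum.php?&origin='.urlencode($origin).'&forum='`. The new side also closes the header cell twice (the `echo "</th>\n";` appended to the forum_description line is followed by a second `echo "</th>\n";`), which predates this commit but leaves malformed markup. The enclosing `if ($origin!='learnpath')` block starts before the hunk.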

@ -72,5 +72,5 @@ $output .= '
</tr>
</form>
</table>
</div>';
</div>';
echo $output;

@ -156,11 +156,11 @@ while ($row=Database::fetch_array($result)) {
echo $row['post_date'].'<br /><br />';
echo "</td>\n";
echo "\t\t<td class=\"forum_message_post_title\">".$row['post_title']."</td>\n";
echo "\t\t<td class=\"forum_message_post_title\">".Security::remove_XSS($row['post_title'])."</td>\n";
echo "\t</tr>\n";
echo "\t<tr>\n";
echo "\t\t<td class=\"forum_message_post_text\">".$row['post_text']."</td>\n";
echo "\t\t<td class=\"forum_message_post_text\">".Security::remove_XSS($row['post_text'],STUDENT)."</td>\n";
echo "\t</tr>\n";
}
echo "</table>";
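Review bot: `post_title` and `post_text` are echoed through `Security::remove_XSS` alone in this loop, whereas the other display sites in this commit (newthread.php, viewforum.php, viewthread_threaded.inc.php) wrap the filtered value in `prepare4display(...)`; if `prepare4display` is the intended output path, use it here too, `prepare4display(Security::remove_XSS($row['post_title']))`, or add a comment saying why the iframe view differs. `$row['post_date']` on the first line stays unfiltered — presumably a database timestamp, but worth confirming it is never user-supplied. The `while ($row=Database::fetch_array($result))` loop starts before the hunk.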

@ -232,7 +232,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
------------------------------------------------------------------------------------------------------
Display Forum Categories and the Forums in it
------------------------------------------------------------------------------------------------------
*/
*/
echo '<table class="data_table">'."\n";
// Step 3: we display the forum_categories first
if(is_array($forum_categories_list)) {
@ -242,16 +242,16 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
$session_img = api_get_session_image($forum_category['session_id'], $_user['status']);
if((!isset($_SESSION['id_session']) || $_SESSION['id_session']==0) && !empty($forum_category['session_name'])) {
$session_displayed = ' ('.$forum_category['session_name'].')';
$session_displayed = ' ('.Security::remove_XSS($forum_category['session_name']).')';
} else {
$session_displayed = '';
}
echo "\t<tr>\n\t\t<th style=\"padding-left:5px;\" align=\"left\" colspan=\"5\">";
echo '<a href="viewforumcategory.php?'.api_get_cidreq().'&forumcategory='.prepare4display($forum_category['cat_id']).'" '.class_visible_invisible(prepare4display($forum_category['visibility'])).'>'.prepare4display($forum_category['cat_title']).$session_displayed.'</a>'. $session_img .'<br />';
echo '<a href="viewforumcategory.php?'.api_get_cidreq().'&forumcategory='.prepare4display(Security::remove_XSS($forum_category['cat_id'])).'" '.class_visible_invisible(prepare4display($forum_category['visibility'])).'>'.prepare4display(Security::remove_XSS($forum_category['cat_title'])).$session_displayed.'</a>'. $session_img .'<br />';
if ($forum_category['cat_comment']<>'' AND trim($forum_category['cat_comment'])<>'&nbsp;') {
echo '<span class="forum_description">'.prepare4display($forum_category['cat_comment']).'</span>';
echo '<span class="forum_description">'.prepare4display(Security::remove_XSS($forum_category['cat_comment'],STUDENT)).'</span>';
}
echo "</th>\n";
@ -276,7 +276,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
echo "\t</tr>\n";
// the forums in this category
$forums_in_category=get_forums_in_category($forum_category['cat_id']);
$forums_in_category=get_forums_in_category($forum_category['cat_id']);
// step 5: we display all the forums in this category.
$forum_count=0;
@ -297,7 +297,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
// note: this can be speeded up if we transform the $forum_list to an array that uses the forum_category as the key.
if (prepare4display($forum['forum_category'])==prepare4display($forum_category['cat_id'])) {
// the forum has to be showed if
// the forum has to be showed if
// 1.v it is a not a group forum (teacher and student)
// 2.v it is a group forum and it is public (teacher and student)
// 3. it is a group forum and it is private (always for teachers only if the user is member of the forum
@ -345,8 +345,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
//echo '<hr>';
if ($show_forum) {
if ($show_forum) {
$form_count++;
$mywhatsnew_post_info=isset($whatsnew_post_info[$forum['forum_id']]) ? $whatsnew_post_info[$forum['forum_id']]: null;
echo "\t<tr class=\"forum\">\n";
@ -385,7 +384,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
}
echo "</td>\n";
//validacion when belongs to a session
$session_img = api_get_session_image($forum['session_id'], $_user['status']);
@ -404,8 +403,8 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
$session_displayed = '';
}
$forum['forum_of_group']==0?$groupid='':$groupid=$forum['forum_of_group'];
echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&gidReq=".Security::remove_XSS($groupid)."&forum=".prepare4display($forum['forum_id'])."\" ".class_visible_invisible(prepare4display($forum['visibility'])).">".prepare4display($forum['forum_title']).$session_displayed.'</a>'.$forum_title_group_addition.'<br />'.prepare4display($forum['forum_comment'])."</td>\n";
echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&gidReq=".Security::remove_XSS($groupid)."&forum=".prepare4display($forum['forum_id'])."\" ".class_visible_invisible(prepare4display($forum['visibility'])).">".prepare4display(Security::remove_XSS($forum['forum_title'])).$session_displayed.'</a>'.$forum_title_group_addition.'<br />'.prepare4display(Security::remove_XSS($forum['forum_comment'],STUDENT))."</td>\n";
//$number_forum_topics_and_posts=get_post_topics_of_forum($forum['forum_id']); // deprecated
// the number of topics and posts
$number_threads=isset($forum['number_of_threads']) ? $forum['number_of_threads'] : null;
@ -447,7 +446,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
}
echo "</td>\n";
echo "\t</tr>";
}
}
}
}
@ -455,7 +454,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte
echo "\t<tr><td>".get_lang('NoForumInThisCategory')."</td>".(api_is_allowed_to_edit(false,true)?'<td colspan="6"></td>':'<td colspan="6"></td>')."</tr>\n";
}
}
}
}
echo "</table>\n";
/*
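Review bot: `prepare4display(Security::remove_XSS($forum_category['cat_id']))` in the `forumcategory=` query parameter of the viewforumcategory.php link applies an HTML filter to a numeric identifier; a cast is the appropriate check for a value that is also handed to `get_forums_in_category` a few lines later, and it keeps the URL well-formed: `'&forumcategory='.(int) $forum_category['cat_id']`. Further down, `$groupid` is set by the statement-ternary `$forum['forum_of_group']==0?$groupid='':$groupid=$forum['forum_of_group'];` and then passed through `Security::remove_XSS` into `gidReq=`; `$groupid = $forum['forum_of_group'] == 0 ? '' : (int) $forum['forum_of_group'];` is both clearer and the right check for an id. On the `cat_title` line the `$session_img` HTML appended to the same anchor is not filtered — presumably `api_get_session_image` builds it from trusted data, but that is an assumption to confirm. These hunks are fragments of the category/forum listing inside the `if (isset($_GET['action'])...` structure that starts before the first hunk.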

@ -214,14 +214,14 @@ echo "<table class=\"data_table\" width='100%'>\n";
if ($origin != 'learnpath') {
echo "\t<tr>\n\t\t<th align=\"left\" colspan=\"2\">";
echo '<span class="forum_title">'.prepare4display($current_forum['forum_title']).'</span>';
echo '<span class="forum_title">'.prepare4display(Security::remove_XSS($current_forum['forum_title'])).'</span>';
if (!empty ($current_forum['forum_comment'])) {
echo '<br><span class="forum_description">'.prepare4display($current_forum['forum_comment']).'</span>';
echo '<br><span class="forum_description">'.prepare4display(Security::remove_XSS($current_forum['forum_comment'],STUDENT)).'</span>';
}
if (!empty ($current_forum_category['cat_title'])) {
echo '<br /><span class="forum_low_description">'.prepare4display($current_forum_category['cat_title'])."</span><br />";
echo '<br /><span class="forum_low_description">'.prepare4display(Security::remove_XSS($current_forum_category['cat_title']))."</span><br />";
}
echo "</th>\n";
echo "\t</tr>\n";
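Review bot: The `STUDENT` second argument on `Security::remove_XSS($current_forum['forum_comment'],STUDENT)` is undocumented at every call site in this commit, and titles are filtered without it; a one-line comment at this first use in the file stating which filtering profile `STUDENT` selects and why comment bodies get it while titles do not would spare the next reader a trip into the Security class. The nesting `prepare4display(Security::remove_XSS(...))` also deserves a comment or a check: if `prepare4display` itself encodes entities, the order of the two calls decides whether already-filtered markup gets re-encoded, and nothing on the page shows which it is. The `if ($origin != 'learnpath')` block continues past the hunk.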

@ -102,9 +102,9 @@ $htmlHeadXtra[] = '<script>
// we are getting all the information about the current forum and forum category.
// note pcool: I tried to use only one sql statement (and function) for this
// but the problem is that the visibility of the forum AND forum cateogory are stored in the item_property table
$current_thread=get_thread_information($_GET['thread']); // note: this has to be validated that it is an existing thread
$current_thread=get_thread_information(Security::remove_XSS($_GET['thread'])); // note: this has to be validated that it is an existing thread
$current_forum=get_forum_information($current_thread['forum_id']); // note: this has to be validated that it is an existing forum.
$current_forum_category=get_forumcategory_information($current_forum['forum_category']);
$current_forum_category=get_forumcategory_information(Security::remove_XSS($current_forum['forum_category']));
/*
-----------------------------------------------------------
@ -201,31 +201,31 @@ if ($origin != 'learnpath') {
-----------------------------------------------------------
Display Forum Category and the Forum information
-----------------------------------------------------------
*/
*/
echo "<table class=\"data_table\" width='100%'>\n";
// the forum category
echo "\t<tr>\n\t\t<th style=\"padding-left:5px;\" align=\"left\" colspan=\"2\">";
echo '<span class="forum_title">'.prepare4display($current_thread['thread_title']).'</span><br />';
echo '<span class="forum_title">'.prepare4display(Security::remove_XSS($current_thread['thread_title'])).'</span><br />';
if (!empty ($current_forum_category['cat_title'])) {
echo '<span class="forum_low_description">'.prepare4display($current_forum_category['cat_title'])." - </span>";
echo '<span class="forum_low_description">'.prepare4display(Security::remove_XSS($current_forum_category['cat_title']))." - </span>";
}
echo '<span class="forum_low_description">'.prepare4display($current_forum['forum_title']).'</span>';
//echo '<span class="forum_low_description">'.prepare4display(Security::remove_XSS($current_forum['forum_title'])).'</span>';
echo "</th>\n";
echo "\t</tr>\n";
echo '</table>';
// the form for the reply
$my_action = isset($_GET['action']) ? $_GET['action'] : '';
$my_post = isset($_GET['post']) ? $_GET['post'] : '';
$my_action = isset($_GET['action']) ? Security::remove_XSS($_GET['action']) : '';
$my_post = isset($_GET['post']) ? Security::remove_XSS($_GET['post']) : '';
$my_elements = isset($_SESSION['formelements']) ? $_SESSION['formelements'] : '';
$values=show_add_post_form($my_action,$my_post, $my_elements); // note: this has to be cleaned first
$values=show_add_post_form(Security::remove_XSS($my_action,$my_post, $my_elements)); // note: this has to be cleaned first
if (!empty($values) AND isset($_POST['SubmitPost'])) {
store_reply($values);
store_reply(Security::remove_XSS($values));
}
/*
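Review bot: `$values=show_add_post_form(Security::remove_XSS($my_action,$my_post, $my_elements));` closes the parenthesis in the wrong place: `remove_XSS` receives all three values and `show_add_post_form` gets a single argument, so the form no longer sees `$my_post` or `$my_elements`; `$my_action` and `$my_post` are already filtered two lines above, so the line should simply be `$values = show_add_post_form($my_action, $my_post, $my_elements);`. The forum title in the header table was commented out instead of changed (`//echo '<span class="forum_low_description">'.prepare4display(Security::remove_XSS($current_forum['forum_title'])).'</span>';`), so the title is no longer shown at all, which looks unintended. `get_thread_information(Security::remove_XSS($_GET['thread']))` runs an HTML filter over an identifier that the trailing comment says still needs validating; a cast does that, `get_thread_information((int) $_GET['thread'])`, and the same applies to `forum_category` on the following line. `store_reply(Security::remove_XSS($values))` passes whatever `show_add_post_form` returns, apparently the submitted form values and likely an array, through a function this commit otherwise uses on strings — confirm it handles arrays, and note that filtering at store time on top of the per-display filtering added here may alter what is stored.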

@ -149,13 +149,13 @@ if (!empty($_SESSION['toolgroup'])) {
$interbreadcrumb[] = array ("url"=>"../group/group_space.php?gidReq=".$_SESSION['toolgroup'], "name"=> get_lang('GroupSpace').' ('.$group_properties['name'].')');
//$interbreadcrumb[]=array("url" => "index.php?search=".Security::remove_XSS($my_search),"name" => $nameTools);
//$interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id']."&amp;search=".Security::remove_XSS(urlencode($my_search)),"name" => prepare4display($current_forum_category['cat_title']));
$interbreadcrumb[]=array("url" => "#","name" => prepare4display($current_forum['forum_title']));
$interbreadcrumb[]=array("url" => "#","name" => prepare4display(Security::remove_XSS($current_forum['forum_title'])));
//viewforum.php?forum=".Security::remove_XSS($my_forum)."&amp;origin=".$origin."&amp;gidReq=".$_SESSION['toolgroup']."&amp;search=".Security::remove_XSS(urlencode($my_search)),
} else {
$interbreadcrumb[]=array("url" => "index.php?gradebook=$gradebook&search=".Security::remove_XSS($my_search),"name" => $nameTools);
$interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id']."&amp;search=".Security::remove_XSS(urlencode($my_search)),"name" => prepare4display($current_forum_category['cat_title']));
$interbreadcrumb[]=array("url" => "#","name" => prepare4display($current_forum['forum_title']));
$interbreadcrumb[]=array("url" => "viewforumcategory.php?forumcategory=".$current_forum_category['cat_id']."&amp;search=".Security::remove_XSS(urlencode($my_search)),"name" => prepare4display(Security::remove_XSS($current_forum_category['cat_title'])));
$interbreadcrumb[]=array("url" => "#","name" => prepare4display(Security::remove_XSS($current_forum['forum_title'])));
//viewforum.php?forum=".Security::remove_XSS($my_forum)."&amp;origin=".$origin."&amp;search=".Security::remove_XSS(urlencode($my_search))
}
@ -218,7 +218,7 @@ if ($my_action == 'liststd' AND isset($_GET['content']) AND isset($_GET['id']) A
}
$table_list = '<p><br /><h3>'.get_lang('ThreadUsersList').'&nbsp;:'.get_name_thread_by_id($_GET['id']).'</h3>';
if ($nrorow3>0 || $nrorow3==-2) {
$url = 'cidReq='.Security::remove_XSS($_GET['cidReq']).'&forum='.Security::remove_XSS($my_forum).'&action='.Security::remove_XSS($_GET['action']).'&content='.Security::remove_XSS($_GET['content']).'&id='.Security::remove_XSS($_GET['id']);
$url = 'cidReq='.Security::remove_XSS($_GET['cidReq']).'&forum='.Security::remove_XSS($my_forum).'&action='.Security::remove_XSS($_GET['action']).'&content='.Security::remove_XSS($_GET['content'],STUDENT).'&id='.Security::remove_XSS($_GET['id']);
$table_list.= '<br />
<div style="width:50%">
<table class="data_table" border="0">
@ -349,14 +349,14 @@ echo "<table class=\"data_table\" >\n";
// the current forum
if ($origin != 'learnpath') {
echo "\t<tr>\n\t\t<th align=\"left\" colspan=\"7\">";
echo '<span class="forum_title">'.prepare4display($current_forum['forum_title']).'</span>';
echo '<span class="forum_title">'.prepare4display(Security::remove_XSS($current_forum['forum_title'])).'</span>';
if (!empty ($current_forum['forum_comment'])) {
echo '<br><span class="forum_description">'.prepare4display($current_forum['forum_comment']).'</span>';
echo '<br><span class="forum_description">'.prepare4display(Security::remove_XSS($current_forum['forum_comment'],STUDENT)).'</span>';
}
if (!empty ($current_forum_category['cat_title'])) {
echo '<br /><span class="forum_low_description">'.prepare4display($current_forum_category['cat_title'])."</span><br />";
echo '<br /><span class="forum_low_description">'.prepare4display(Security::remove_XSS($current_forum_category['cat_title']))."</span><br />";
}
echo "</th>\n";
echo "\t</tr>\n";
@ -405,7 +405,7 @@ if(is_array($threads)) {
}
echo "</td>\n";
echo "\t\t<td>";
echo "<a href=\"viewthread.php?".api_get_cidreq()."&gradebook=".Security::remove_XSS($_GET['gradebook'])."&forum=".Security::remove_XSS($my_forum)."&amp;origin=".$origin."&amp;thread=".$row['thread_id'].$origin_string."&amp;search=".Security::remove_XSS(urlencode($my_search))."\" ".class_visible_invisible($row['visibility']).">".prepare4display($row['thread_title'])."</a></td>\n";
echo "<a href=\"viewthread.php?".api_get_cidreq()."&gradebook=".Security::remove_XSS($_GET['gradebook'])."&forum=".Security::remove_XSS($my_forum)."&amp;origin=".$origin."&amp;thread=".$row['thread_id'].$origin_string."&amp;search=".Security::remove_XSS(urlencode($my_search))."\" ".class_visible_invisible($row['visibility']).">".prepare4display(Security::remove_XSS($row['thread_title']))."</a></td>\n";
echo "\t\t<td>".$row['thread_replies']."</td>\n";
if ($row['user_id']=='0') {
$name=prepare4display($row['thread_poster_name']);
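Review bot: `get_lang('ThreadUsersList').'&nbsp;:'.get_name_thread_by_id($_GET['id']).'</h3>'` in the liststd branch writes the thread name into the heading unfiltered, while the same title is filtered in the thread list below (`prepare4display(Security::remove_XSS($row['thread_title']))`); this line should match, and the raw `$_GET['id']` it looks up should be cast: `prepare4display(Security::remove_XSS(get_name_thread_by_id((int) $_GET['id'])))`. In the breadcrumb hunk, `$group_properties['name']` in the GroupSpace entry stays unfiltered while `forum_title` next to it is now filtered — presumably group names are user-entered, so they deserve the same treatment. In the `else` branch, `"index.php?gradebook=$gradebook&search=".Security::remove_XSS($my_search)` omits the `urlencode` that the viewforumcategory.php line right after it applies to `$my_search`, so a search term containing `&` or `#` breaks that link. The `if (!empty($_SESSION['toolgroup']))` block starts before the first hunk.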

@ -238,8 +238,8 @@ if ($action_forums!='add') {
$my_session=isset($_SESSION['id_session']) ? $_SESSION['id_session'] : null;
$forum_categories_list='';
echo "\t<tr>\n\t\t<th align=\"left\" ".(api_is_allowed_to_edit(null,true)?"colspan='5'":"colspan='6'").">";
echo '<span class="forum_title">'.prepare4display($forum_category['cat_title']).'</span><br />';
echo '<span class="forum_description">'.prepare4display($forum_category['cat_comment']).'</span>';
echo '<span class="forum_title">'.prepare4display(Security::remove_XSS($forum_category['cat_title'])).'</span><br />';
echo '<span class="forum_description">'.prepare4display(Security::remove_XSS($forum_category['cat_comment'],STUDENT)).'</span>';
echo "</th>\n";
if (api_is_allowed_to_edit(false,true) && !($forum_category['session_id']==0 && intval($my_session)!=0)) {
echo '<th style="vertical-align: top;" align="center" >';
@ -351,7 +351,7 @@ if ($action_forums!='add') {
} else {
$session_displayed = '';
}
echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&forum=".$forum['forum_id']."&amp;origin=".$origin."&amp;search=".Security::remove_XSS(urlencode(isset($_GET['search'])?$_GET['search']:''))."\" ".class_visible_invisible($forum['visibility']).">".prepare4display($forum['forum_title']).$session_displayed.'</a>'.$forum_title_group_addition.'<br />'.prepare4display($forum['forum_comment'])."</td>\n";
echo "\t\t<td><a href=\"viewforum.php?".api_get_cidreq()."&forum=".$forum['forum_id']."&amp;origin=".$origin."&amp;search=".Security::remove_XSS(urlencode(isset($_GET['search'])?$_GET['search']:''))."\" ".class_visible_invisible($forum['visibility']).">".prepare4display(Security::remove_XSS($forum['forum_title'])).$session_displayed.'</a>'.$forum_title_group_addition.'<br />'.prepare4display(Security::remove_XSS($forum['forum_comment'],STUDENT))."</td>\n";
//$number_forum_topics_and_posts=get_post_topics_of_forum($forum['forum_id']); // deprecated
// the number of topics and posts
@ -373,6 +373,7 @@ if ($action_forums!='add') {
}
echo "</td>\n";
echo "\t\t<td NOWRAP align='center'>";
if (api_is_allowed_to_edit(false,true) && !($forum['session_id']==0 && intval(isset($_SESSION['id_session'])?$_SESSION['id_session']:null)!=0)) {
echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=edit&amp;content=forum&amp;id=".$forum['forum_id']."\">".icon('../img/edit.gif',get_lang('Edit'))."</a>";
echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&forumcategory=".Security::remove_XSS($_GET['forumcategory'])."&amp;action=delete&amp;content=forum&amp;id=".$forum['forum_id']."\" onclick=\"javascript:if(!confirm('".addslashes(api_htmlentities(get_lang("DeleteForum"),ENT_QUOTES,$charset))."')) return false;\">".icon('../img/delete.gif',get_lang('Delete'))."</a>";
@ -380,6 +381,7 @@ if ($action_forums!='add') {
display_lock_unlock_icon('forum',$forum['forum_id'], $forum['locked'], array("forumcategory"=>$_GET['forumcategory']));
display_up_down_icon('forum',$forum['forum_id'], $forums_in_category);
}
$iconnotify = 'send_mail.gif';
if (is_array(isset($_SESSION['forum_notification']['forum'])?$_SESSION['forum_notification']['forum']:null)) {
if (in_array($forum['forum_id'],$_SESSION['forum_notification']['forum'])) {
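Review bot: `$_GET['forumcategory']` is passed through `Security::remove_XSS` in the edit and delete links but handed raw to `display_lock_unlock_icon('forum', ..., array("forumcategory"=>$_GET['forumcategory']))` a few lines later; since it is an identifier, cast it once near the top of the script, `$forum_category_id = (int) $_GET['forumcategory'];`, and use that in all three places rather than filtering per call site. On the viewforum.php link, `$origin` is still concatenated raw into `&amp;origin=` while `forum_title` and `forum_comment` on the same line are now filtered; if it originates from the request it needs `urlencode($origin)` at least. The `in_array($forum['forum_id'],$_SESSION['forum_notification']['forum'])` call at the end of the last hunk should pass `true` as its third argument, otherwise loose comparison can match unrelated entries. The `if ($action_forums!='add')` block starts before the first hunk and continues past the last.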

@ -303,7 +303,7 @@ if ($rows[$display_post_id]['post_notification']=='1' AND $rows[$display_post_id
$post_image.=icon('../img/forumnotification.gif',get_lang('YouWillBeNotified'));
}
// The post title
echo "\t\t<td class=\"$titleclass\">".prepare4display($rows[$display_post_id]['post_title'])."</td>\n";
echo "\t\t<td class=\"$titleclass\">".prepare4display(Security::remove_XSS($rows[$display_post_id]['post_title']))."</td>\n";
echo "\t</tr>\n";
// The post message
@ -311,7 +311,7 @@ echo "\t</tr>\n";
$rows[$display_post_id]['post_text']= Security::remove_XSS($rows[$display_post_id]['post_text']);
echo "\t<tr>\n";
echo "\t\t<td class=\"$messageclass\">".prepare4display($rows[$display_post_id]['post_text'])."</td>\n";
echo "\t\t<td class=\"$messageclass\">".prepare4display(Security::remove_XSS($rows[$display_post_id]['post_text']))."</td>\n";
echo "\t</tr>\n";
// The check if there is an attachment
@ -327,7 +327,7 @@ if (!empty($attachment_list))
echo '<a href="download.php?file=';
echo $realname;
echo ' "> '.$user_filename.' </a>';
echo '<span class="forum_attach_comment" >'.$attachment_list['comment'].'</span>';
echo '<span class="forum_attach_comment" >'.Security::remove_XSS($attachment_list['comment'],STUDENT).'</span>';
if (($current_forum['allow_edit']==1 AND $rows[$display_post_id]['user_id']==$_user['user_id']) or (api_is_allowed_to_edit(false,true) && !(api_is_course_coach() && $current_forum['session_id']!=$_SESSION['id_session']))) {
echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
}
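Review bot: `$user_filename` in the download link text and `$realname` in its href stay unfiltered on the new side while the attachment comment next to them is now filtered; if `$user_filename` is the uploader-chosen name, as the name suggests, it needs the same treatment, and the href value should be URL-encoded: `echo '<a href="download.php?file='.urlencode($realname).'"> '.prepare4display(Security::remove_XSS($user_filename)).' </a>';`. The existing `echo ' "> '` also leaves a space inside the quoted href value, so the attribute ends with a trailing blank. In the post message hunk, `$rows[$display_post_id]['post_text']` is assigned `Security::remove_XSS(...)` on the first context line and then filtered again inside `prepare4display(Security::remove_XSS(...))` two lines later, so the text is filtered twice; drop one, presumably the assignment, and decide whether it should use the `STUDENT` level that iframe_thread.php applies to `post_text` in this same commit. The `if (!empty($attachment_list))` block continues past the hunk.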
