Addinf Security::filter_terms when showing content in social, messages or forums see BT#2685

Julio Montoya 15 years ago
parent 63c6efc5ba
commit ae9f7e18e7
  1. 4
      main/inc/lib/group_portal_manager.lib.php
  2. 53
      main/inc/lib/message.lib.php
  3. 4
      main/inc/lib/notification.lib.php
  4. 2
      main/inc/lib/security.lib.php
  5. 5
      main/inc/lib/social.lib.php
  6. 3
      main/install/db_main.sql
  7. 2
      main/messages/new_message.php
  8. 1
      main/messages/send_message.php
  9. 4
      main/social/group_topics.php
  10. 9
      main/social/groups.php
  11. 10
      main/social/invitations.php
  12. 12
      main/social/message_for_group_form.inc.php
  13. 3
      main/social/profile.php
  14. 16
      main/social/search.php

@ -144,7 +144,7 @@ class GroupPortalManager {
$sql = "SELECT id, name, description, picture_uri, url, visibility FROM $table WHERE id = $group_id ";
$res = Database::query($sql);
$item = array();
if (Database::num_rows($res)>0) {
if (Database::num_rows($res)>0) {
$item = Database::fetch_array($res,'ASSOC');
}
return $item;
@ -960,7 +960,7 @@ class GroupPortalManager {
//echo '<div align="center" class="social-menu-title"><span class="social-menu-text1">'.cut($group_info['name'], GROUP_TITLE_LENGTH, true).'</span></div>';
//echo Display::div(get_lang('Actions') ,array('class' => 'social_menu_option'));
echo '<ul class="social-menu-groups">';
echo Display::tag('li', $group_info['description'], array('class'=>'group_description'));
echo Display::tag('li', Security::remove_XSS($group_info['description'], STUDENT, true), array('class'=>'group_description'));
echo $links;
echo '</ul>';
}
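Review bot: The group description on the new `Display::tag('li', ...)` line is sanitized with `Security::remove_XSS`, but it is never passed through `Security::filter_terms`, although this commit introduces that filter for content being shown; in this diff `filter_terms` only reaches outgoing mail and the reply prefill, so a banned term is masked in the notification e-mail yet displayed verbatim on the group page. If the `filter_terms` setting is meant to cover displayed content, apply it here too: `Display::tag('li', Security::filter_terms(Security::remove_XSS($group_info['description'], STUDENT, true)), array('class'=>'group_description'))`. The method containing this hunk starts outside it. Separately, the unchanged query in the first hunk interpolates `$group_id` into the SQL without quoting or coercion, so every caller of `get_group_data` has to `intval()` it first; a `$group_id = intval($group_id);` at the top of that method would make it self-contained.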

@ -159,7 +159,7 @@ class MessageManager
} else {
$message[0] = ($result[0]);
}
$result[2] = Security::remove_XSS($result[2]);
$result[2] = Security::remove_XSS($result[2], STUDENT, true);
$result[2] = cut($result[2], 80,true);
if ($request===true) {
@ -708,7 +708,7 @@ class MessageManager
public static function show_message_box($message_id, $source = 'inbox') {
$table_message = Database::get_main_table(TABLE_MESSAGE);
$tbl_message_attach = Database::get_main_table(TABLE_MESSAGE_ATTACHMENT);
$message_id = intval($message_id);
$message_id = intval($message_id);
if ($source == 'outbox') {
if (isset($message_id) && is_numeric($message_id)) {
@ -726,8 +726,8 @@ class MessageManager
}
$path='inbox.php';
}
$row = Database::fetch_array($result);
$row = Database::fetch_array($result, 'ASSOC');
$user_sender_id = $row['user_sender_id'];
// get file attachments by message id
$files_attachments = self::get_links_message_attachment_files($message_id,$source);
@ -736,14 +736,15 @@ class MessageManager
$band=0;
$reply='';
for ($i=0;$i<count($user_con);$i++)
if ($row[1]==$user_con[$i])
if ($user_sender_id == $user_con[$i])
$band=1;
$row[5] = Security::remove_XSS($row[5]);
$title = Security::remove_XSS($row['title'], STUDENT, true);
$content = Security::remove_XSS($row['content'], STUDENT, true);
$from_user = UserManager::get_user_info_by_id($row[1]);
$name = api_get_person_name($from_user['firstname'], $from_user['lastname']);
$user_image = UserManager::get_picture_user($row[1], $from_user['picture_uri'],80);
$from_user = UserManager::get_user_info_by_id($user_sender_id);
$name = api_get_person_name($from_user['firstname'], $from_user['lastname']);
$user_image = UserManager::get_picture_user($row['user_sender_id'], $from_user['picture_uri'],80);
$user_image = Display::img($user_image['file'], $name, array('title'=>$name));
$message_content = '<table>
@ -753,7 +754,7 @@ class MessageManager
<table>
<tr>
<td valign="top" width="100%">
<h1>'.str_replace("\\","",$row[5]).'</h1>
<h1>'.str_replace("\\","",$title).'</h1>
</td>';
if (api_get_setting('allow_social_tool') == 'true') {
$message_content .='<td width="100%">'.$user_image.'</td>';
@ -762,20 +763,20 @@ class MessageManager
$message_content .='<tr>';
if (api_get_setting('allow_social_tool') == 'true') {
if ($source == 'outbox') {
$message_content .='<td>'.get_lang('From').' <a href="'.api_get_path(WEB_PATH).'main/social/profile.php?u='.$row[1].'">'.$name.'</a> '.api_strtolower(get_lang('To')).'&nbsp;<b>'.GetFullUserName($row[2]).'</b> </td>';
$message_content .='<td>'.get_lang('From').': <a href="'.api_get_path(WEB_PATH).'main/social/profile.php?u='.$user_sender_id.'">'.$name.'</a> '.api_strtolower(get_lang('To')).'&nbsp;<b>'.GetFullUserName($row[2]).'</b> </td>';
} else {
$message_content .='<td>'.get_lang('From').' <a href="'.api_get_path(WEB_PATH).'main/social/profile.php?u='.$row[1].'">'.$name.'</a> '.api_strtolower(get_lang('To')).'&nbsp;<b>'.get_lang('Me').'</b> </td>';
$message_content .='<td>'.get_lang('From').' <a href="'.api_get_path(WEB_PATH).'main/social/profile.php?u='.$user_sender_id.'">'.$name.'</a> '.api_strtolower(get_lang('To')).'&nbsp;<b>'.get_lang('Me').'</b> </td>';
}
} else {
if ($source == 'outbox') {
$message_content .='<td>'.get_lang('From').'&nbsp;'.$name.'</b> '.api_strtolower(get_lang('To')).' <b>'.GetFullUserName($row[2]).'</b> </td>';
$message_content .='<td>'.get_lang('From').':&nbsp;'.$name.'</b> '.api_strtolower(get_lang('To')).' <b>'.GetFullUserName($row['user_receiver_id']).'</b> </td>';
} else {
$message_content .='<td>'.get_lang('From').'&nbsp;'.$name.'</b> '.api_strtolower(get_lang('To')).' <b>'.get_lang('Me').'</b> </td>';
$message_content .='<td>'.get_lang('From').':&nbsp;'.$name.'</b> '.api_strtolower(get_lang('To')).' <b>'.get_lang('Me').'</b> </td>';
}
}
$message_content .='</tr>
<tr>
<td>'.get_lang('Date').'&nbsp; '.$row[4].'</td>
<td>'.get_lang('Date').': '.api_get_local_time($row['send_date']).'</td>
</tr>
</tr>
</table>
@ -783,7 +784,7 @@ class MessageManager
<hr style="color:#ddd" />
<table height="209px" width="100%">
<tr>
<td valign=top class="view-message-content">'.str_replace("\\","",$row['content']).'</td>
<td valign=top class="view-message-content">'.str_replace("\\","",$content).'</td>
</tr>
</table>
<div id="message-attach">'.(!empty($files_attachments)?implode('<br />',$files_attachments):'').'</div>
@ -956,7 +957,7 @@ class MessageManager
if (empty($topic['title'])) {
$topic['title'] = get_lang('Untitled');
}
$title = Display::url('<h3>'.Security::remove_XSS($topic['title']).'</h3>', 'group_topics.php?id='.$group_id.'&topic_id='.$topic['id']);
$title = Display::url('<h3>'.Security::remove_XSS($topic['title'], STUDENT, true).'</h3>', 'group_topics.php?id='.$group_id.'&topic_id='.$topic['id']);
$date = '';
$link = '';
@ -974,7 +975,7 @@ class MessageManager
$user_info .= '<div class="message-group-author"><img src="'.$image_repository.$existing_image.'" alt="'.$name.'" width="32" height="32" title="'.$name.'" /></div>';
$user_info .= '<div class="message-group-author">'.$user.'</div></td>';
//$date.
$html .= Display::div($title.cut($topic['content'], 150).$user_info, array('class'=>'group_discussions_info')).'</td></table>';
$html .= Display::div($title.Security::remove_XSS(cut($topic['content'], 150), STUDENT, true).$user_info, array('class'=>'group_discussions_info')).'</td></table>';
$html .= '</div>'; //rounded_div
@ -994,11 +995,10 @@ class MessageManager
public static function display_message_for_group($group_id, $message_id, $is_member) {
global $my_group_role;
$main_message = self::get_message_by_id($message_id);
$group_info = GroupPortalManager::get_group_data($group_id);
$rows = self::get_messages_by_group_by_message($group_id, $message_id);
$rows = self::calculate_children($rows, $message_id);
$main_message = self::get_message_by_id($message_id);
$group_info = GroupPortalManager::get_group_data($group_id);
$rows = self::get_messages_by_group_by_message($group_id, $message_id);
$rows = self::calculate_children($rows, $message_id);
$current_user_id = api_get_user_id();
@ -1019,7 +1019,7 @@ class MessageManager
//$items_page_nr = intval($_GET['items_'.$topic['id'].'_page_nr']);
$items_page_nr = null;
echo Display::tag('h2', $main_message['title']);
echo Display::tag('h2', Security::remove_XSS($main_message['title'], STUDENT, true));
$user_sender_info = UserManager::get_user_info_by_id($main_message['user_sender_id']);
$files_attachments = self::get_links_message_attachment_files($main_message['id']);
$name = api_get_person_name($user_sender_info['firstname'], $user_sender_info['lastname']);
@ -1048,7 +1048,8 @@ class MessageManager
$date = '<div class="message-group-date"> '.get_lang('Created').' '.date_to_str_ago($main_message['send_date']).'</div>';
}
$attachment = '<div class="message-attach">'.(!empty($files_attachments)?implode('<br />',$files_attachments):'').'</div>';
$main_content.= '<div class="message-group-content">'.$links.$user_link.' '.$date.$main_message['content'].$attachment.'</div>';
$main_content.= '<div class="message-group-content">'.$links.$user_link.' '.$date.$main_message['content'].$attachment.'</div>';
$main_content = Security::remove_XSS($main_content, STUDENT, true);
$html = '';
@ -1094,7 +1095,7 @@ class MessageManager
$date = '<div class="message-group-date"> '.get_lang('Created').' '.date_to_str_ago($topic['send_date']).'</div>';
}
$attachment = '<div class="message-attach">'.(!empty($files_attachments)?implode('<br />',$files_attachments):'').'</div>';
$html_items.= '<div class="message-group-content">'.$links.$user_link.' '.$date.$topic['content'].$attachment.'</div>';
$html_items.= '<div class="message-group-content">'.$links.$user_link.' '.$date.Security::remove_XSS($topic['content'], STUDENT, true).$attachment.'</div>';
$base_padding = 20;
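Review bot: In `show_message_box` the row is now fetched with `Database::fetch_array($result, 'ASSOC')`, yet the outbox branch under `allow_social_tool` still reads `GetFullUserName($row[2])`; assuming `'ASSOC'` yields associative keys only (which the other renamed lookups in this hunk rely on), `$row[2]` is undefined there and the "To" name is lost — it should be `GetFullUserName($row['user_receiver_id'])` as the sibling branch a few lines below already does. Also, `$title` goes through `remove_XSS` and only then through `str_replace("\\","",$title)` before being echoed; do the backslash stripping first so the sanitizer sees exactly the string that is output. In `display_message_for_group` the fully assembled `$main_content` (links, user link, date and attachment markup) is fed to `remove_XSS`, whereas the reply loop sanitizes only `$topic['content']`; sanitize `$main_message['content']` alone for consistency, so server-generated markup is not altered by the filter. Finally, the first hunk calls `cut($result[2], 80, true)` after `remove_XSS`, which can split a tag that the sanitizer allowed in the 80-character preview; cut first and sanitize last, as the topic-list hunk does with `Security::remove_XSS(cut($topic['content'], 150), STUDENT, true)`.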

@ -66,7 +66,7 @@ class Notification extends Model {
foreach($notifications as $item_to_send) {
//Sending email
api_mail_html($item_to_send['dest_mail'], $item_to_send['dest_mail'], $item_to_send['title'], $item_to_send['content'], $this->admin_name, $this->admin_email);
api_mail_html($item_to_send['dest_mail'], $item_to_send['dest_mail'], Security::filter_terms($item_to_send['title']), Security::filter_terms($item_to_send['content']), $this->admin_name, $this->admin_email);
if ($this->debug) { error_log('Sending message to: '.$item_to_send['dest_mail']); }
//Updating
@ -128,7 +128,7 @@ class Notification extends Model {
case NOTIFY_GROUP_AT_ONCE:
if (!empty($user_info['mail'])) {
$name = api_get_person_name($user_info['firstname'], $user_info['lastname']);
api_mail_html($name, $user_info['mail'], $title, $content, $this->admin_name, $this->admin_email);
api_mail_html($name, $user_info['mail'], Security::filter_terms($title), Security::filter_terms($content), $this->admin_name, $this->admin_email);
}
$params['sent_at'] = api_get_utc_datetime();
//Saving the notification to be sent some day
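Review bot: `Security::filter_terms` is applied to the raw HTML body handed to `api_mail_html`, and the `security.lib.php` hunk shows it is a plain `str_ireplace`, so a banned term that happens to occur inside a tag name, attribute value or URL is replaced by `***` and can break the mail's markup or links. Consider masking before the HTML body is assembled, or restricting the replacement to text nodes (for example a `preg_replace_callback` that skips anything between `<` and `>`). Both call sites filter at send time only; if the queued copy built from `$params` stores the unfiltered text, that seems intentional but deserves a comment such as `// banned terms are masked at send time; the stored copy is unfiltered`.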

@ -343,7 +343,7 @@ class Security {
$replace = '***';
if (!empty($bad_terms)) {
//Fast way
$new_text = str_replace($bad_terms, $replace, $text, $count);
$new_text = str_ireplace($bad_terms, $replace, $text, $count);
//We need statistics
/*
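Review bot: Switching to `str_ireplace` makes the match case-insensitive, but it is still a plain substring match, so a term such as `ass` masks `class` or `assignment`, and `str_ireplace` is not multibyte-aware, so case folding fails for non-ASCII terms. A word-boundary regex built from the list handles both: `$pattern = '/(*UCP)\b(?:'.implode('|', array_map(function ($t) { return preg_quote($t, '/'); }, $bad_terms)).')\b/iu';` followed by `$new_text = preg_replace($pattern, $replace, $text, -1, $count);`. The setting is a textarea (see the `db_main.sql` hunk), so empty entries from a trailing newline should be dropped with `array_filter(array_map('trim', $bad_terms))` before building either form. The enclosing `filter_terms` function starts and ends outside this hunk.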

@ -634,10 +634,7 @@ class SocialManager extends UserManager {
echo '<span>'.get_lang('Optoi').'</span>';
echo '</div>';*/
echo '<div class="social_menu_items"><ul>';
echo '<div class="social_menu_items"><ul>';
echo '<li><a href="'.api_get_path(WEB_PATH).'main/social/home.php">'.Display::return_icon('home.png',get_lang('Home'),array('hspace'=>'6')).'<span class="'.($show=='home'?'social-menu-text-active':'social-menu-text4').'" >'.get_lang('Home').'</span></a></li>';
echo '<li><a href="'.api_get_path(WEB_PATH).'main/messages/inbox.php?f=social">'.Display::return_icon('instant_message.png',get_lang('Messages'),array('hspace'=>'6')).'<span class="'.($show=='messages'?'social-menu-text-active':'social-menu-text4').'" >'.get_lang('Messages').$count_unread_message.'</span></a></li>';

@ -822,7 +822,8 @@ VALUES
('hide_courses_in_sessions',NULL,'radio', 'Platform','false','HideCoursesInSessionsTitle', 'HideCoursesInSessionsComment','platform',NULL, 1),
('enable_quiz_scenario', NULL,'radio','Course','false','EnableQuizScenarioTitle','EnableQuizScenarioComment',NULL,NULL, 1),
('enable_nanogong',NULL,'radio','Tools','false','EnableNanogongTitle','EnableNanogongComment',NULL,NULL, 0),
('chamilo_database_version',NULL,'textfield',NULL, '1.8.8.14911','DokeosDatabaseVersion','', NULL, NULL, 0);
('filter_terms',NULL,'textarea','Security','','FilterTermsTitle','FilterTermsComment',NULL,NULL, 0),
('chamilo_database_version',NULL,'textfield',NULL, '1.9.0.15605','DokeosDatabaseVersion','', NULL, NULL, 0);
UNLOCK TABLES;
/*!40000 ALTER TABLE settings_current ENABLE KEYS */;
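Review bot: The `filter_terms` setting is added to the fresh-install schema only; no upgrade or migration script appears in this commit's file list, so installations upgrading in place will have no `filter_terms` row and `Security::filter_terms` will silently do nothing there. Add the same `INSERT` row to the migration for the version string bumped in this hunk (`1.9.0.15605`). The row's last column is `0` (presumably the access-URL-changeable flag), which would make the term list global in multi-URL setups; if that is intended, say so in `FilterTermsComment`.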

@ -223,7 +223,7 @@ function manage_form ($default, $select_from_user_list = null) {
//adding reply mail
$user_reply_info = UserManager::get_user_info_by_id($message_reply_info['user_sender_id']);
$default['content'] = '<br />'.sprintf(get_lang('XWroteY'), api_get_person_name($user_reply_info['firstname'], $user_reply_info['lastname']), $message_reply_info['content']);
$default['content'] = '<br />'.sprintf(get_lang('XWroteY'), api_get_person_name($user_reply_info['firstname'], $user_reply_info['lastname']), Security::filter_terms($message_reply_info['content']));
}
if (empty($group_id)) {
$form->addElement('html','<div class="row"><div class="label">'.get_lang('FilesAttachment').'</div><div class="formw">
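Review bot: The reply prefill now masks banned terms in `$message_reply_info['content']`, but that content — written by another user — is loaded into the current user's form default without `remove_XSS`, unlike every display path touched elsewhere in this commit. Whatever markup survived on the way in is re-emitted as the editor's initial value and then resubmitted under the replier's name; sanitize first: `Security::filter_terms(Security::remove_XSS($message_reply_info['content'], STUDENT, true))`. The `manage_form` function starts and ends outside this hunk.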

@ -21,6 +21,7 @@ $content_message = $_POST['txt_content'];
$subject_message = $_POST['txt_subject'];
$user_info = array();
$user_info = api_get_user_info($user_id);

@ -132,8 +132,8 @@ echo '<div id="social-content">';
//this include the social menu div
SocialManager::show_social_menu('member_list', $group_id);
echo '</div>';
echo '<div id="social-content-right">';
echo '<h1><a href="groups.php?id='.$group_id.'">'.$group_info['name'].'</a> &raquo; '.get_lang('Messages').'</h1>';
echo '<div id="social-content-right">';
echo '<h1><a href="groups.php?id='.$group_id.'">'.Security::remove_XSS($group_info['name'], STUDENT, true).'</a> &raquo; '.get_lang('Messages').'</h1>';
if (!empty($show_message)){
Display::display_confirmation_message($show_message);
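Review bot: The group name rendered inside the `<h1><a>` is a plain-text field, so an HTML escaper fits better than `Security::remove_XSS`, which is a sanitizer that still lets whatever tags it permits render as markup inside the heading and link text. Use `htmlspecialchars($group_info['name'], ENT_QUOTES, 'UTF-8')` (or the project's equivalent helper) for `name`, and keep `remove_XSS` for rich-text fields such as the description. The same `<h1>` pattern appears in `groups.php` and should be treated identically.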

@ -219,7 +219,7 @@ if ($group_id != 0 ) {
echo '<div class="head_group">';
echo '<div id="social-group-details">';
//Group's title
echo '<h1><a href="groups.php?id='.$group_id.'">'.$group_info['name'].'</a></h1>';
echo '<h1><a href="groups.php?id='.$group_id.'">'.Security::remove_XSS($group_info['name'], STUDENT, true).'</a></h1>';
//echo '<div class="social-group-details-info"><a target="_blank" href="'.$group_info['url'].'">'.$group_info['url'].'</a></div>';
@ -329,6 +329,8 @@ if ($group_id != 0 ) {
if (is_array($results) && count($results) > 0) {
foreach ($results as $result) {
$id = $result['id'];
$result['name'] = Security::remove_XSS($result['name'], STUDENT, true);
$result['description'] = Security::remove_XSS($result['description'], STUDENT, true);
$my_group_list[] = $id;
$url_open = '<a href="groups.php?id='.$id.'">';
$url_close = '</a>';
@ -372,7 +374,8 @@ if ($group_id != 0 ) {
$results = GroupPortalManager::get_groups_by_age(4,false);
$grid_newest_groups = array();
foreach ($results as $result) {
$result['name'] = Security::remove_XSS($result['name'], STUDENT, true);
$result['description'] = Security::remove_XSS($result['description'], STUDENT, true);
$id = $result['id'];
$url_open = '<a href="groups.php?id='.$id.'">';
$url_close = '</a>';
@ -416,6 +419,8 @@ if ($group_id != 0 ) {
if (is_array($results) && count($results) > 0) {
foreach ($results as $result) {
$result['name'] = Security::remove_XSS($result['name'], STUDENT, true);
$result['description'] = Security::remove_XSS($result['description'], STUDENT, true);
$id = $result['id'];
$url_open = '<a href="groups.php?id='.$id.'">';
$url_close = '</a>';
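Review bot: The same two `remove_XSS` assignments for `name` and `description` are copy-pasted into three result loops here, plus the `<h1>` title above, so the rule will drift the next time one of them changes; a single helper such as `public static function sanitize_group_row($row) { $row['name'] = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'); $row['description'] = Security::remove_XSS($row['description'], STUDENT, true); return $row; }` on `GroupPortalManager`, called as `$result = GroupPortalManager::sanitize_group_row($result);` at the top of each loop, keeps it in one place. Group `name` is plain text, so escaping it with `htmlspecialchars` is more appropriate than `remove_XSS`, which still lets permitted tags render inside the heading and the `groups.php?id=` links. Note that only the loop copy `$result` is sanitized; if anything later reads `$results` directly it still sees raw values.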

@ -137,8 +137,8 @@ echo '<div id="social-content">';
$picture = UserManager::get_user_picture_path_by_id($sender_user_id,'web',false,true);
$friends_profile = SocialManager::get_picture_user($sender_user_id, $picture['file'], 92);
$user_info = api_get_user_info($sender_user_id);
$title = Security::remove_XSS($invitation['title']);
$content = Security::remove_XSS($invitation['content']);
$title = Security::remove_XSS($invitation['title'], STUDENT, true);
$content = Security::remove_XSS($invitation['content'], STUDENT, true);
$date = api_convert_and_format_date($invitation['send_date'], DATE_TIME_FORMAT_LONG);
?>
<table cellspacing="0" border="0">
@ -182,9 +182,9 @@ echo '<div id="social-content">';
$friends_profile = SocialManager::get_picture_user($sender_user_id, $picture['file'], 92);
$user_info = api_get_user_info($sender_user_id);
$title = Security::remove_XSS($invitation['title']);
$content = Security::remove_XSS($invitation['content']);
$date = api_convert_and_format_date($invitation['send_date'], $invitation['send_date'], DATE_TIME_FORMAT_LONG);
$title = Security::remove_XSS($invitation['title'], STUDENT, true);
$content = Security::remove_XSS($invitation['content'], STUDENT, true);
$date = api_convert_and_format_date($invitation['send_date'], DATE_TIME_FORMAT_LONG);
?>
<table cellspacing="0" border="0">
<tbody>

@ -24,10 +24,10 @@ $tok = Security::get_token();
if (isset($_REQUEST['user_friend'])) {
$info_user_friend=array();
$info_path_friend=array();
$userfriend_id=Security::remove_XSS($_REQUEST['user_friend']);
$userfriend_id = intval($_REQUEST['user_friend']);
// panel=1 send message
// panel=2 send invitation
$panel=Security::remove_XSS($_REQUEST['view_panel']);
$panel = Security::remove_XSS($_REQUEST['view_panel']);
$info_user_friend = api_get_user_info($userfriend_id);
$info_path_friend = UserManager::get_user_picture_path_by_id($userfriend_id,'web',false,true);
}
@ -43,7 +43,7 @@ $to_group = '';
$subject = '';
$message = '';
if (!empty($group_id) && $allowed_action) {
$group_info = GroupPortalManager::get_group_data($group_id);
$group_info = GroupPortalManager::get_group_data($group_id);
$is_member = GroupPortalManager::is_group_member($group_id);
if ($group_info['visibility'] == GROUP_PERMISSION_CLOSED && !$is_member) {
@ -52,9 +52,10 @@ if (!empty($group_id) && $allowed_action) {
$to_group = $group_info['name'];
if (!empty($message_id)) {
$message_info = MessageManager::get_message_by_id($message_id);
$message_info = MessageManager::get_message_by_id($message_id);
if ($allowed_action == 'reply_message_group') {
$subject = get_lang('Reply').': '.api_xml_http_response_encode($message_info['title']);
//$message = api_xml_http_response_encode($message_info['content']);
} else {
$subject = api_xml_http_response_encode($message_info['title']);
$message = api_xml_http_response_encode($message_info['content']);
@ -96,7 +97,8 @@ $page_topic = !empty($_GET['topics_page_nr'])?intval($_GET['topics_page_nr']):1
$oFCKeditor->ToolbarSet = 'messages';
$oFCKeditor->Width = '100%';
$oFCKeditor->Height = $height;
$oFCKeditor->Value = $message;
$oFCKeditor->Value = $message;
$return = $oFCKeditor->CreateHtml();
echo $return;
if ($allowed_action == 'add_message_group') {
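Review bot: `$panel` is documented by the two comments right above it as `1` (send message) or `2` (send invitation), yet it is still passed through `Security::remove_XSS` while `user_friend` in the same block was correctly changed to `intval`; use `$panel = intval($_REQUEST['view_panel']);` so a non-numeric value cannot reach whatever branches on it. Further down, `$message_info['content']` is placed into `$oFCKeditor->Value` via `api_xml_http_response_encode` with no `remove_XSS`; if that function only transcodes (its body is not visible here), another user's HTML lands unsanitized in the editor, so wrap it as the display paths do. Where `$message_id` comes from is outside this hunk.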

@ -16,7 +16,6 @@ if (api_get_setting('allow_social_tool') !='true') {
api_not_allowed();
}
$user_id = api_get_user_id();
$show_full_profile = true;
@ -569,7 +568,7 @@ if ($show_full_profile) {
$user_invitation_info = api_get_user_info($user_invitation_id);
echo '<a href="'.api_get_path(WEB_PATH).'main/social/profile.php?u='.$user_invitation_id.'">'.api_get_person_name($user_invitation_info['firstname'], $user_invitation_info['lastname']).'</a>';
echo '<br />';
echo ' '.(substr($pending_invitations[$i]['content'],0,50));
echo Security::remove_XSS(cut($pending_invitations[$i]['content'], 50), STUDENT, true);
echo '<br />';
echo '<a id="btn_accepted_'.$user_invitation_id.'" onclick="register_friend(this)" href="javascript:void(0)">'.get_lang('SocialAddToFriends').'</a>';
echo '<div id="id_response"></div>';

@ -43,7 +43,7 @@ echo '<div id="social-content">';
//get users from tags
$users = UserManager::get_all_user_tags($_GET['q'], 0, 0, 5);
$groups = GroupPortalManager::get_all_group_tags($_GET['q']);
if (empty($users) && empty($groups)) {
echo get_lang('SorryNoResults');
}
@ -79,10 +79,12 @@ echo '<div id="social-content">';
echo '</div>';
}
//Get users from tags
//Get users from tags this loop does not make sense for now ...
/*
if (is_array($results) && count($results) > 0) {
foreach ($results as $result) {
$id = $result['id'];
foreach ($results as $result) {
$id = $result['id'];
$url_open = '<a href="groups.php?id='.$id.'">';
$url_close = '</a>';
@ -116,12 +118,14 @@ echo '<div id="social-content">';
$grid_item_2 = $item_1.$item_2.$item_3.$item_4;
$grid_my_groups[]= array($grid_item_1,$grid_item_2);
}
}
}*/
$grid_groups = array();
if (is_array($groups) && count($groups)>0) {
echo '<h2>'.get_lang('Groups').'</h2>';
foreach($groups as $group) {
foreach($groups as $group) {
$group['name'] = Security::remove_XSS($group['name'], STUDENT, true);
$$group['description'] = Security::remove_XSS($group['description'], STUDENT, true);
$id = $group['id'];
$url_open = '<a href="groups.php?id='.$id.'">';
$url_close = '</a>';
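Review bot: The new line `$$group['description'] = Security::remove_XSS(...)` has a doubled dollar sign, so it assigns to a variable-variable rather than to the array element; the sanitized value never lands in `$group['description']`, and whatever renders the description later in this loop still gets the raw database value (under PHP 5 this also creates a variable named from the description text). The fix is `$group['description'] = Security::remove_XSS($group['description'], STUDENT, true);`, matching the `name` line above it. The unchanged context also hands `$_GET['q']` straight to `get_all_user_tags` and `get_all_group_tags`; whether those escape it for SQL cannot be seen here and is worth confirming.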
