[svn r20249] style changes - added Security::remove_XSS - (partial FS#4132)

skala
Isaac Flores 16 years ago
parent c2dc075006
commit b388c40cda
  1. 16
      main/dropbox/dropbox_functions.inc.php
  2. 6
      main/dropbox/index.php

@ -375,15 +375,15 @@ function store_addcategory()
if (!$_POST['edit_id']) if (!$_POST['edit_id'])
{ {
// step 3a, we check if the category doesn't already exist // step 3a, we check if the category doesn't already exist
$sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE user_id='".$_user['user_id']."' AND cat_name='".Database::escape_string($_POST['category_name'])."' AND received='".$received."' AND sent='".$sent."'"; $sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE user_id='".$_user['user_id']."' AND cat_name='".Database::escape_string(Security::remove_XSS($_POST['category_name']))."' AND received='".$received."' AND sent='".$sent."'";
$result=api_sql_query($sql); $result=api_sql_query($sql);
// step 3b, we add the category if it does not exist yet. // step 3b, we add the category if it does not exist yet.
if (mysql_num_rows($result)==0) if (Database::num_rows($result)==0)
{ {
$sql="INSERT INTO ".$dropbox_cnf['tbl_category']." (cat_name, received, sent, user_id) $sql="INSERT INTO ".$dropbox_cnf['tbl_category']." (cat_name, received, sent, user_id)
VALUES ('".Database::escape_string($_POST['category_name'])."', '".Database::escape_string($received)."', '".Database::escape_string($sent)."', '".Database::escape_string($_user['user_id'])."')"; VALUES ('".Database::escape_string(Security::remove_XSS($_POST['category_name']))."', '".Database::escape_string($received)."', '".Database::escape_string($sent)."', '".Database::escape_string($_user['user_id'])."')";
api_sql_query($sql); api_sql_query($sql);
return get_lang('CategoryStored'); return get_lang('CategoryStored');
} }
@ -394,9 +394,9 @@ function store_addcategory()
} }
else else
{ {
$sql="UPDATE ".$dropbox_cnf['tbl_category']." SET cat_name='".Database::escape_string($_POST['category_name'])."', received='".Database::escape_string($received)."' , sent='".Database::escape_string($sent)."' $sql="UPDATE ".$dropbox_cnf['tbl_category']." SET cat_name='".Database::escape_string(Security::remove_XSS($_POST['category_name']))."', received='".Database::escape_string($received)."' , sent='".Database::escape_string($sent)."'
WHERE user_id='".Database::escape_string($_user['user_id'])."' WHERE user_id='".Database::escape_string($_user['user_id'])."'
AND cat_id='".Database::escape_string($_POST['edit_id'])."'"; AND cat_id='".Database::escape_string(Security::remove_XSS($_POST['edit_id']))."'";
api_sql_query($sql); api_sql_query($sql);
return get_lang('CategoryModified'); return get_lang('CategoryModified');
} }
@ -422,7 +422,7 @@ function display_addcategory_form($category_name='', $id='')
// retrieve the category we are editing // retrieve the category we are editing
$sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE cat_id='".Database::escape_string($id)."'"; $sql="SELECT * FROM ".$dropbox_cnf['tbl_category']." WHERE cat_id='".Database::escape_string($id)."'";
$result=api_sql_query($sql); $result=api_sql_query($sql);
$row=mysql_fetch_array($result); $row=Database::fetch_array($result);
if ($category_name=='') // after an edit with an error we do not want to return to the original name but the name we already modified. (happens when createinrecievedfiles AND createinsentfiles are not checked) if ($category_name=='') // after an edit with an error we do not want to return to the original name but the name we already modified. (happens when createinrecievedfiles AND createinsentfiles are not checked)
{ {
@ -456,10 +456,10 @@ function display_addcategory_form($category_name='', $id='')
} }
echo "<form name=\"add_new_category\" method=\"post\" action=\"".api_get_self()."?view=".$_GET['view']."\">\n"; echo "<form name=\"add_new_category\" method=\"post\" action=\"".api_get_self()."?view=".Security::remove_XSS($_GET['view'])."\">\n";
if (isset($id) AND $id<>'') if (isset($id) AND $id<>'')
{ {
echo '<input name="edit_id" type="hidden" value="'.$id.'">'; echo '<input name="edit_id" type="hidden" value="'.Security::remove_XSS($id).'">';
} }
echo '<input name="target" type="hidden" value="'.$target.'">'; echo '<input name="target" type="hidden" value="'.$target.'">';
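Review bot: `Security::remove_XSS()` is a content filter, not an encoder for the contexts these values land in: `edit_id`/`$id` (in the `UPDATE ... cat_id=` clause and the hidden `edit_id` input) is an integer key and `view` in the form action is an enumerated name, so type validation fits better — `(int) $_POST['edit_id']`, `(int) $id`, and `view` checked against its accepted values and emitted through `htmlspecialchars()` — rather than a blacklist pass. Filtering `category_name` before the `INSERT`/`UPDATE` also stores a mangled value and makes every later reader depend on that having happened; encoding at output is the robust form. Separately, the lookup in `display_addcategory_form` selects by `cat_id` only while the `UPDATE` is scoped by `user_id`, so supplying another user's id appears to load their category name into the edit form — the `SELECT` should carry `AND user_id='".Database::escape_string($_user['user_id'])."'` as well. `$target` on the last line is still echoed unescaped; where it comes from is outside this hunk, and both `store_addcategory` and `display_addcategory_form` extend beyond the hunks shown.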

@ -237,7 +237,7 @@ if (!$_GET['view'] OR $_GET['view']=='received' OR $dropbox_cnf['sent_received_t
// This is for the categories // This is for the categories
if (isset($_GET['view_received_category']) AND $_GET['view_received_category']<>'') { if (isset($_GET['view_received_category']) AND $_GET['view_received_category']<>'') {
$view_dropbox_category_received=$_GET['view_received_category']; $view_dropbox_category_received=Security::remove_XSS($_GET['view_received_category']);
} else { } else {
$view_dropbox_category_received=0; $view_dropbox_category_received=0;
} }
@ -247,7 +247,7 @@ if (!$_GET['view'] OR $_GET['view']=='received' OR $dropbox_cnf['sent_received_t
echo '<div class="actions">'; echo '<div class="actions">';
if ($view_dropbox_category_received<>0) { if ($view_dropbox_category_received<>0) {
echo get_lang('CurrentlySeeing').': <strong>'.$dropbox_categories[$view_dropbox_category_received]['cat_name'].'</strong> '; echo get_lang('CurrentlySeeing').': <strong>'.$dropbox_categories[$view_dropbox_category_received]['cat_name'].'</strong> ';
echo '<img src="../img/folder_up.gif" alt="'.get_lang('Up').'" align="absmiddle" /><a href="'.api_get_self().'?'.api_get_cidreq().'&view_received_category=0&amp;view_sent_category='.$_GET['view_sent_category'].'&amp;view='.$_GET['view'].'">'.get_lang('Root')."</a>\n"; echo '<img src="../img/folder_up.gif" alt="'.get_lang('Up').'" align="absmiddle" /><a href="'.api_get_self().'?'.api_get_cidreq().'&view_received_category=0&amp;view_sent_category='.Security::remove_XSS($_GET['view_sent_category']).'&amp;view='.Security::remove_XSS($_GET['view']).'">'.get_lang('Root')."</a>\n";
$movelist[0] = 'Root'; // move_received selectbox content $movelist[0] = 'Root'; // move_received selectbox content
} else { } else {
echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&action=addreceivedcategory"><img src="../img/folder_new.gif" align=\"absmiddle\"/> '.get_lang('AddNewCategory').'</a>'; echo '<a href="'.api_get_self().'?'.api_get_cidreq().'&action=addreceivedcategory"><img src="../img/folder_new.gif" align=\"absmiddle\"/> '.get_lang('AddNewCategory').'</a>';
@ -558,7 +558,7 @@ if ($_GET['view']=='sent' OR $dropbox_cnf['sent_received_tabs']==false) {
} }
} }
// Displaying the table // Displaying the table
$additional_get_parameters=array('view'=>$_GET['view'], 'view_received_category'=>$_GET['view_received_category'],'view_sent_category'=>$_GET['view_sent_category']); $additional_get_parameters=array('view'=>Security::remove_XSS($_GET['view']), 'view_received_category'=>Security::remove_XSS($_GET['view_received_category']),'view_sent_category'=>Security::remove_XSS($_GET['view_sent_category']));
Display::display_sortable_config_table($column_header, $dropbox_data_sent, $sorting_options, $paging_options, $additional_get_parameters,$column_show,$column_order, array ('delete_received' => get_lang('Delete'),'download_received'=>get_lang('Download'))); Display::display_sortable_config_table($column_header, $dropbox_data_sent, $sorting_options, $paging_options, $additional_get_parameters,$column_show,$column_order, array ('delete_received' => get_lang('Delete'),'download_received'=>get_lang('Download')));
} }
} }
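Review bot: `$view_dropbox_category_received` is a numeric category id that is then used as an array key and compared with `0`, so `Security::remove_XSS()` is the wrong tool on it — `$view_dropbox_category_received = (int) $_GET['view_received_category'];` is both stricter and removes reliance on a blacklist filter. The same applies to `view_sent_category` and `view` in the `Root` link: they land inside an href, where the safe form is `urlencode()` on the query value plus `htmlspecialchars()` on the attribute (or an allowlist check on `view`), and `$dropbox_categories[...]['cat_name']` is echoed raw on the same line, relying on the value having been filtered when it was stored. Whether `display_sortable_config_table()` encodes `$additional_get_parameters` before emitting them cannot be seen here, and `$_GET['view_sent_category']` is read without an `isset()` guard. The enclosing `if` blocks of both hunks begin outside what is shown.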
