[svn r20610] Completely add remove_XSS in Dokeos, this glossary, notebook and survey see FS#4169

skala
Carlos Vargas 16 years ago
parent 9a1b9b4975
commit c77ae1fd70
  1. 72
      main/glossary/index.php
  2. 37
      main/notebook/index.php
  3. 4
      main/survey/create_new_survey.php
  4. 40
      main/survey/survey.lib.php

@ -33,7 +33,7 @@ event_access_tool(TOOL_GLOSSARY);
// displaying the header
if ( isset($_GET['action']) && ($_GET['action'] == 'addglossary' || $_GET['action'] == 'edit_glossary')) {
if (isset($_GET['action']) && ($_GET['action'] == 'addglossary' || $_GET['action'] == 'edit_glossary')) {
$tool=get_lang('GlossaryManagement');
$interbreadcrumb[] = array ("url"=>"index.php", "name"=> api_ucfirst(get_lang(TOOL_GLOSSARY)));
}
@ -53,59 +53,46 @@ $fck_attribute['Height'] = '300';
$fck_attribute['ToolbarSet'] = 'Glossary';
if ($_GET['action'] == 'changeview' AND in_array($_GET['view'],array('list','table')))
{
if ($_GET['action'] == 'changeview' AND in_array($_GET['view'],array('list','table'))) {
$_SESSION['glossary_view'] = $_GET['view'];
}
if (api_is_allowed_to_edit())
{
if (api_is_allowed_to_edit()) {
// Adding a glossary
if (isset($_GET['action']) && $_GET['action'] == 'addglossary')
{
if (isset($_GET['action']) && $_GET['action'] == 'addglossary') {
// initiate the object
$form = new FormValidator('glossary','post', api_get_self().'?action='.Security::remove_XSS($_GET['action']));
// settting the form elements
$form->addElement('header', '', get_lang('TermAddNew'));
$form->addElement('text', 'glossary_title', get_lang('TermName'), array('size'=>'95'));
$form->applyFilter('glossary_title', 'html_filter');
//$form->applyFilter('glossary_title', 'html_filter');
$form->addElement('html_editor', 'glossary_comment', get_lang('TermDefinition'));
$form->addElement('style_submit_button', 'SubmitGlossary', get_lang('TermAddButton'), 'class="save"');
// setting the rules
$form->addRule('glossary_title', '<div class="required">'.get_lang('ThisFieldIsRequired'), 'required');
// The validation or display
if ( $form->validate() )
{
if ($form->validate()) {
$check = Security::check_token('post');
if ($check)
{
if ($check) {
$values = $form->exportValues();
save_glossary($values);
}
Security::clear_token();
display_glossary();
}
else
{
} else {
$token = Security::get_token();
$form->addElement('hidden','sec_token');
$form->setConstants(array('sec_token' => $token));
$form->display();
}
}
// Editing a glossary
else if (isset($_GET['action']) && $_GET['action'] == 'edit_glossary' && is_numeric($_GET['glossary_id']))
{
} else if (isset($_GET['action']) && $_GET['action'] == 'edit_glossary' && is_numeric($_GET['glossary_id'])) { // Editing a glossary
// initiate the object
$form = new FormValidator('glossary','post', api_get_self().'?action='.Security::remove_XSS($_GET['action']).'&glossary_id='.Security::remove_XSS($_GET['glossary_id']));
// settting the form elements
$form->addElement('header', '', get_lang('TermEdit'));
$form->addElement('hidden', 'glossary_id');
$form->addElement('text', 'glossary_title', get_lang('TermName'),array('size'=>'100'));
$form->applyFilter('glossary_title', 'html_filter');
//$form->applyFilter('glossary_title', 'html_filter');
$form->addElement('html_editor', 'glossary_comment', get_lang('TermDefinition'));
$form->addElement('style_submit_button', 'SubmitGlossary', get_lang('TermUpdateButton'), 'class="save"');
@ -117,42 +104,27 @@ if (api_is_allowed_to_edit())
$form->addRule('glossary_title', '<div class="required">'.get_lang('ThisFieldIsRequired'), 'required');
// The validation or display
if ( $form->validate() )
{
if ($form->validate()) {
$check = Security::check_token('post');
if ($check)
{
if ($check) {
$values = $form->exportValues();
update_glossary($values);
}
Security::clear_token();
display_glossary();
}
else
{
} else {
$token = Security::get_token();
$form->addElement('hidden','sec_token');
$form->setConstants(array('sec_token' => $token));
$form->display();
}
}
// deleting a glossary
else if (isset($_GET['action']) && $_GET['action'] == 'delete_glossary' && is_numeric($_GET['glossary_id']))
{
} else if (isset($_GET['action']) && $_GET['action'] == 'delete_glossary' && is_numeric($_GET['glossary_id'])) {// deleting a glossary
delete_glossary(Security::remove_XSS($_GET['glossary_id']));
display_glossary();
}
// moving a glossary term up
else if (isset($_GET['action']) && $_GET['action'] == 'moveup' && is_numeric($_GET['glossary_id']))
{
} else if (isset($_GET['action']) && $_GET['action'] == 'moveup' && is_numeric($_GET['glossary_id'])) { // moving a glossary term up
move_glossary('up',$_GET['glossary_id']);
display_glossary();
}
// moving a glossary term up
else if (isset($_GET['action']) && $_GET['action'] == 'movedown' && is_numeric($_GET['glossary_id']))
{
} else if (isset($_GET['action']) && $_GET['action'] == 'movedown' && is_numeric($_GET['glossary_id'])) {// moving a glossary term up
move_glossary('down',$_GET['glossary_id']);
display_glossary();
} else {
@ -188,13 +160,11 @@ function save_glossary($values)
{
// display the feedback message
Display::display_error_message('GlossaryTermAlreadyExistsYouShouldEditIt');
}
else
{
} else {
$sql = "INSERT INTO $t_glossary (name, description,display_order)
VALUES(
'".Database::escape_string($values['glossary_title'])."',
'".Database::escape_string($values['glossary_comment'])."',
'".Database::escape_string(Security::remove_XSS($values['glossary_title']))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['glossary_comment'])),COURSEMANAGER))."',
'".(int)($max_glossary_item + 1)."')";
$result = api_sql_query($sql, __FILE__, __LINE__);
$id = Database::get_last_insert_id();
@ -232,8 +202,8 @@ function update_glossary($values)
else
{
$sql = "UPDATE $t_glossary SET
name = '".Database::escape_string($values['glossary_title'])."',
description = '".Database::escape_string($values['glossary_comment'])."'
name = '".Database::escape_string(Security::remove_XSS($values['glossary_title']))."',
description = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['glossary_comment'])),COURSEMANAGER))."'
WHERE glossary_id = ".Database::escape_string($values['glossary_id']);
$result = api_sql_query($sql, __FILE__, __LINE__);
//update glossary into item_property
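Review bot: In the delete_glossary, moveup and movedown branches the id has already passed is_numeric(), so wrapping it in Security::remove_XSS (delete branch only) is inconsistent and still lets non-integer numerics such as `1e3` or leading whitespace through; cast in all three branches instead, `delete_glossary((int) $_GET['glossary_id']);`, `move_glossary('up', (int) $_GET['glossary_id']);` and `move_glossary('down', (int) $_GET['glossary_id']);`. The unchanged `WHERE glossary_id = ".Database::escape_string($values['glossary_id'])` in update_glossary has the same shape: the value is not quoted in the SQL, so escape_string gives no protection there and `(int) $values['glossary_id']` would. The commented-out `$form->applyFilter('glossary_title', 'html_filter');` lines in the add and edit forms should be deleted rather than left as dead code now that filtering happens in save_glossary/update_glossary. The title is filtered with a bare remove_XSS while the comment is first passed through api_html_entity_decode and stripslashes; if that difference is intentional, a one-line comment saying why would help the next reader. save_glossary and update_glossary both start and end outside these hunks.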

@ -80,8 +80,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'addnote')
// settting the form elements
$form->addElement('header', '', get_lang('NoteAddNew'));
$form->addElement('text', 'note_title', get_lang('NoteTitle'),array('size'=>'95'));
$form->applyFilter('note_title', 'html_filter');
//$form->applyFilter('note_title', 'html_filter');
$form->addElement('html_editor', 'note_comment', get_lang('NoteComment'));
$form->addElement('style_submit_button', 'SubmitNote', get_lang('AddNote'), 'class="add"');
@ -125,7 +124,7 @@ else if (isset($_GET['action']) && $_GET['action'] == 'editnote' && is_numeric($
$form->addElement('header', '', get_lang('ModifyNote'));
$form->addElement('hidden', 'notebook_id');
$form->addElement('text', 'note_title', get_lang('NoteTitle'),array('size'=>'100'));
$form->applyFilter('note_title', 'html_filter');
//$form->applyFilter('note_title', 'html_filter');
$form->addElement('html_editor', 'note_comment', get_lang('NoteComment'));
$form->addElement('style_submit_button', 'SubmitNote', get_lang('ModifyNote'), 'class="save"');
@ -207,8 +206,7 @@ function javascript_notebook()
* @author Patrick Cool <patrick.cool@ugent.be>, Ghent University, Belgium
* @version januari 2009, dokeos 1.8.6
*/
function save_note($values)
{
function save_note($values) {
// Database table definition
$t_notebook = Database :: get_course_table(TABLE_NOTEBOOK);
@ -217,8 +215,8 @@ function save_note($values)
'".Database::escape_string(api_get_user_id())."',
'".Database::escape_string(api_get_course_id())."',
'".Database::escape_string($_SESSION['id_session'])."',
'".Database::escape_string($values['note_title'])."',
'".Database::escape_string($values['note_comment'])."',
'".Database::escape_string(Security::remove_XSS($values['note_title']))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['note_comment'])),COURSEMANAGER))."',
'".Database::escape_string(date('Y-m-d H:i:s'))."',
'".Database::escape_string(date('Y-m-d H:i:s'))."',
'0')";
@ -227,8 +225,7 @@ function save_note($values)
Display::display_confirmation_message(get_lang('NoteAdded'));
}
function get_note_information($notebook_id)
{
function get_note_information($notebook_id) {
// Database table definition
$t_notebook = Database :: get_course_table(TABLE_NOTEBOOK);
@ -250,8 +247,7 @@ function get_note_information($notebook_id)
* @author Patrick Cool <patrick.cool@ugent.be>, Ghent University, Belgium
* @version januari 2009, dokeos 1.8.6
*/
function update_note($values)
{
function update_note($values) {
// Database table definition
$t_notebook = Database :: get_course_table(TABLE_NOTEBOOK);
@ -259,8 +255,8 @@ function update_note($values)
user_id = '".Database::escape_string(api_get_user_id())."',
course = '".Database::escape_string(api_get_course_id())."',
session_id = '".Database::escape_string($_SESSION['id_session'])."',
title = '".Database::escape_string($values['note_title'])."',
description = '".Database::escape_string($values['note_comment'])."',
title = '".Database::escape_string(Security::remove_XSS($values['note_title']))."',
description = '".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['note_comment'])),COURSEMANAGER))."',
update_date = '".Database::escape_string(date('Y-m-d H:i:s'))."'
WHERE notebook_id = '".Database::escape_string($values['notebook_id'])."'";
$result = api_sql_query($sql, __FILE__, __LINE__);
@ -268,8 +264,7 @@ function update_note($values)
Display::display_confirmation_message(get_lang('NoteUpdated'));
}
function delete_note($notebook_id)
{
function delete_note($notebook_id) {
// Database table definition
$t_notebook = Database :: get_course_table(TABLE_NOTEBOOK);
@ -278,8 +273,7 @@ function delete_note($notebook_id)
Display::display_confirmation_message(get_lang('NoteDeleted'));
}
function display_notes()
{
function display_notes() {
// action links
echo '<div class="actions" style="margin-bottom:20px">';
//if (api_is_allowed_to_edit())
@ -295,8 +289,7 @@ function display_notes()
echo '<a href="index.php?'.api_get_cidreq().'&action=changeview&view=title">'.Display::return_icon('comment.gif',get_lang('OrderByTitle')).get_lang('OrderByTitle').'</a>';
echo '</div>';
if (!in_array($_SESSION['notebook_view'],array('creation_date','update_date', 'title')))
{
if (!in_array($_SESSION['notebook_view'],array('creation_date','update_date', 'title'))) {
$_SESSION['notebook_view'] = 'creation_date';
}
@ -313,12 +306,10 @@ function display_notes()
$sql = "SELECT * FROM $t_notebook WHERE user_id = '".Database::escape_string(api_get_user_id())."' $cond_extra $order_by";
$result = api_sql_query($sql, __FILE__, __LINE__);
while ($row = Database::fetch_array($result))
{
while ($row = Database::fetch_array($result)) {
echo '<div class="sectiontitle">';
echo '<span style="float: right;"> ('.get_lang('CreationDate').': '.date_to_str_ago($row['creation_date']).'&nbsp;&nbsp;<span class="dropbox_date">'.$row['creation_date'].'</span>';
if ($row['update_date'] <> $row['creation_date'])
{
if ($row['update_date'] <> $row['creation_date']) {
echo ', '.get_lang('UpdateDate').': '.date_to_str_ago($row['update_date']).'&nbsp;&nbsp;<span class="dropbox_date">'.$row['update_date'].'</span>';
}
echo ')</span>';
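Review bot: save_note and update_note filter the note body with `Security::remove_XSS(..., COURSEMANAGER)`, yet no edit-permission gate is in view for the notebook (the `//if (api_is_allowed_to_edit())` check in display_notes is commented out and notes are stored per api_get_user_id()), so if COURSEMANAGER selects the most permissive filter level every course member would get it; the second argument should follow the current user's role rather than being hard-coded. The commented-out `$form->applyFilter('note_title', 'html_filter');` lines in the add and edit forms should be deleted instead of kept as dead code. The `stripslashes()` call before remove_XSS presumes the submitted values still carry magic_quotes-style slashes; if FormValidator already strips them, legitimate backslashes in note text are lost — worth confirming. Both save_note and update_note begin and end outside their hunks.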

@ -25,7 +25,7 @@
* @author unknown, the initial survey that did not make it in 1.8 because of bad code
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
* @author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
* @version $Id: create_new_survey.php 20470 2009-05-11 09:46:59Z ivantcholakov $
* @version $Id: create_new_survey.php 20610 2009-05-13 21:53:48Z cvargas1 $
*
* @todo only the available platform languages should be used => need an api get_languages and and api_get_available_languages (or a parameter)
*/
@ -147,7 +147,7 @@ if ($_GET['action'] == 'edit' AND isset($survey_id) AND is_numeric($survey_id))
}
$survey_code = $form->addElement('text', 'survey_code', get_lang('SurveyCode'), array('size' => '40'));
$form->applyFilter('survey_code', 'html_filter');
//$form->applyFilter('survey_code', 'html_filter');
if ($_GET['action'] == 'edit') {
$survey_code->freeze();
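Review bot: Commenting out `$form->applyFilter('survey_code', 'html_filter');` removes the input-side filter on survey_code and relies on the remove_XSS call added to the INSERT in survey.lib.php; delete the dead line instead of leaving it commented, and add a short comment at the form saying where the value is now filtered, e.g. `// survey_code is filtered with Security::remove_XSS when the survey is stored (survey.lib.php)`. On the edit path the field is frozen, so the previously stored code is presumably reused; confirm that the update branch in survey.lib.php receives the same treatment, as it is not visible in this commit. The form-building code around this hunk starts and ends outside it.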

@ -24,7 +24,7 @@
* @package dokeos.survey
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
@author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
* @version $Id: survey.lib.php 20506 2009-05-11 22:10:18Z aportugal $
* @version $Id: survey.lib.php 20610 2009-05-13 21:53:48Z cvargas1 $
*
* @todo move this file to inc/lib
* @todo use consistent naming for the functions (save vs store for instance)
@ -239,26 +239,24 @@ class survey_manager
}
}
}
$sql = "INSERT INTO $table_survey (code, title, subtitle, author, lang, avail_from, avail_till, is_shared, template, intro, surveythanks, creation_date, anonymous".$additional['columns'].", session_id) VALUES (
'".Database::escape_string($values['survey_code'])."',
'".Database::escape_string($values['survey_title'])."',
'".Database::escape_string($values['survey_subtitle'])."',
'".Database::escape_string($_user['user_id'])."',
'".Database::escape_string($values['survey_language'])."',
'".Database::escape_string($values['start_date'])."',
'".Database::escape_string($values['end_date'])."',
'".Database::escape_string($shared_survey_id)."',
'".Database::escape_string('template')."',
'".Database::escape_string($values['survey_introduction'])."',
'".Database::escape_string($values['survey_thanks'])."',
'".date('Y-m-d H:i:s')."',
'".Database::escape_string($values['anonymous'])."'".$additional['values'].",
".intval($_SESSION['id_session'])."
)";
$result = api_sql_query($sql, __FILE__, __LINE__);
$survey_id = Database::insert_id();
$sql = "INSERT INTO $table_survey (code, title, subtitle, author, lang, avail_from, avail_till, is_shared, template, intro, surveythanks, creation_date, anonymous".$additional['columns'].", session_id) VALUES (
'".Database::escape_string(Security::remove_XSS($values['survey_code']))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_title'])),COURSEMANAGER))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_subtitle'])),COURSEMANAGER))."',
'".Database::escape_string($_user['user_id'])."',
'".Database::escape_string($values['survey_language'])."',
'".Database::escape_string($values['start_date'])."',
'".Database::escape_string($values['end_date'])."',
'".Database::escape_string($shared_survey_id)."',
'".Database::escape_string('template')."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_introduction'])),COURSEMANAGER))."',
'".Database::escape_string(Security::remove_XSS(stripslashes(api_html_entity_decode($values['survey_thanks'])),COURSEMANAGER))."',
'".date('Y-m-d H:i:s')."',
'".Database::escape_string($values['anonymous'])."'".$additional['values'].",
".intval($_SESSION['id_session'])."
)";
$result = api_sql_query($sql, __FILE__, __LINE__);
$survey_id = Database::insert_id();
if($values['survey_type']==1 && !empty($values['parent_id'])){
survey_manager::copy_survey($values['parent_id'],$survey_id);
}
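Review bot: The expression `Security::remove_XSS(stripslashes(api_html_entity_decode($values[...])),COURSEMANAGER)` is repeated four times in this INSERT and again in the glossary and notebook hunks of this commit; extracting it into one helper keeps the decode/strip/filter order and the role level in a single place, so a later change such as deriving the level from the user's role becomes a one-line edit. `$additional['columns']` and `$additional['values']` are still concatenated into the SQL without escaping; they are built outside the hunk, so this is only safe if they come from constants — a comment at their construction site confirming that would help. The method containing this INSERT (in class survey_manager) starts and ends outside the hunk.
```php
/**
 * Decode HTML entities, undo magic-quotes slashes and run the XSS filter
 * at the given role level before a submitted value is stored.
 */
function clean_rich_text($value, $user_status = COURSEMANAGER)
{
    return Security::remove_XSS(stripslashes(api_html_entity_decode($value)), $user_status);
}

// … unchanged: INSERT INTO $table_survey …, with each title/subtitle/intro/thanks
//   value wrapped as Database::escape_string(clean_rich_text($values['survey_title'])) etc. …
```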
