added token for feedback form in dropbox tool - partial CT#493

skala
Cristian Fasanando 16 years ago
parent 0c63f3d574
commit d68a113d94
  1. 6
      main/dropbox/dropbox_class.inc.php
  2. 7
      main/dropbox/dropbox_functions.inc.php
  3. 14
      main/dropbox/index.php

@ -199,16 +199,16 @@ class Dropbox_Work {
$this->last_upload_date = stripslashes($res["last_upload_date"]); $this->last_upload_date = stripslashes($res["last_upload_date"]);
$this->category = $res['cat_id']; $this->category = $res['cat_id'];
// Getting the feedback on the work. // Getting the feedback on the work.
if ($_GET['action']=='viewfeedback' AND $this->id==$_GET['id']) { if ($_GET['action']=='viewfeedback' AND $this->id==$_GET['id']) {
$feedback2=array(); $feedback2=array();
$sql_feedback = "SELECT * FROM ".dropbox_cnf("tbl_feedback")." WHERE file_id='".$id."' ORDER BY feedback_id ASC"; $sql_feedback = "SELECT * FROM ".dropbox_cnf("tbl_feedback")." WHERE file_id='".$id."' ORDER BY feedback_id ASC";
$result = Database::query($sql_feedback, __FILE__, __LINE__); $result = Database::query($sql_feedback, __FILE__, __LINE__);
while ($row_feedback=Database::fetch_array($result)) { while ($row_feedback=Database::fetch_array($result)) {
$row_feedback['feedback'] = Security::remove_XSS($row_feedback['feedback']);
$feedback2[]=$row_feedback; $feedback2[]=$row_feedback;
} }
$this->feedback2=$feedback2; $this->feedback2= $feedback2;
} }
/* /*
// RH: Feedback // RH: Feedback
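Review bot: The new `Security::remove_XSS` call escapes the stored feedback text on read, but two lines above it `$id` is still concatenated straight into the `WHERE file_id='...'` clause, so that query stays string-built; if file ids are numeric as the column name suggests, `WHERE file_id='".intval($id)."'` (or a bound parameter where the Database wrapper supports one) closes that gap alongside the new escaping. Encoding in the data class also means every later consumer of `feedback2` receives the HTML-escaped value, which is only correct for an HTML context — keeping the raw value here and escaping at the template would be the more robust split, if the rendering code allows it. The enclosing Dropbox_Work method starts and ends outside the hunk.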

@ -1152,8 +1152,11 @@ function feedback_form()
$number_users_who_see_file=Database::num_rows($result); $number_users_who_see_file=Database::num_rows($result);
if ($number_users_who_see_file>1) if ($number_users_who_see_file>1)
{ {
$return .= '<textarea name="feedback" style="width: 80%; height: 80px;"></textarea><br /><button type="submit" class="add" name="store_feedback" value="'.get_lang('Ok').'" $token = Security::get_token();
onclick="document.form_tablename.attributes.action.value = document.location;">'.get_lang('AddComment').'</button>'; $return .= '<textarea name="feedback" style="width: 80%; height: 80px;"></textarea>';
$return .= '<input type="text" name="sec_token" value="'.$token.'"/>';
$return .= '<br /><button type="submit" class="add" name="store_feedback" value="'.get_lang('Ok').'"
onclick="document.form_tablename.attributes.action.value = document.location;">'.get_lang('AddComment').'</button>';
} }
else else
{ {
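Review bot: The added token field is rendered as `type="text"`, so the CSRF token appears as an editable box in the feedback form; it should be `$return .= '<input type="hidden" name="sec_token" value="'.$token.'"/>';`. The token is only emitted in the `$number_users_who_see_file>1` branch, while the `else` branch that follows lies outside the hunk — if that branch also posts `feedback`, the new token check in index.php will reject it, so it needs the same hidden field. The value is written into the attribute unescaped, which is fine only if `Security::get_token()` produces attribute-safe characters; worth confirming.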

@ -235,15 +235,19 @@ if (!isset($_POST['feedback']) && (strstr($_POST['action'],'move_received') OR
} }
// *** Store Feedback *** // *** Store Feedback ***
if ($_POST['feedback']) {
if ($_POST['feedback']) {
if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) { if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) {
api_not_allowed(); api_not_allowed();
} }
$display_message = store_feedback(); $check = Security::check_token();
Display :: display_normal_message($display_message); if ($check) {
$display_message = store_feedback();
Display :: display_normal_message($display_message);
Security::check_token();
}
} }
// *** Error Message *** // *** Error Message ***
if (isset($_GET['error']) AND !empty($_GET['error'])) { if (isset($_GET['error']) AND !empty($_GET['error'])) {
Display :: display_normal_message(get_lang($_GET['error'])); Display :: display_normal_message(get_lang($_GET['error']));
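Review bot: When `Security::check_token()` returns false the new `if ($check)` block silently skips `store_feedback()`, so the user gets no indication that their comment was discarded and nothing is logged; an `else` branch with a message, e.g. `Display :: display_normal_message(get_lang('<FEEDBACK_TOKEN_ERROR_LANG_KEY>'));` with a real language key, would surface the rejection. The second `Security::check_token();` inside the block discards its return value and has no effect as written — if the intent is to invalidate the token after a successful store, that needs the corresponding clearing call rather than a repeated check, and if not it should be removed. The `if ($_POST['feedback'])` guard above is read without `isset` and treats a comment of `"0"` as absent; pre-existing, but worth tidying while this block is being touched.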
