From 9adc76f893dd757142c3adc46e1b4724b36fc8b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Carlos=20Ra=C3=B1a?= Date: Wed, 30 Jun 2010 20:21:43 +0200 Subject: [PATCH] clean and fix wiki security --- main/inc/lib/internationalization.lib.php | 21 +- main/wiki/export_html2pdf.php | 101 --------- main/wiki/export_mpdf.php | 4 +- main/wiki/index.php | 236 +++++++++++----------- main/wiki/wiki.inc.php | 89 ++++---- 5 files changed, 170 insertions(+), 281 deletions(-) delete mode 100755 main/wiki/export_html2pdf.php mode change 100644 => 100755 main/wiki/export_mpdf.php diff --git a/main/inc/lib/internationalization.lib.php b/main/inc/lib/internationalization.lib.php index 46b2b708cc..a8a9ade740 100755 --- a/main/inc/lib/internationalization.lib.php +++ b/main/inc/lib/internationalization.lib.php @@ -1119,6 +1119,14 @@ function api_htmlentities($string, $quote_style = ENT_COMPAT, $encoding = null) if (!api_is_utf8($encoding) && _api_html_entity_supports($encoding)) { return htmlentities($string, $quote_style, $encoding); } + switch($quote_style) { + case ENT_COMPAT: + $string = str_replace(array('&', '"', '<', '>'), array('&', '"', '<', '>'), $string); + break; + case ENT_QUOTES: + $string = str_replace(array('&', '\'', '"', '<', '>'), array('&', ''', '"', '<', '>'), $string); + break; + } if (_api_mb_supports($encoding)) { if (!api_is_utf8($encoding)) { $string = api_utf8_encode($string, $encoding); @@ -1137,18 +1145,7 @@ function api_htmlentities($string, $quote_style = ENT_COMPAT, $encoding = null) $string = _api_convert_encoding($string, $encoding, 'UTF-8'); } } - else { - // Here the function gives up. - return $string; - } - switch($quote_style) { - case ENT_COMPAT: - $string = str_replace('"', '"', $string); - break; - case ENT_QUOTES: - $string = str_replace(array('\'', '"'), array(''', '"'), $string); - break; - } + return $string; } 
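Review bot: The new `switch($quote_style)` in api_htmlentities has no arm for ENT_NOQUOTES, so a caller passing that flag gets `&`, `<` and `>` back unescaped and the function protects nothing in the HTML text context; the replacement arrays are rendered decoded on this page, so I assume they are the `&amp;`/`&quot;`/`&lt;`/`&gt;` forms. Add a default arm that still encodes the three non-quote characters: `default: $string = str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $string); break;`. Since the second hunk drops the early `return $string` for encodings that neither mb nor iconv supports, this pre-escaping is also the only protection left on that path, which makes the missing arm matter for every quote style.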
diff --git a/main/wiki/export_html2pdf.php b/main/wiki/export_html2pdf.php deleted file mode 100755 index fc5dee8641..0000000000 --- a/main/wiki/export_html2pdf.php +++ /dev/null @@ -1,101 +0,0 @@ - -* -*/ - - -include '../inc/global.inc.php'; -api_block_anonymous_users(); - -require '../inc/lib/html2pdf/html2pdf.class.php'; - -$contentPDF = stripslashes(api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding())); -$titlePDF = stripslashes(api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding())); - -ob_start();//activate Output -Buffer -/////////////////////// -?> - - -
'?> -
- - '; ?> - -
- - pdf->IncludeJS($script); -//$html2pdf->pdf->IncludeJS("print(true);"); -//$html2pdf->pdf->IncludeJS("app.alert('Generated by Dokeos to PDF');"); -//$html2pdf->pdf->SetProtection(array('print'), 'guest');//add a password sample: guest -$html2pdf->pdf->SetAuthor('Wiki Dokeos'); -$html2pdf->pdf->SetTitle($titlePDF); -$html2pdf->pdf->SetSubject('Exported from Dokeos Wiki'); -$html2pdf->pdf->SetKeywords('Dokeos Wiki'); -//$html2pdf->WriteHTML(utf8_decode($htmlbuffer)); -$html2pdf->WriteHTML($htmlbuffer); -$html2pdf->Output($titlePDF.'.pdf', 'D'); -?> \ No newline at end of file diff --git a/main/wiki/export_mpdf.php b/main/wiki/export_mpdf.php old mode 100644 new mode 100755 index 5b12e22627..4cab7c5712 --- a/main/wiki/export_mpdf.php +++ b/main/wiki/export_mpdf.php @@ -15,8 +15,8 @@ api_block_anonymous_users(); define('_MPDF_PATH', api_get_path(LIBRARY_PATH).'mpdf/'); require_once _MPDF_PATH.'mpdf.php'; -$content_pdf = stripslashes(api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding())); -$title_pdf = stripslashes(api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding())); +$content_pdf = api_html_entity_decode($_POST['contentPDF'], ENT_QUOTES, api_get_system_encoding()); +$title_pdf = api_html_entity_decode($_POST['titlePDF'], ENT_QUOTES, api_get_system_encoding()); $html = ' diff --git a/main/wiki/index.php b/main/wiki/index.php index 114490eeb9..c50334da8d 100755 --- a/main/wiki/index.php +++ b/main/wiki/index.php @@ -2,12 +2,9 @@ /* For licensing terms, see /license.txt */ /** -* The Chamilo wiki is a further development of the CoolWiki plugin. * * @author Patrick Cool , Ghent University, Belgium * @author Juan Carlos Raña -* @copyright Ghent University -* @copyright Patrick Cool * * @package chamilo.wiki */ @@ -138,7 +135,7 @@ INITIALISATION if (!isset($_GET['title'])) { $page = 'index'; } else { - $page = Security::remove_XSS($_GET['title']); + $page = $_GET['title']; } // some titles are not allowed 
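Review bot: `$content_pdf` is built directly from `$_POST['contentPDF']` after entity decoding, so export_mpdf.php renders whatever HTML the client posts rather than the stored wiki page, and nothing in the hunk checks that the two POST keys are present. Prefer passing only a page identifier through the export form and loading title and content server-side with the same `Database::escape_string($page)` lookup index.php uses; if the raw POST body must stay, at least guard with `if (!isset($_POST['contentPDF'], $_POST['titlePDF'])) { exit; }` before decoding. Dropping `stripslashes()` is only correct if global.inc.php already normalises magic_quotes_gpc, which I cannot see from here.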
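Review bot: `$page = $_GET['title'];` now carries the raw query value through the rest of index.php, so every later use must escape for its own context: the SQL uses in this commit go through `Database::escape_string($page)`, which is fine, but any echo of `$page` into HTML or into a link (the `href` attributes are stripped on this page, so I cannot confirm them) needs `api_htmlentities($page)` or `urlencode($page)` respectively. A comment at the assignment would make that contract explicit: `// raw request value: escape per context (escape_string for SQL, api_htmlentities for HTML, urlencode for URLs)`. The `// some titles are not allowed` check that follows is outside the hunk, so I cannot tell whether it also rejects empty or overlong titles.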
@@ -220,7 +217,6 @@ if (isset($_POST['SaveWikiNew'])) { $return_message=save_new_wiki(); Display::display_confirmation_message($return_message, false); - $page=urlencode(Security::remove_XSS($_POST['reflink'])); } } } @@ -233,13 +229,13 @@ if ($_GET['view']) $result=Database::query($sql); $current_row=Database::fetch_array($result); - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; //last version + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; //last version $result=Database::query($sql); $last_row=Database::fetch_array($result); if ($_GET['view']<$last_row['id']) { - $message= '
'.get_lang('NoAreSeeingTheLastVersion').'
'.get_lang("Version").' ('.$current_row['version'].' / '.$last_row['version'].')
'.get_lang("ConvertToLastVersion").': '.get_lang("Restore").'
'; + $message= '
'.get_lang('NoAreSeeingTheLastVersion').'
'.get_lang("Version").' ('.$current_row['version'].' / '.$last_row['version'].')
'.get_lang("ConvertToLastVersion").': '.get_lang("Restore").'
'; Display::display_warning_message($message,false); } @@ -275,12 +271,12 @@ if ($_GET['view']) } // check if is an assignment - if(stripslashes($current_row['assignment'])==1) + if($current_row['assignment']==1) { Display::display_normal_message(get_lang('EditAssignmentWarning')); $icon_assignment=''.get_lang('AssignmentDescExtra').''; } - elseif(stripslashes($current_row['assignment'])==2) + elseif($current_row['assignment']==2) { $icon_assignment=''.get_lang('AssignmentWorkExtra').''; if((api_get_user_id()==$current_row['user_id'])==false) @@ -325,7 +321,7 @@ if ($_GET['view']) } else { - Display::display_confirmation_message(restore_wikipage($current_row['page_id'], $current_row['reflink'], $current_row['title'], $current_row['content'], $current_row['group_id'], $current_row['assignment'], $current_row['progress'], $current_row['version'], $last_row['version'], $current_row['linksto']).': '.$last_row['title'].'',false); + Display::display_confirmation_message(restore_wikipage($current_row['page_id'], $current_row['reflink'], $current_row['title'], $current_row['content'], $current_row['group_id'], $current_row['assignment'], $current_row['progress'], $current_row['version'], $last_row['version'], $current_row['linksto']).': '.api_htmlentities($last_row['title']).'',false); } } } @@ -392,7 +388,7 @@ echo ''; } } - echo ''.$protect_addnewpage.''; + echo ''.$protect_addnewpage.''; ///menu find echo '
  • '.get_lang('SearchPages').'
  • '; @@ -403,11 +399,11 @@ echo ''; ///menu delete all wiki if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) { - echo '
  • '.get_lang('DeleteWiki').'
  • '; + echo '
  • '.get_lang('DeleteWiki').'
  • '; } ///menu more - echo '
  • '.get_lang('More').'
  • '; + echo '
  • '.get_lang('More').'
  • '; echo ''; echo ''; @@ -429,25 +425,25 @@ if (!in_array($_GET['action'], array('addnew', 'searchpages', 'allpages', 'recen echo "'; } @@ -456,7 +452,7 @@ if (!in_array($_GET['action'], array('addnew', 'searchpages', 'allpages', 'recen //In new pages go to new page if (isset($_POST['SaveWikiNew'])) { - display_wiki_entry(Security::remove_XSS($_POST['reflink'])); + display_wiki_entry($_POST['reflink']); } /////////////////////// more options /////////////////////// Juan Carlos Raña Trabado @@ -563,8 +559,8 @@ if ($_GET['action']=='mactiveusers') $userinfo=Database::get_user_info_from_id($obj->user_id); $row = array (); - $row[] = $obj->user_id <>0 ? ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; - $row[] =''.$obj->NUM_EDIT.''; + $row[] = $obj->user_id <>0 ? ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; + $row[] =''.$obj->NUM_EDIT.''; $rows[] = $row; } 
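Review bot: In the `mactiveusers` row the anonymous branch still concatenates `$obj->user_ip` unescaped (`get_lang('Anonymous').' ('.$obj->user_ip.')'`) while the same expression in the `recentchanges` and `allpages` hunks was changed to `api_htmlentities($obj->user_ip)`; the `links` hunk further down has the same omission. user_ip is a stored column whose origin I cannot see from here, so treat it like every other column and write `get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')'` in both places. The loop that builds `$row` starts before the hunk.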
@@ -581,18 +577,18 @@ if ($_GET['action']=='mactiveusers') if ($_GET['action']=='usercontrib') { - $userinfo=Database::get_user_info_from_id(Security::remove_XSS($_GET['user_id'])); + $userinfo=Database::get_user_info_from_id($_GET['user_id']); - echo ''; + echo ''; if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) //only by professors if page is hidden { - $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND user_id="'.Security::remove_XSS($_GET['user_id']).'"'; + $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND user_id="'.Database::escape_string($_GET['user_id']).'"'; } else { - $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND user_id="'.Security::remove_XSS($_GET['user_id']).'" AND visibility=1'; + $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND user_id="'.Database::escape_string($_GET['user_id']).'" AND visibility=1'; } $allpages=Database::query($sql); @@ -632,15 +628,15 @@ if ($_GET['action']=='usercontrib') $row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds; $row[] =$ShowAssignment; - $row[] = ''.$obj->title.''; - $row[] =$obj->version; - $row[] =$obj->comment; - //$row[] = api_strlen($obj->comment)>30 ? api_substr($obj->comment,0,30).'...' : $obj->comment; - $row[] =$obj->progress.' %'; - $row[] =$obj->score; + $row[] = ''.api_htmlentities($obj->title).''; + $row[] =Security::remove_XSS($obj->version); + $row[] =Security::remove_XSS($obj->comment); + //$row[] = api_strlen($obj->comment)>30 ? Security::remove_XSS(api_substr($obj->comment,0,30)).'...' : Security::remove_XSS($obj->comment); + $row[] =Security::remove_XSS($obj->progress).' %'; + $row[] =Security::remove_XSS($obj->score); //if(api_is_allowed_to_edit() || api_is_platform_admin()) //{ - //$row[] =$obj->user_ip; + //$row[] =Security::remove_XSS($obj->user_ip); //} $rows[] = $row; 
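Review bot: `$_GET['user_id']` is passed untouched to `Database::get_user_info_from_id()` and then string-escaped into two SQL statements, although user_id is presumably an integer id. Normalise once at the top of the `usercontrib` branch, `$user_id = (int) $_GET['user_id'];`, use it for the lookup and write `AND user_id='.$user_id` in both queries; that removes the dependency on what get_user_info_from_id does with a non-numeric value. The `if ($_GET['action']=='usercontrib')` block continues past the hunk.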
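Review bot: The `usercontrib` rows now wrap `$obj->version`, `$obj->comment`, `$obj->progress` and `$obj->score` in `Security::remove_XSS()`, whereas every other hunk in this commit encodes output with `api_htmlentities()`; remove_XSS is a filter that strips known patterns, not an encoder, so the table ends up with two different escaping policies. Use `api_htmlentities($obj->comment)` for the free-text column and a plain cast, `(int) $obj->version` and `(int) $obj->progress.' %'`, for the numeric ones — assuming version, progress and score are numeric, which the `' %'` suffix suggests. The commented-out 30-character truncation line should be deleted rather than rewritten to the new filter.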
@@ -706,7 +702,7 @@ if ($_GET['action']=='mostchanged') $row = array (); $row[] =$ShowAssignment; - $row[] = ''.$obj->title.''; + $row[] = ''.api_htmlentities($obj->title).''; $row[] = $obj->MAX; $rows[] = $row; } @@ -760,7 +756,7 @@ if ($_GET['action']=='mvisited') $row = array (); $row[] =$ShowAssignment; - $row[] = ''.$obj->title.''; + $row[] = ''.api_htmlentities($obj->title).''; $row[] = $obj->tsum; $rows[] = $row; } @@ -815,7 +811,7 @@ if ($_GET['action']=='wanted') { if (trim($v)!="") { - echo '
  • '.str_replace('_',' ',$v).'
  • '; + echo '
  • '.api_htmlentities(str_replace('_',' ',$v)).'
  • '; } } } @@ -873,11 +869,11 @@ if ($_GET['action']=='orphaned') { if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) //only by professors if page is hidden { - $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.$vshow.'" GROUP BY reflink'; + $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.Database::escape_string($vshow).'" GROUP BY reflink'; } else { - $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.$vshow.'" AND visibility=1 GROUP BY reflink'; + $sql='SELECT * FROM '.$tbl_wiki.' WHERE '.$groupfilter.$condition_session.' AND reflink="'.Database::escape_string($vshow).'" AND visibility=1 GROUP BY reflink'; } $allpages=Database::query($sql); @@ -899,7 +895,7 @@ if ($_GET['action']=='orphaned') $ShowAssignment=''; } - echo '
  • '.$ShowAssignment.''.$row['title'].'
  • '; + echo '
  • '.$ShowAssignment.''.api_htmlentities($row['title']).'
  • '; } echo ''; } @@ -927,7 +923,7 @@ if ($_GET['action']=='delete') Display::display_warning_message(get_lang('WarningDeleteMainPage'),false); } - $message = get_lang('ConfirmDeletePage')."

    "."

    "."".get_lang("No").""."  |  "."".get_lang("Yes").""."

    "; + $message = get_lang('ConfirmDeletePage')."

    "."

    "."".get_lang("No").""."  |  "."".get_lang("Yes").""."

    "; if (!isset ($_GET['delete'])) { @@ -936,14 +932,14 @@ if ($_GET['action']=='delete') if ($_GET['delete'] == 'yes') { - $sql='DELETE '.$tbl_wiki_discuss.' FROM '.$tbl_wiki.', '.$tbl_wiki_discuss.' WHERE '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_discuss.'.publication_id='.$tbl_wiki.'.id'; + $sql='DELETE '.$tbl_wiki_discuss.' FROM '.$tbl_wiki.', '.$tbl_wiki_discuss.' WHERE '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_discuss.'.publication_id='.$tbl_wiki.'.id'; Database::query($sql); - $sql='DELETE '.$tbl_wiki_mailcue.' FROM '.$tbl_wiki.', '.$tbl_wiki_mailcue.' WHERE '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_mailcue.'.id='.$tbl_wiki.'.id'; + $sql='DELETE '.$tbl_wiki_mailcue.' FROM '.$tbl_wiki.', '.$tbl_wiki_mailcue.' WHERE '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.' AND '.$tbl_wiki_mailcue.'.id='.$tbl_wiki.'.id'; Database::query($sql); - $sql='DELETE FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.''; - Database::query($sql); + $sql='DELETE FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.''; + Database::query($sql); check_emailcue(0, 'E'); @@ -993,7 +989,7 @@ if ($_GET['action']=='searchpages') echo '
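Review bot: The three DELETE statements run as soon as `$_GET['delete'] == 'yes'`, i.e. a plain GET link with no per-request token, so the confirmation message above is the only thing between a third-party link and the loss of the page, its discussion and its mail cue. A state-changing action should be a POST carrying a session-bound token that is checked before the first `Database::query($sql)`; the check belongs at the top of this `if`, with the GET field replaced by the POST one. The escaping fix itself is sound, but the three deletes are not in a transaction, so a failure after the first query leaves orphaned wiki rows. The `if ($_GET['action']=='delete')` block starts before the hunk.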
    '.get_lang('SearchPages').'
    '; echo '
    '; // initiate the object - $form = new FormValidator('wiki_search','post', api_get_self().'?cidReq='.Security::remove_XSS($_GET['cidReq']).'&action='.Security::remove_XSS($_GET['action']).'&group_id='.Security::remove_XSS($_GET['group_id'])); + $form = new FormValidator('wiki_search','post', api_get_self().'?cidReq='.api_htmlentities($_GET['cidReq']).'&action='.api_htmlentities($_GET['action']).'&group_id='.api_htmlentities($_GET['group_id'])); // settting the form elements @@ -1031,9 +1027,9 @@ if ($_GET['action']=='links') else { - $sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.''; - $result=Database::query($sql); - $row=Database::fetch_array($result); + $sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.''; + $result=Database::query($sql); + $row=Database::fetch_array($result); //get type assignment icon @@ -1058,7 +1054,7 @@ if ($_GET['action']=='links') } echo '
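Review bot: The FormValidator action URL now passes `$_GET['cidReq']`, `$_GET['action']` and `$_GET['group_id']` through `api_htmlentities()`, which is the wrong encoder for a query-string value: it leaves `=`, `?`, `#` and spaces intact, and an `&amp;` inside an attribute is decoded back to `&` by the browser, so a value can still add or override parameters. Encode each value for the URL context instead, `api_get_self().'?cidReq='.urlencode($_GET['cidReq']).'&action='.urlencode($_GET['action']).'&group_id='.urlencode($_GET['group_id'])`, and leave attribute escaping to FormValidator; I cannot see from here whether it escapes the action attribute itself, which would also mean the current call double-encodes.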
    '; - echo get_lang('LinksPagesFrom').': '.$ShowAssignment.' '.Security::remove_XSS($row['title']).''; + echo get_lang('LinksPagesFrom').': '.$ShowAssignment.' '.api_htmlentities($row['title']).''; echo '
    '; //fix index to title Main page into linksto 
@@ -1073,14 +1069,14 @@ if ($_GET['action']=='links') { //$sql="SELECT * FROM ".$tbl_wiki." s1 WHERE linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND id=(SELECT MAX(s2.id) FROM ".$tbl_wiki." s2 WHERE s1.reflink = s2.reflink AND ".$groupfilter.")"; //add blank space after like '%" " %' to identify each word. //Old version TODO: Replace by the bottom line - $sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word. // new version + $sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE linksto LIKE '%".Database::escape_string($page)." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word. // new version } else { //$sql="SELECT * FROM ".$tbl_wiki." s1 WHERE visibility=1 AND linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND id=(SELECT MAX(s2.id) FROM ".$tbl_wiki." s2 WHERE s1.reflink = s2.reflink AND ".$groupfilter.")"; //add blank space after like '%" " %' to identify each word //old version TODO: Replace by the bottom line - $sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE visibility=1 AND linksto LIKE '%".html_entity_decode(Database::escape_string(stripslashes(urldecode($page))))." %' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word // new version + $sql="SELECT * FROM ".$tbl_wiki.", ".$tbl_wiki_conf." WHERE visibility=1 AND linksto LIKE '%".Database::escape_string($page)." 
%' AND ".$tbl_wiki_conf.".page_id=".$tbl_wiki.".page_id AND ".$tbl_wiki.".".$groupfilter.$condition_session.""; //add blank space after like '%" " %' to identify each word // new version } @@ -1119,8 +1115,8 @@ if ($_GET['action']=='links') $row = array (); $row[] =$ShowAssignment; - $row[] = ''.Security::remove_XSS($obj->title).''; - $row[] = $obj->user_id <>0 ? ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; + $row[] = ''.api_htmlentities($obj->title).''; + $row[] = $obj->user_id <>0 ? ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; $row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds; $rows[] = $row; } @@ -1214,8 +1210,8 @@ if ($_GET['action']=='edit') $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$tbl_wiki.'.'.$groupfilter.$condition_session.' ORDER BY id DESC'; - $result=Database::query($sql); + $sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.Database::escape_string($page).'" AND '.$tbl_wiki.'.'.$groupfilter.$condition_session.' ORDER BY id DESC'; + $result=Database::query($sql); $row=Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version 
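Review bot: In both `linksto LIKE '%".Database::escape_string($page)." %'` queries the page name is escaped for the string literal but not for the LIKE pattern, so `%` and `_` in a title still act as wildcards and a title consisting of `%` matches every page. Escape the pattern metacharacters before the string escape, `Database::escape_string(addcslashes($page, '%_'))`, in both branches. The `if ($_GET['action']=='links')` block starts before the hunk.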
@@ -1269,12 +1265,12 @@ if ($_GET['action']=='edit') } // check if is a assignment - if(stripslashes($row['assignment'])==1) + if($row['assignment']==1) { Display::display_normal_message(get_lang('EditAssignmentWarning')); $icon_assignment=''.get_lang('AssignmentDescExtra').''; } - elseif(stripslashes($row['assignment'])==2) + elseif($row['assignment']==2) { $icon_assignment=''.get_lang('AssignmentWorkExtra').''; if((api_get_user_id()==$row['user_id'])==false) @@ -1396,7 +1392,7 @@ if ($_GET['action']=='edit') } //comp message - $message_task=''.get_lang('DescriptionOfTheTask').'

    '.$row['task'].'


    '; + $message_task=''.get_lang('DescriptionOfTheTask').'

    '.api_htmlentities($row['task']).'


    '; $message_task.='

    '.get_lang('StartDate').': '.$message_task_startdate.'

    '; $message_task.='

    '.get_lang('EndDate').': '.$message_task_enddate; $message_task.=' ('.get_lang('AllowLaterSends').') '.$message_task_delayedsubmit.'

    '; @@ -1410,17 +1406,17 @@ if ($_GET['action']=='edit') if($row['progress']==$row['fprogress1'] && !empty($row['fprogress1'])) { - $feedback_message=''.get_lang('Feedback').'

    '.$row['feedback1'].'

    '; + $feedback_message=''.get_lang('Feedback').'

    '.api_htmlentities($row['feedback1']).'

    '; Display::display_normal_message($feedback_message, false); } elseif($row['progress']==$row['fprogress2'] && !empty($row['fprogress2'])) { - $feedback_message=''.get_lang('Feedback').'

    '.$row['feedback2'].'

    '; + $feedback_message=''.get_lang('Feedback').'

    '.api_htmlentities($row['feedback2']).'

    '; Display::display_normal_message($feedback_message, false); } elseif($row['progress']==$row['fprogress3'] && !empty($row['fprogress3'])) { - $feedback_message=''.get_lang('Feedback').'

    '.$row['feedback3'].'

    '; + $feedback_message=''.get_lang('Feedback').'

    '.api_htmlentities($row['feedback3']).'

    '; Display::display_normal_message($feedback_message, false); } @@ -1442,16 +1438,16 @@ if ($_GET['action']=='edit') $userinfo=Database::get_user_info_from_id($row['is_editing']); - $is_being_edited= get_lang('ThisPageisBeginEditedBy').' '.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'. '.get_lang('ThisPageisBeginEditedTryLater').' '.date( "i",$rest_time).' '.get_lang('MinMinutes').''; + $is_being_edited= get_lang('ThisPageisBeginEditedBy').' '.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'. '.get_lang('ThisPageisBeginEditedTryLater').' '.date( "i",$rest_time).' '.get_lang('MinMinutes').''; Display::display_normal_message($is_being_edited, false); exit; } //form - echo '
    '; + echo ''; echo '
    '; - echo '
    '.$icon_assignment.str_repeat(' ',3).$title.'
    '; + echo '
    '.$icon_assignment.str_repeat(' ',3).api_htmlentities($title).'
    '; if((api_is_allowed_to_edit(false,true) || api_is_platform_admin()) && $row['reflink']!='index') { @@ -1470,7 +1466,7 @@ if ($_GET['action']=='edit') echo ''.get_lang('DescriptionOfTheTask').''; echo ''; echo ''; - echo ''.api_disp_html_area('task', stripslashes($row['task']), '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).''; + echo ''.api_disp_html_area('task', $row['task'], '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).''; echo ''; echo ''; echo '
    '; @@ -1487,14 +1483,14 @@ if ($_GET['action']=='edit') echo ''.get_lang('Feedback3').''; echo ''; echo ''; - echo ''; - echo ''; - echo ''; + echo ''; + echo ''; + echo ''; echo ''; echo ''; echo ''.get_lang('FProgress').':'; echo ' %'; echo ''.get_lang('FProgress').':'; echo ' %'; echo ''.get_lang('FProgress').':'; echo ' '.get_lang('OtherSettings').''; echo '   '; echo ''; // @@ -1596,10 +1592,10 @@ if ($_GET['action']=='edit') echo '
    '; echo ''; - echo ''; - echo ''; + echo ''; + echo ''; - api_disp_html_area('content', stripslashes($content), '', '', null, api_is_allowed_to_edit(null,true) + api_disp_html_area('content', $content, '', '', null, api_is_allowed_to_edit(null,true) ? array('ToolbarSet' => 'Wiki', 'Width' => '100%', 'Height' => '400') : array('ToolbarSet' => 'WikiStudent', 'Width' => '100%', 'Height' => '400', 'UserStatus' => 'student') ); @@ -1609,16 +1605,16 @@ if ($_GET['action']=='edit') //{ echo get_lang('Comments').':     '; //} - echo ''; - echo ''; + echo ''; + echo ''; //hack date for edit - echo ''; - echo ''; + echo ''; + echo ''; // echo get_lang('Progress').':   '; echo ' '; - echo ''; - echo ''; + echo ''; + echo ''; echo api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()); echo ''; @@ -1727,19 +1723,19 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference echo ' '.get_lang('By').' '; if ($row['user_id']<>0) { - echo ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).''; + echo ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).''; } else { - echo get_lang('Anonymous').' ('.$row[user_ip].')'; + echo get_lang('Anonymous').' ('.api_htmlentities($row[user_ip]).')'; } - echo ' ( '.get_lang('Progress').': '.$row['progress'].'%, '; + echo ' ( '.get_lang('Progress').': '.api_htmlentities($row['progress']).'%, '; $comment=$row['comment']; if (!empty($comment)) { - echo get_lang('Comments').': '.api_substr(api_htmlentities($row['comment'], ENT_QUOTES, $charset),0,100); + echo get_lang('Comments').': '.api_htmlentities(api_substr($row['comment'],0,100)); if (api_strlen($row['comment'])>100) { echo '... '; @@ -1774,21 +1770,21 @@ if ($_GET['action']=='history' or Security::remove_XSS($_POST['HistoryDifference { include('diff.inc.php'); //title - echo '
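Review bot: The changed line `api_htmlentities($row[user_ip])` keeps the unquoted array key: `user_ip` is read as an undefined constant that PHP silently falls back to a string (and rejects outright in PHP 8), so it should read `api_htmlentities($row['user_ip'])`. A few lines later the comment output drops the explicit flags the old call had, `api_htmlentities($row['comment'], ENT_QUOTES, $charset)`; moving the encoding outside `api_substr()` is the right fix, but keep the flags for consistency with the rest of the file: `api_htmlentities(api_substr($row['comment'],0,100), ENT_QUOTES, $charset)`. The enclosing `history` branch starts before the hunk and the `if (!empty($comment))` body continues past it.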
    '.stripslashes($version_new['title']).' ('.get_lang('DifferencesNew').' '.stripslashes($version_new['dtime']).' '.get_lang('DifferencesOld').' '.stripslashes($version_old['dtime']).') '.get_lang('Legend').': '.get_lang(WikiDiffAddedLine).' '.get_lang(WikiDiffDeletedLine).' '.get_lang(WikiDiffMovedLine).'
    '; + echo '
    '.api_htmlentities($version_new['title']).' ('.get_lang('DifferencesNew').' '.$version_new['dtime'].' '.get_lang('DifferencesOld').' '.$version_old['dtime'].') '.get_lang('Legend').': '.get_lang(WikiDiffAddedLine).' '.get_lang(WikiDiffDeletedLine).' '.get_lang(WikiDiffMovedLine).'
    '; } if(isset($_POST['HistoryDifferences2'])) { require_once 'Text/Diff.php'; require_once 'Text/Diff/Renderer/inline.php'; //title - echo '
    '.stripslashes($version_new['title']).' ('.get_lang('DifferencesNew').' '.stripslashes($version_new['dtime']).' '.get_lang('DifferencesOld').' '.stripslashes($version_old['dtime']).') '.get_lang('Legend').': '.get_lang(WikiDiffAddedTex).' '.get_lang(WikiDiffDeletedTex).'
    '; + echo '
    '.api_htmlentities($version_new['title']).' ('.get_lang('DifferencesNew').' '.$version_new['dtime'].' '.get_lang('DifferencesOld').' '.$version_old['dtime'].') '.get_lang('Legend').': '.get_lang(WikiDiffAddedTex).' '.get_lang(WikiDiffDeletedTex).'
    '; } echo '


    '; if(isset($_POST['HistoryDifferences'])) { - echo ''.diff( stripslashes($version_old['content']), stripslashes($version_new['content']), true, 'format_table_line' ).'
    '; // format_line mode is better for words + echo ''.diff( $version_old['content'], $version_new['content'], true, 'format_table_line' ).'
    '; // format_line mode is better for words echo '
    '; echo '
    '; @@ -1860,7 +1856,7 @@ if ($_GET['action']=='recentchanges') { } echo '
    '; - echo ''.$notify_all.''; + echo ''.$notify_all.''; echo ''.get_lang('RecentChanges').'
    '; @@ -1916,9 +1912,9 @@ if ($_GET['action']=='recentchanges') { $row = array (); $row[] = api_convert_and_format_date($obj->dtime, null, date_default_timezone_get()); $row[] = $ShowAssignment.$icon_task; - $row[] = ''.$obj->title.''; - $row[] = $obj->version>1 ? get_lang('EditedBy') : get_lang('AddedBy'); - $row[] = $obj->user_id <> 0 ? ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; + $row[] = ''.api_htmlentities($obj->title).''; + $row[] = $obj->version>1 ? get_lang('EditedBy') : get_lang('AddedBy'); + $row[] = $obj->user_id <> 0 ? ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'' : get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')'; $rows[] = $row; } @@ -1996,16 +1992,16 @@ if ($_GET['action']=='allpages') $row = array (); $row[] =$ShowAssignment.$icon_task; - $row[] = ''.Security::remove_XSS($obj->title).''; - $row[] = $obj->user_id <>0 ? ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; + $row[] = ''.api_htmlentities($obj->title).''; + $row[] = $obj->user_id <>0 ? ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'' : get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')'; $row[] = api_convert_and_format_date($obj->dtime, null, date_default_timezone_get()); if(api_is_allowed_to_edit(false,true)|| api_is_platform_admin()) { - $showdelete=' '.get_lang('Delete').''; + $showdelete=' '.get_lang('Delete').''; } if (api_is_allowed_to_session_edit(false,true) ) - $row[] = ''.get_lang('EditPage').' '.get_lang('Discuss').' '.get_lang('History').' '.get_lang('LinksPages').''.$showdelete; + $row[] = ''.get_lang('EditPage').' '.get_lang('Discuss').' '.get_lang('History').' '.get_lang('LinksPages').''.$showdelete; $rows[] = $row; } 
@@ -2037,25 +2033,25 @@ if ($_GET['action']=='discuss') } //first extract the date of last version - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id DESC'; $result=Database::query($sql); $row=Database::fetch_array($result); $lastversiondate=api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()); $lastuserinfo=Database::get_user_info_from_id($row['user_id']); //select page to discuss - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); $id=$row['id']; $firstuserid=$row['user_id']; //mode assignment: previous to show page type - if(stripslashes($row['assignment'])==1) + if($row['assignment']==1) { $icon_assignment=''.get_lang('AssignmentDescExtra').''; } - elseif(stripslashes($row['assignment'])==2) + elseif($row['assignment']==2) { $icon_assignment=''.get_lang('AssignmentWorkExtra').''; } @@ -2085,7 +2081,7 @@ if ($_GET['action']=='discuss') } } echo ''; - echo ''.$addlock_disc.''; + echo ''.$addlock_disc.''; echo ''; // discussion action: visibility. Show discussion to students if isn't hidden. Show page to all teachers if is hidden. @@ -2111,7 +2107,7 @@ if ($_GET['action']=='discuss') } } echo ''; - echo ''.$visibility_disc.''; + echo ''.$visibility_disc.''; echo ''; //discussion action: check add rating lock. Show/Hide list to rating for all student 
@@ -2131,7 +2127,7 @@ if ($_GET['action']=='discuss') } echo ''; - echo ''.$ratinglock_disc.''; + echo ''.$ratinglock_disc.''; echo ''; //discussion action: email notification @@ -2146,12 +2142,12 @@ if ($_GET['action']=='discuss') $lock_unlock_notify_disc='locknotifydisc'; } echo ''; - echo ''.$notify_disc.''; + echo ''.$notify_disc.''; echo ''; - echo $icon_assignment.'   '.$row['title']; + echo $icon_assignment.'   '.api_htmlentities($row['title']); - echo ' ('.get_lang('MostRecentVersionBy').' '.api_get_person_name($lastuserinfo['firstname'], $lastuserinfo['lastname']).' '.$lastversiondate.$countWPost.')'.$avg_WPost_score.' '; //TODO: read avg score + echo ' ('.get_lang('MostRecentVersionBy').' '.api_htmlentities(api_get_person_name($lastuserinfo['firstname'], $lastuserinfo['lastname'])).' '.$lastversiondate.$countWPost.')'.$avg_WPost_score.' '; //TODO: read avg score echo '
    '; @@ -2246,7 +2242,7 @@ if ($_GET['action']=='discuss') echo ' - '.get_lang('RatingMedia').': '.$avg_WPost_score; // average rating - $sql='UPDATE '.$tbl_wiki.' SET score="'.Database::escape_string($avg_WPost_score).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.$condition_session; // check if work ok. TODO: + $sql='UPDATE '.$tbl_wiki.' SET score="'.Database::escape_string($avg_WPost_score).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.$condition_session; // check if work ok. TODO: Database::query($sql); echo '
    '; @@ -2273,12 +2269,12 @@ if ($_GET['action']=='discuss') $image_path = UserManager::get_user_picture_path_by_id($user_id,'web',false, true); $image_repository = $image_path['dir']; $existing_image = $image_path['file']; - $author_photo= ''.$name.''; + $author_photo= ''.api_htmlentities($name).''; } else { - $author_photo= ''.$name.''; + $author_photo= ''.api_htmlentities($name).''; } //stars @@ -2322,10 +2318,10 @@ if ($_GET['action']=='discuss') echo '
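Review bot: The rewritten `UPDATE '.$tbl_wiki.' SET score="..."` line runs on every rendering of the discuss view, i.e. on a plain GET, and still carries the `// check if work ok. TODO:` marker showing it was never confirmed. Writing a derived average back into every version row of the page from a read path means any visitor who can open the discussion rewrites the stored score; if the score must be persisted, move the write to the handler that records a rating and keep this branch read-only, or at least guard it with the same lock check used for adding a comment. `$avg_WPost_score` is computed before the hunk so its type is not visible here; a `(float)` cast before `Database::escape_string()` would make the intent explicit. The discuss branch continues outside the hunk.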

    '; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo ''; - echo ''; + echo ''; echo ''; echo "
    '.$author_photo.''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).' ('.$author_status.') '.api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()).' - '.get_lang('Rating').': '.$row['p_score'].' '.$imagerating.' '.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).' ('.$author_status.') '.api_convert_and_format_date($row['dtime'], null, date_default_timezone_get()).' - '.get_lang('Rating').': '.$row['p_score'].' '.$imagerating.'
    '.$row['comment'].''.api_htmlentities($row['comment']).'
    "; echo '


    '; diff --git a/main/wiki/wiki.inc.php b/main/wiki/wiki.inc.php index 379ed4d65b..b48593241a 100755 --- a/main/wiki/wiki.inc.php +++ b/main/wiki/wiki.inc.php @@ -2,12 +2,9 @@ /* For licensing terms, see /license.txt */ /** -* The Dokeos wiki is a further development of the CoolWiki plugin. * * @Author Patrick Cool , Ghent University, Belgium * @Author Juan Carlos Raña -* @Copyright Ghent University -* @Copyright Patrick Cool * * @package chamilo.wiki */ @@ -45,7 +42,7 @@ function checktitle($paramwk) global $tbl_wiki; global $groupfilter; - $sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($paramwk)))).'" AND '.$groupfilter.''; // TODO: check if need entity + $sql='SELECT * FROM '.$tbl_wiki.' WHERE reflink="'.Database::escape_string($paramwk).'" AND '.$groupfilter.''; $result=Database::query($sql); $numberofresults=Database::num_rows($result); @@ -236,17 +233,17 @@ function make_wiki_link_clickable($input) if ($link==get_lang('DefaultTitle')){ $link='index'; } - + $link = api_html_entity_decode($link); // note: checkreflink checks if the link is still free. If it is not used then it returns true, if it is used, then it returns false. Now the title may be different if (checktitle(strtolower(str_replace(' ','_',$link)))) { - $input_array[$key]=''.$title.$titleg_ex.''; + $input_array[$key]=''.$title.$titleg_ex.''; } else { - $input_array[$key]=''.$title.$titleg_ex.''; + $input_array[$key]=''.$title.$titleg_ex.''; } unset($input_array[$key-1]); unset($input_array[$key+1]); @@ -426,6 +423,7 @@ function save_new_wiki() { global $tbl_wiki; global $assig_user_id; //need for assignments mode global $tbl_wiki_conf; + global $page; // cleaning the variables $_clean['assignment']=Database::escape_string($_POST['assignment']); 
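Review bot: `api_htmlentities($row['comment'])` on the new row closes the stored-XSS path for discussion posts, but it also means any comment that was previously saved as HTML (line breaks as `<br>`, links) now renders as literal tags; if comments were ever posted through an HTML editor, either apply the same `Security::remove_XSS()` filter used for page bodies or at least keep line breaks with `nl2br(api_htmlentities($row['comment']))`. `$author_status` on the same row is interpolated without encoding; it is presumably a `get_lang()` label, but if it can carry user-supplied text it needs the same treatment. The old and new row lines are fused in this listing, so the exact cell markup could not be checked. The discuss branch starts outside the hunk.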
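Review bot: `$link` is entity-decoded on the new line and then lowercased with `strtolower()` before `checktitle()`, which is byte-wise and will mangle non-ASCII titles on a UTF-8 site; the file uses the `api_*` wrappers for everything else in this hunk, so an mb-aware lowercase helper is the safer call here. The decoded `$link` is also what goes into the rebuilt anchors, whose markup is stripped in this listing; since entities were just removed from it, confirm that the href and title attributes re-escape it (`urlencode()` for the query string, `api_htmlentities()` for the attribute) rather than echoing it raw. The link text `$title.$titleg_ex` is emitted as-is on both branches and relies on the caller having filtered the page body. `make_wiki_link_clickable()` starts and ends outside the hunk.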
@@ -434,11 +432,11 @@ function save_new_wiki() { $session_id = api_get_session_id(); if($_clean['assignment']==2 || $_clean['assignment']==1) {// Unlike ordinary pages of pages of assignments. Allow create a ordinary page although there is a assignment with the same name - $_clean['reflink']=Database::escape_string(str_replace(' ','_',trim($_POST['title'])."_uass".$assig_user_id)); + $page = str_replace(' ','_',$_POST['title']."_uass".$assig_user_id); } else { - $_clean['reflink']=Database::escape_string(str_replace(' ','_',trim($_POST['title']))); + $page = str_replace(' ','_',$_POST['title']); } - + $_clean['reflink']=Database::escape_string($page); $_clean['title']=Database::escape_string(trim($_POST['title'])); $_clean['content']= Database::escape_string($_POST['content']); @@ -528,7 +526,7 @@ function save_new_wiki() { check_emailcue(0, 'A'); - $_POST['reflink']=$_clean['reflink']; + // $_POST['reflink']=$_clean['reflink']; //JUAN CARLOS REVISAME ESTA LINEA LA BORRA Y NO TENGO CLARO EL RESULTADO. TAMBIEN HAY UNAS CUANTAS VARIABLES $PAGE QUE CREA QUE HABRÍA QUE REVISAR return get_lang('NewWikiSaved'); @@ -544,7 +542,7 @@ function save_new_wiki() { **/ function display_new_wiki_form() { -global $_course; +global $_course, $page; ?> '; + echo ''; echo '
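Review bot: The new `$page = str_replace(' ','_',$_POST['title']."_uass".$assig_user_id);` and its `else` twin drop the `trim()` the replaced lines applied, while `$_clean['title']` on the line after still trims, so a title submitted with leading or trailing whitespace now gets a reflink with a leading or trailing `_` that the lookups built from the displayed title (e.g. `str_replace(' ','_',$link)` in `make_wiki_link_clickable()`) will not match. Keep the trim on the reflink: `$page = str_replace(' ','_',trim($_POST['title'])."_uass".$assig_user_id);` and `$page = str_replace(' ','_',trim($_POST['title']));`. Storing the result in the global `$page` (declared `global $page` in the preceding hunk) also overwrites the request-derived page name for everything that runs later in the same request; if that is intended so the new page is displayed, a one-line comment saying so would stop the next reader from treating it as accidental. `save_new_wiki()` continues outside the hunk.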
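Review bot: The replaced `$_POST['reflink']=$_clean['reflink'];` is left as commented-out code followed by a personal note in Spanish (`//JUAN CARLOS REVISAME ESTA LINEA ...`, roughly "review this line, deleting it — I'm not sure of the result; there are also several `$page` variables to check"), which is a review request rather than documentation. Either delete the line outright — `$page` now carries the reflink, so the `$_POST` mirror is redundant if nothing after the save reads it — or keep a one-line English why-comment such as `// $_POST['reflink'] is no longer mirrored; later code reads the global $page set above.` If any code after the save still reads `$_POST['reflink']`, dropping the assignment is a functional change this hunk does not verify, so grep for it before merging. `save_new_wiki()` continues outside the hunk.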
    '; - echo '
    * '.get_lang(Title).':
    '; + echo '
    * '.get_lang(Title).':
    '; if(api_is_allowed_to_edit(false,true) || api_is_platform_admin()) { @@ -589,7 +587,7 @@ return true; echo ''; echo ''; //echo ''; // TODO: ¿delete? - echo ''.api_disp_html_area('task', stripslashes($row['task']), '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).''; + echo ''.api_disp_html_area('task', $row['task'], '', '', null, array('ToolbarSet' => 'wiki_task', 'Width' => '600', 'Height' => '200')).''; echo ''; echo ''; echo '
    '; @@ -750,13 +748,13 @@ function display_wiki_entry($newtitle) } //first, check page visibility in the first page version - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($pageMIX)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($pageMIX).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); $KeyVisibility=$row['visibility']; // second, show the last version - $sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.api_html_entity_decode(Database::escape_string(stripslashes(urldecode($pageMIX)))).'" AND '.$tbl_wiki.'.'.$groupfilter.' '.$filter.' ORDER BY id DESC'; + $sql='SELECT * FROM '.$tbl_wiki.', '.$tbl_wiki_conf.' WHERE '.$tbl_wiki_conf.'.page_id='.$tbl_wiki.'.page_id AND '.$tbl_wiki.'.reflink="'.Database::escape_string($pageMIX).'" AND '.$tbl_wiki.'.'.$groupfilter.' '.$filter.' ORDER BY id DESC'; $result=Database::query($sql); $row=Database::fetch_array($result); // we do not need a while loop since we are always displaying the last version @@ -789,16 +787,16 @@ function display_wiki_entry($newtitle) else { $content=Security::remove_XSS($row['content'],COURSEMANAGERLOWSECURITY); - $title= Security::remove_XSS($row['title']); + $title= $row['title']; } //assignment mode: identify page type - if(stripslashes($row['assignment'])==1) + if($row['assignment']==1) { $icon_assignment=''.get_lang('AssignmentDescExtra').''; } - elseif(stripslashes($row['assignment'])==2) + elseif($row['assignment']==2) { $icon_assignment=''.get_lang('AssignmentWorkExtra').''; } @@ -830,7 +828,7 @@ function display_wiki_entry($newtitle) } } echo ''; - echo ''.$protect_page.''; + echo ''.$protect_page.''; echo ''; //page action: visibility 
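Review bot: Dropping `Security::remove_XSS()` on `$title` in the `else` branch is only safe if every place `display_wiki_entry()` emits `$title` goes through `api_htmlentities()`; the later hunk does that for the two `echo` sites, but `wiki_exist($title)` now receives the raw stored title, and the `if` branch that also sets `$title` is outside this hunk, so check that both branches leave the same unescaped value or one path ends up double-encoded. `$content` on the line above deliberately keeps `remove_XSS(..., COURSEMANAGERLOWSECURITY)` because it is rendered as HTML, so the two fields now get different treatment; a comment there would stop the next reader from "fixing" the asymmetry: `// content is rendered as HTML (filtered); title is plain text, entity-encoded at output.` The function starts and ends outside the hunk.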
@@ -854,7 +852,7 @@ function display_wiki_entry($newtitle) } } echo ''; - echo ''.$visibility_page.''; + echo ''.$visibility_page.''; echo ''; //page action: notification @@ -870,7 +868,7 @@ function display_wiki_entry($newtitle) } } echo ''; - echo ''.$notify_page.''; + echo ''.$notify_page.''; echo ''; //page action: export to pdf @@ -924,17 +922,17 @@ function display_wiki_entry($newtitle) if (wiki_exist($title)) { - echo $icon_assignment.' '.$icon_task.' '.stripslashes($title); + echo $icon_assignment.' '.$icon_task.' '.api_htmlentities($title); } else { - echo stripslashes($title); + echo api_htmlentities($title); } echo '
    '; - echo '
    '. make_wiki_link_clickable(detect_external_link(detect_anchor_link(detect_mail_link(detect_ftp_link(detect_irc_link(detect_news_link(stripslashes($content)))))))).'
    '; + echo '
    '. make_wiki_link_clickable(detect_external_link(detect_anchor_link(detect_mail_link(detect_ftp_link(detect_irc_link(detect_news_link($content))))))).'
    '; - echo '
    '.get_lang('Progress').': '.stripslashes($row['progress']).'%   '.get_lang('Rating').': '.stripslashes($row['score']).'   '.get_lang('Words').': '.word_count($content).'
    '; + echo '
    '.get_lang('Progress').': '.$row['progress'].'%   '.get_lang('Rating').': '.$row['score'].'   '.get_lang('Words').': '.word_count($content).'
    '; }//end filter visibility } // end function display_wiki_entry @@ -1081,7 +1079,7 @@ function check_protect_page() $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1105,7 +1103,7 @@ function check_protect_page() $sql='UPDATE '.$tbl_wiki.' SET editlock="'.Database::escape_string($status_editlock).'" WHERE id="'.$id.'"'; Database::query($sql); - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1132,7 +1130,7 @@ function check_visibility_page() $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); 
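Review bot: This hunk removes `stripslashes()` from `$title`, `$content`, `$row['progress']` and `$row['score']` at output, which is correct only if nothing in the wiki table was stored with added backslashes; the old display path's reliance on `stripslashes()` suggests rows saved by earlier code may carry them, in which case they will now render literal `\'` sequences. A one-off check against an existing installation, or a migration that strips the slashes once, is safer than relying on display-time cleanup. `$row['progress']` and `$row['score']` are printed unescaped after the change; if they are numeric columns that is fine, but casts (`(int)$row['progress']`, `(float)$row['score']`) would make that contract explicit. `display_wiki_entry()` starts outside this hunk.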
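Review bot: The new line in `check_protect_page()` reads `$$sql='SELECT * FROM '...` — a variable-variable, not `$sql` — so `$sql` keeps the `UPDATE ... SET editlock=...` string assigned two lines earlier, the following `Database::query($sql)` re-runs that UPDATE instead of the SELECT, and `Database::fetch_array($result)` is then called on a non-result so the refreshed row is never read. Change it to `$sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC';`. Separately, every SELECT in this file concatenates `$tbl_wiki.'WHERE` with no space before `WHERE` while the UPDATE above uses `$tbl_wiki.' SET`; if `$tbl_wiki` does not end in a space these queries are malformed, so confirm at its definition. `check_protect_page()` starts and ends outside the hunk.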
@@ -1153,11 +1151,11 @@ function check_visibility_page() $status_visibility=0; } - $sql='UPDATE '.$tbl_wiki.' SET visibility="'.Database::escape_string($status_visibility).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter; + $sql='UPDATE '.$tbl_wiki.' SET visibility="'.Database::escape_string($status_visibility).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter; Database::query($sql); //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1188,7 +1186,7 @@ function check_visibility_discuss() $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); 
@@ -1206,11 +1204,11 @@ function check_visibility_discuss() $status_visibility_disc=0; } - $sql='UPDATE '.$tbl_wiki.' SET visibility_disc="'.Database::escape_string($status_visibility_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter; + $sql='UPDATE '.$tbl_wiki.' SET visibility_disc="'.Database::escape_string($status_visibility_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter; Database::query($sql); //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1234,7 +1232,7 @@ function check_addlock_discuss() $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); 
@@ -1253,11 +1251,11 @@ function check_addlock_discuss() $status_addlock_disc=0; } - $sql='UPDATE '.$tbl_wiki.' SET addlock_disc="'.Database::escape_string($status_addlock_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter; + $sql='UPDATE '.$tbl_wiki.' SET addlock_disc="'.Database::escape_string($status_addlock_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter; Database::query($sql); //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1282,7 +1280,7 @@ function check_ratinglock_discuss() $_clean['group_id']=(int)$_SESSION['_gid']; - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); 
@@ -1301,11 +1299,11 @@ function check_ratinglock_discuss() $status_ratinglock_disc=0; } - $sql='UPDATE '.$tbl_wiki.' SET ratinglock_disc="'.Database::escape_string($status_ratinglock_disc).'" WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter; //Visibility. Value to all,not only for the first + $sql='UPDATE '.$tbl_wiki.' SET ratinglock_disc="'.Database::escape_string($status_ratinglock_disc).'" WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter; //Visibility. Value to all,not only for the first Database::query($sql); //Although the value now is assigned to all (not only the first), these three lines remain necessary. They do that by changing the page state is made when you press the button and not have to wait to change his page - $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.html_entity_decode(Database::escape_string(stripslashes(urldecode($page)))).'" AND '.$groupfilter.' ORDER BY id ASC'; + $sql='SELECT * FROM '.$tbl_wiki.'WHERE reflink="'.Database::escape_string($page).'" AND '.$groupfilter.' ORDER BY id ASC'; $result=Database::query($sql); $row=Database::fetch_array($result); @@ -1722,7 +1720,6 @@ function export2doc($wikiTitle, $wikiContents, $groupId) $exportDir = api_get_path(SYS_COURSE_PATH).api_get_course_path(). '/document'.$groupPath; $exportFile = replace_dangerous_char($wikiTitle, 'strict') . $groupPart; - $wikiContents = stripslashes($wikiContents); $wikiContents = trim(preg_replace("/\[\[|\]\]/", " ", $wikiContents)); $wikiContents = str_replace('{CONTENT}', $wikiContents, $template); 
@@ -1988,15 +1985,15 @@ function display_wiki_search_results($search_term, $search_content=0) $row = array (); $row[] =$ShowAssignment; - $row[] = ''.$obj->title.''; - $row[] = $obj->user_id <>0 ? ''.api_get_person_name($userinfo['firstname'], $userinfo['lastname']).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; + $row[] = ''.$obj->title.''; + $row[] = $obj->user_id <>0 ? ''.api_htmlentities(api_get_person_name($userinfo['firstname'], $userinfo['lastname'])).'' : get_lang('Anonymous').' ('.$obj->user_ip.')'; $row[] = $year.'-'.$month.'-'.$day.' '.$hours.":".$minutes.":".$seconds; if(api_is_allowed_to_edit(false,true)|| api_is_platform_admin()) { - $showdelete=' '.get_lang('Delete').''; + $showdelete=' '.get_lang('Delete').''; } - $row[] = ''.get_lang('EditPage').' '.get_lang('Discuss').' '.get_lang('History').' '.get_lang('LinksPages').''.$showdelete; + $row[] = ''.get_lang('EditPage').' '.get_lang('Discuss').' '.get_lang('History').' '.get_lang('LinksPages').''.$showdelete; $rows[] = $row; }
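Review bot: In the new `$row[]` lines `$obj->title` is still emitted raw and `$obj->user_ip` is still concatenated unescaped, while the parallel `allpages` and `recentchanges` hunks in index.php wrap both in `api_htmlentities()`; a page whose title contains markup therefore remains exploitable through the search results even though the listings were fixed. Change to `$row[] = ''.api_htmlentities($obj->title).'';` (inside the existing anchor, whose markup is stripped in this listing) and `get_lang('Anonymous').' ('.api_htmlentities($obj->user_ip).')'`. `display_wiki_search_results()` starts outside the hunk.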