Exercises: add remove_xss

pull/3690/head^2
Julio Montoya 4 years ago
parent b8cf026f61
commit f94d9f6ed7
  1. 10
      main/exercise/exercise.class.php
  2. 6
      main/exercise/question_list_admin.inc.php
  3. 4
      main/inc/lib/exercise_show_functions.lib.php

@ -3879,8 +3879,18 @@ class Exercise
$answerDestination = null; $answerDestination = null;
$userAnsweredQuestion = false; $userAnsweredQuestion = false;
$correctAnswerId = []; $correctAnswerId = [];
$userStatus = STUDENT;
// Allows to do a remove_XSS in question of exercise with user status COURSEMANAGER
// see BT#18242
if (api_get_configuration_value('question_exercise_html_strict_filtering')) {
$userStatus = COURSEMANAGERLOWSECURITY;
}
for ($answerId = 1; $answerId <= $nbrAnswers; $answerId++) { for ($answerId = 1; $answerId <= $nbrAnswers; $answerId++) {
$answer = $objAnswerTmp->selectAnswer($answerId); $answer = $objAnswerTmp->selectAnswer($answerId);
$answer = Security::remove_XSS($answer, $userStatus);
$answerComment = $objAnswerTmp->selectComment($answerId); $answerComment = $objAnswerTmp->selectComment($answerId);
$answerCorrect = $objAnswerTmp->isCorrect($answerId); $answerCorrect = $objAnswerTmp->isCorrect($answerId);
$answerWeighting = (float) $objAnswerTmp->selectWeighting($answerId); $answerWeighting = (float) $objAnswerTmp->selectWeighting($answerId);
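Review bot: The added comment says the filter runs with user status COURSEMANAGER, but the constant assigned two lines below is COURSEMANAGERLOWSECURITY, so the comment should name the constant actually used, e.g. `// When question_exercise_html_strict_filtering is set, filter answers as COURSEMANAGERLOWSECURITY instead of STUDENT (BT#18242)`. The filtered `$answer` also replaces the raw answer for the rest of the loop body, which continues outside the hunk; if any answer type below compares or parses that text for scoring rather than displaying it, sanitizing it here can change the grading input, so it is worth confirming that the display use and the comparison use do not share this variable. The enclosing method starts and ends outside the hunk.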

@ -337,8 +337,7 @@ if (!$inATest) {
[$edit_link, $clone_link, $addImageLink, $delete_link] [$edit_link, $clone_link, $addImageLink, $delete_link]
); );
$title = Security::remove_XSS($objQuestionTmp->selectTitle()); $title = Security::remove_XSS(strip_tags($objQuestionTmp->selectTitle()));
$title = strip_tags($title);
$move = '&nbsp;'; $move = '&nbsp;';
if ($allowQuestionOrdering) { if ($allowQuestionOrdering) {
$move = Display::returnFontAwesomeIcon('arrows moved', 1, true); $move = Display::returnFontAwesomeIcon('arrows moved', 1, true);
@ -346,14 +345,13 @@ if (!$inATest) {
// Question name // Question name
$questionName = $questionName =
'<a href="#" title = "'.Security::remove_XSS($title).'"> '<a href="#" title = "'.$title.'">
'.$move.' '.cut($title, 42).' '.$move.' '.cut($title, 42).'
</a>'; </a>';
// Question type // Question type
$typeImg = $objQuestionTmp->getTypePicture(); $typeImg = $objQuestionTmp->getTypePicture();
$typeExpl = $objQuestionTmp->getExplanation(); $typeExpl = $objQuestionTmp->getExplanation();
$questionType = Display::return_icon($typeImg, $typeExpl); $questionType = Display::return_icon($typeImg, $typeExpl);
// Question category // Question category
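Review bot: The new `title = "'.$title.'"` in the second hunk places `$title` in an HTML attribute with no attribute escaping, relying on `strip_tags` plus `remove_XSS` from the first hunk; neither is defined as attribute-context escaping, and a double quote surviving them would end the attribute. The attribute should be escaped for its context regardless of the earlier filtering: `'<a href="#" title="'.htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').'">`. Whether `cut($title, 42)` can split an entity left by `strip_tags` is not visible here and worth checking. Both hunks sit inside the `if (!$inATest)` block, which starts and ends outside them.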

@ -282,7 +282,7 @@ class ExerciseShowFunctions
if (EXERCISE_FEEDBACK_TYPE_EXAM != $feedback_type) { if (EXERCISE_FEEDBACK_TYPE_EXAM != $feedback_type) {
$content .= '<td class="text-left" width="60%">'; $content .= '<td class="text-left" width="60%">';
if ($studentChoice) { if ($studentChoice) {
$content .= '<span style="font-weight: bold; color: #008000;">'.nl2br($answerComment).'</span>'; $content .= '<span style="font-weight: bold; color: #008000;">'.Security::remove_XSS(nl2br($answerComment)).'</span>';
} else { } else {
$content .= '&nbsp;'; $content .= '&nbsp;';
} }
@ -575,7 +575,7 @@ class ExerciseShowFunctions
if ($hide_expected_answer) { if ($hide_expected_answer) {
$color = ''; $color = '';
} }
$content .= '<span style="font-weight: bold; color: '.$color.';">'.nl2br($answerComment).'</span>'; $content .= '<span style="font-weight: bold; color: '.$color.';">'.Security::remove_XSS(nl2br($answerComment)).'</span>';
} }
$content .= '</td>'; $content .= '</td>';
} }
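Review bot: In both hunks the filter wraps `nl2br($answerComment)`, so the `<br />` tags inserted by `nl2br` are themselves subject to `remove_XSS`; whether they survive depends on the default filtering profile, which is not visible here, and if they are stripped the comment loses its line breaks. Filtering the stored text first and adding breaks afterwards keeps the intent explicit: `Security::remove_XSS($answerComment)` wrapped in `nl2br(...)` at line 55 and likewise at line 63. The same `<span>` construction appears in both hunks and could share one helper, but that is a style choice. The enclosing methods start and end outside the hunks.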
