Security: User FormValidator::addHtmlEditor FormValidator::addElement('html_editor')

AngelFQC · AngelFQC · commit 2c32fdef693e · 2024-10-16T18:48:10.000-05:00
diff --git a/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php b/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php
@@ -163,6 +163,7 @@ public function createAnswersForm($form)
                 ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100']
             );
             $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');
+            $form->applyFilter("answer[$i]", 'attr_on_filter');
 
             if (isset($_POST['answer']) && isset($_POST['answer'][$i])) {
                 $txtAnswer->setValue(Security::remove_XSS($_POST['answer'][$i]));
@@ -177,6 +178,7 @@ public function createAnswersForm($form)
                     ['style' => 'vertical-align:middle;'],
                     ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100']
                 );
+                $form->applyFilter("comment[$i]", 'attr_on_filter');
 
                 if (isset($_POST['comment']) && isset($_POST['comment'][$i])) {
                     $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i]));
diff --git a/main/exercise/calculated_answer.class.php b/main/exercise/calculated_answer.class.php
@@ -133,6 +133,7 @@ function updateBlanks(e) {
 
         $form->addRule('answer', get_lang('GiveText'), 'required');
         $form->addRule('answer', get_lang('DefineBlanks'), 'regex', '/\[.*\]/');
+        $form->applyFilter('answer', 'attr_on_filter');
 
         $form->addElement('label', null, get_lang('IfYouWantOnlyIntegerValuesWriteBothLimitsWithoutDecimals'));
         $form->addElement('html', '<div id="blanks_weighting"></div>');
diff --git a/main/exercise/exercise_show.php b/main/exercise/exercise_show.php
@@ -659,19 +659,21 @@ function getFCK(vals, marksid) {
             $default = [$textareaId => $comnt];
 
             if ($useAdvancedEditor) {
-                $feedback_form->addElement(
-                    'html_editor',
+                $feedback_form->addHtmlEditor(
                     $textareaId,
-                    null,
-                    ['id' => $textareaId],
+                    '',
+                    false,
+                    false,
                     [
+                        'id' => $textareaId,
                         'ToolbarSet' => 'TestAnswerFeedback',
                         'Width' => '100%',
                         'Height' => '120',
                     ]
                 );
             } else {
                 $feedback_form->addElement('textarea', $textareaId, ['id' => $textareaId]);
+                $feedback_form->applyFilter($textareaId, 'attr_on_filter');
             }
             $feedback_form->setDefaults($default);
             $feedback_form->display();
diff --git a/main/exercise/fill_blanks.class.php b/main/exercise/fill_blanks.class.php
@@ -338,14 +338,16 @@ function trimBlanksBetweenSeparator(inTxt, inSeparatorStart, inSeparatorEnd, add
             null,
             get_lang('TypeTextBelow').', '.get_lang('And').' '.get_lang('UseTagForBlank')
         );
-        $form->addElement(
-            'html_editor',
+        $form->addHtmlEditor(
             'answer',
             Display::return_icon('fill_field.png'),
-            ['id' => 'answer'],
-            ['ToolbarSet' => 'TestQuestionDescription']
+            true,
+            false,
+            [
+                'id' => 'answer',
+                'ToolbarSet' => 'TestQuestionDescription',
+            ]
         );
-        $form->addRule('answer', get_lang('GiveText'), 'required');
 
         //added multiple answers
         $form->addElement('checkbox', 'multiple_answer', '', get_lang('FillInBlankSwitchable'));
diff --git a/main/exercise/global_multiple_answer.class.php b/main/exercise/global_multiple_answer.class.php
@@ -119,23 +119,22 @@ public function createAnswersForm($form)
             $form->addElement('checkbox', 'correct['.$i.']', null, null, 'class="checkbox"');
             $boxes_names[] = 'correct['.$i.']';
 
-            $form->addElement(
-                'html_editor',
-                'answer['.$i.']',
-                null,
-                [],
+            $form->addHtmlEditor(
+                "answer[$i]",
+                '',
+                false,
+                false,
                 [
                     'ToolbarSet' => 'TestProposedAnswer',
                     'Width' => '100%',
                     'Height' => '100',
                 ]
             );
-            $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');
-            $form->addElement(
-                'html_editor',
-                'comment['.$i.']',
-                null,
-                [],
+            $form->addHtmlEditor(
+                "comment[$i]",
+                '',
+                false,
+                false,
                 [
                     'ToolbarSet' => 'TestProposedAnswer',
                     'Width' => '100%',
diff --git a/main/exercise/multiple_answer_combination.class.php b/main/exercise/multiple_answer_combination.class.php
@@ -121,20 +121,19 @@ public function createAnswersForm($form)
             );
             $boxes_names[] = 'correct['.$i.']';
 
-            $form->addElement(
-                'html_editor',
-                'answer['.$i.']',
-                null,
-                [],
+            $form->addHtmlEditor(
+                "answer[$i]",
+                '',
+                true,
+                false,
                 ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100']
             );
-            $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');
 
-            $form->addElement(
-                'html_editor',
-                'comment['.$i.']',
-                null,
-                [],
+            $form->addHtmlEditor(
+                "comment[$i]",
+                '',
+                false,
+                false,
                 ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100']
             );
 
diff --git a/main/exercise/multiple_answer_true_false.class.php b/main/exercise/multiple_answer_true_false.class.php
@@ -162,6 +162,7 @@ public function createAnswersForm($form)
                         'Height' => '100',
                     ]
                 );
+                $form->applyFilter("comment[$i]", 'attr_on_filter');
 
                 if (isset($_POST['comment']) && isset($_POST['comment'][$i])) {
                     $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i]));
diff --git a/main/exercise/unique_answer_no_option.class.php b/main/exercise/unique_answer_no_option.class.php
@@ -190,9 +190,9 @@ public function createAnswersForm($form)
             $answer_number->freeze();
 
             $form->addElement('radio', 'correct', null, null, $i, 'class="checkbox" style="margin-left: 0em;"');
-            $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config);
+            $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config);
 
-            $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config);
+            $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config);
             $form->addElement('text', 'weighting['.$i.']', null, ['style' => 'width: 60px;', 'value' => '0']);
             $form->addElement('html', '</tr>');
             $i++;
@@ -240,10 +240,10 @@ public function createAnswersForm($form)
 
         $form->addElement('hidden', 'position['.$i.']', '666');
         $form->addElement('radio', 'correct', null, null, $i, ['class' => 'checkbox', 'disabled' => true]);
-        $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config);
+        $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config);
 
         $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');
-        $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config);
+        $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config);
         $form->addElement('text', "weighting[$i]", null)->freeze();
 
         $form->addHTml('</tr>');
diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
@@ -202,11 +202,11 @@ function show_add_forumcategory_form($lp_id)
     $form->addElement('header', get_lang('AddForumCategory'));
     $form->addElement('text', 'forum_category_title', get_lang('Title'), ['autofocus']);
     $form->applyFilter('forum_category_title', 'html_filter');
-    $form->addElement(
-        'html_editor',
+    $form->addHtmlEditor(
         'forum_category_comment',
         get_lang('Description'),
-        null,
+        false,
+        false,
         ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200']
     );
 
@@ -283,11 +283,11 @@ function show_add_forum_form($inputvalues = [], $lp_id = 0)
     $form->applyFilter('forum_title', 'html_filter');
 
     // The comment of the forum.
-    $form->addElement(
-        'html_editor',
+    $form->addHtmlEditor(
         'forum_comment',
         get_lang('Description'),
-        null,
+        false,
+        false,
         ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200']
     );
 
@@ -533,11 +533,11 @@ function show_edit_forumcategory_form($inputvalues = [])
     $form->addElement('text', 'forum_category_title', get_lang('Title'));
     $form->applyFilter('forum_category_title', 'html_filter');
 
-    $form->addElement(
-        'html_editor',
+    $form->addHtmlEditor(
         'forum_category_comment',
         get_lang('Comment'),
-        null,
+        false,
+        false,
         ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200']
     );
 
@@ -4047,11 +4047,11 @@ function show_edit_post_form(
 
     $form->addElement('text', 'post_title', get_lang('Title'));
     $form->applyFilter('post_title', 'html_filter');
-    $form->addElement(
-        'html_editor',
+    $form->addHtmlEditor(
         'post_text',
         get_lang('Text'),
-        null,
+        true,
+        false,
         api_is_allowed_to_edit(null, true) ? [
             'ToolbarSet' => 'Forum',
             'Width' => '100%',
@@ -4063,7 +4063,6 @@ function show_edit_post_form(
             'UserStatus' => 'student',
         ]
     );
-    $form->addRule('post_text', get_lang('ThisFieldIsRequired'), 'required');
 
     $extraFields = new ExtraField('forum_post');
     $extraFields->addElements($form, $current_post['post_id']);
diff --git a/main/glossary/index.php b/main/glossary/index.php
@@ -98,11 +98,11 @@ function sorter($item1, $item2)
             $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']);
         }
 
-        $form->addElement(
-            'html_editor',
+        $form->addHtmlEditor(
             'description',
             get_lang('TermDefinition'),
-            null,
+            false,
+            false,
             ['ToolbarSet' => 'Glossary', 'Height' => '300']
         );
         $form->addButtonCreate(get_lang('TermAddButton'), 'SubmitGlossary');
@@ -162,11 +162,11 @@ function sorter($item1, $item2)
                 $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']);
             }
 
-            $form->addElement(
-                'html_editor',
+            $form->addHtmlEditor(
                 'description',
                 get_lang('TermDefinition'),
-                null,
+                false,
+                false,
                 ['ToolbarSet' => 'Glossary', 'Height' => '300']
             );
 
diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php
@@ -3106,12 +3106,13 @@ public function getForm($params = [])
             $toolbar = 'AgendaStudent';
         }
 
-        $form->addElement(
-            'html_editor',
+        $form->addHtmlEditor(
             'content',
             get_lang('Description'),
-            null,
+            false,
+            false,
             [
+                'style' => 'vertical-align:middle;',
                 'ToolbarSet' => $toolbar,
                 'Width' => '100%',
                 'Height' => '200',
diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php
@@ -384,6 +384,7 @@ public function addTextarea($name, $label, $attributes = [], $required = false)
         if ($required) {
             $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
         }
+        $this->applyFilter($name, 'attr_on_filter');
 
         return $element;
     }
diff --git a/main/lp/learnpath.class.php b/main/lp/learnpath.class.php
@@ -9054,7 +9054,7 @@ public function display_item_form(
                 'BaseHref' => api_get_path(WEB_COURSE_PATH).api_get_course_path().$item_path_fck,
             ];
 
-            $form->addElement('html_editor', 'content_lp', '', null, $editor_config);
+            $form->addHtmlEditor('content_lp', '', true, true, $editor_config);
             $content_path = api_get_path(SYS_COURSE_PATH).api_get_course_path().$item_path_fck;
             $defaults['content_lp'] = file_get_contents($content_path);
         }
diff --git a/main/lp/lp_edit.php b/main/lp/lp_edit.php
@@ -104,11 +104,11 @@ function activate_end_date() {
 }
 
 // Author
-$form->addElement(
-    'html_editor',
+$form->addHtmlEditor(
     'lp_author',
     get_lang('Author'),
-    ['size' => 80],
+    false,
+    false,
     ['ToolbarSet' => 'LearningPathAuthor', 'Width' => '100%', 'Height' => '200px']
 );
 $form->applyFilter('lp_author', 'html_filter');
diff --git a/main/notebook/index.php b/main/notebook/index.php
@@ -91,11 +91,12 @@ function setFocus(){
     $form->addElement('header', '', get_lang('NoteAddNew'));
     $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']);
     $form->applyFilter('text', 'html_filter');
-    $form->addElement(
-        'html_editor',
+    $form->applyFilter('text', 'attr_on_filter');
+    $form->addHtmlEditor(
         'note_comment',
         get_lang('NoteComment'),
-        null,
+        false,
+        false,
         api_is_allowed_to_edit() ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student']
     );
     $form->addButtonCreate(get_lang('AddNote'), 'SubmitNote');
@@ -158,14 +159,15 @@ function setFocus(){
     $form->addElement('hidden', 'notebook_id');
     $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['size' => '100']);
     $form->applyFilter('text', 'html_filter');
-    $form->addElement(
-        'html_editor',
+    $form->applyFilter('text', 'attr_on_filter');
+    $form->addHtmlEditor(
         'note_comment',
         get_lang('NoteComment'),
-        null,
+        false,
+        false,
         api_is_allowed_to_edit()
-        ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300']
-        : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student']
+            ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300']
+            : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student']
     );
     $form->addButtonUpdate(get_lang('ModifyNote'), 'SubmitNote');
 
diff --git a/main/survey/create_new_survey.php b/main/survey/create_new_survey.php
diff --git a/plugin/notebookteacher/src/NotebookTeacher.php b/plugin/notebookteacher/src/NotebookTeacher.php

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,7 @@ public function createAnswersForm($form)`
`162`	`162`	`'Height' => '100',`
`163`	`163`	`]`
`164`	`164`	`);`
	`165`	`+ $form->applyFilter("comment[$i]", 'attr_on_filter');`
`165`	`166`
`166`	`167`	`if (isset($_POST['comment']) && isset($_POST['comment'][$i])) {`
`167`	`168`	`$txtComment->setValue(Security::remove_XSS($_POST['comment'][$i]));`
Original file line number	Diff line number	Diff line change
`@@ -384,6 +384,7 @@ public function addTextarea($name, $label, $attributes = [], $required = false)`
`384`	`384`	`if ($required) {`
`385`	`385`	`$this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');`
`386`	`386`	`}`
	`387`	`+ $this->applyFilter($name, 'attr_on_filter');`
`387`	`388`
`388`	`389`	`return $element;`
`389`	`390`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9054,7 +9054,7 @@ public function display_item_form(`
`9054`	`9054`	`'BaseHref' => api_get_path(WEB_COURSE_PATH).api_get_course_path().$item_path_fck,`
`9055`	`9055`	`];`
`9056`	`9056`
`9057`		`- $form->addElement('html_editor', 'content_lp', '', null, $editor_config);`
	`9057`	`+ $form->addHtmlEditor('content_lp', '', true, true, $editor_config);`
`9058`	`9058`	`$content_path = api_get_path(SYS_COURSE_PATH).api_get_course_path().$item_path_fck;`
`9059`	`9059`	`$defaults['content_lp'] = file_get_contents($content_path);`
`9060`	`9060`	`}`