Add database::escape_string, Security::remove_XSS

Author: jmontoyaa

Diff for: main/exercice/adminhp.php

@@ -20,26 +20,25 @@
 }
 
 $newName = !empty($_REQUEST['newName']) ? $_REQUEST['newName'] : '';
-$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? $_REQUEST['hotpotatoesName'] : '';
-
-$is_allowedToEdit=api_is_allowed_to_edit(null,true);
+$hotpotatoesName = !empty($_REQUEST['hotpotatoesName']) ? Security::remove_XSS($_REQUEST['hotpotatoesName']) : '';
+$is_allowedToEdit = api_is_allowed_to_edit(null,true);
 
 // document path
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
 
 // picture path
-$picturePath=$documentPath.'/images';
+$picturePath = $documentPath.'/images';
 
 // audio path
-$audioPath=$documentPath.'/audio';
+$audioPath = $documentPath.'/audio';
 
 // Database table definitions
 if (!$is_allowedToEdit) {
     api_not_allowed(true);
 }
 
 if (isset($_SESSION['gradebook'])) {
-    $gradebook=	$_SESSION['gradebook'];
+    $gradebook =	$_SESSION['gradebook'];
 }
 
 if (!empty($gradebook) && $gradebook == 'view') {

Diff for: main/exercice/hotpotatoes_exercise_report.php

@@ -1,29 +1,28 @@
 <?php
 /* For licensing terms, see /license.txt */
+
+use ChamiloSession as Session;
+
 /**
  *	Exercise list: This script shows the list of exercises for administrators and students.
  *	@package chamilo.exercise
  *	@author hubert.borderiou
  *
  */
 
-use ChamiloSession as Session;
-
-// including the global library
 require_once '../inc/global.inc.php';
 
 // Setting the tabs
 $this_section = SECTION_COURSES;
-
 $htmlHeadXtra[] = api_get_jqgrid_js();
+$_course = api_get_course_info();
 
 // Access control
 api_protect_course_script(true, false, true);
 
 // including additional libraries
 require_once 'hotpotatoes.lib.php';
 
-
 // document path
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path']."/document";
 
@@ -37,7 +36,7 @@
 $TBL_LP_ITEM_VIEW = Database :: get_course_table(TABLE_LP_ITEM_VIEW);
 
 $course_id = api_get_course_int_id();
-$hotpotatoes_path = isset($_REQUEST['path']) ? $_REQUEST['path'] : null;
+$hotpotatoes_path = isset($_REQUEST['path']) ? Security::remove_XSS($_REQUEST['path']) : null;
 $filter_user = isset($_REQUEST['filter_by_user']) ? intval($_REQUEST['filter_by_user']) : null;
 
 if (empty($hotpotatoes_path)) {
@@ -73,10 +72,12 @@
 if ($is_allowedToEdit && $origin != 'learnpath') {
     // the form
     if (api_is_platform_admin() || api_is_course_admin() || api_is_course_tutor() || api_is_course_coach()) {
-        $actions .= '<a id="export_opener" href="'.api_get_self().'?export_report=1&path='.Security::remove_XSS($hotpotatoes_path).' ">'.Display::return_icon('save.png',   get_lang('Export'),'',ICON_SIZE_MEDIUM).'</a>';
+        $actions .= '<a id="export_opener" href="'.api_get_self().'?export_report=1&path='.$hotpotatoes_path.' ">'.
+            Display::return_icon('save.png',   get_lang('Export'),'',ICON_SIZE_MEDIUM).'</a>';
     }
 } else {
-    $actions .= '<a href="exercise.php">' . Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).'</a>';
+    $actions .= '<a href="exercise.php">' .
+        Display :: return_icon('back.png', get_lang('GoBackToQuestionList'),'',ICON_SIZE_MEDIUM).'</a>';
 }
 
 if ($is_allowedToEdit) {

Diff for: main/exercice/hotpotatoes_exercise_result.class.php

@@ -121,7 +121,7 @@ public function getExercisesReporting($document_path, $hotpotato_name)
 	 * @param	boolean		Whether to include user fields or not
 	 * @return	boolean		False on error
 	 */
-	public function exportCompleteReportCSV($document_path='', $hotpotato_name)
+	public function exportCompleteReportCSV($document_path = '', $hotpotato_name)
     {
 		global $charset;
 		$this->getExercisesReporting($document_path, $hotpotato_name);

Diff for: main/exercice/hotspot_admin.inc.php

@@ -1,13 +1,14 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use \ChamiloSession as Session;
+
 /**
  * This script allows to manage answers. It is included from the
  * script admin.php
  * @package chamilo.exercise
  * @author Toon Keppens
  */
-use \ChamiloSession as Session;
 
 $modifyAnswers = intval($_GET['hotspotadmin']);
 
@@ -246,11 +247,11 @@
         }  // end for()
 
         //now the noerror section
-        $selectQuestionNoError = $_POST['select_question_noerror'];
-        $lp_noerror = $_POST['lp_noerror'];
-        $try_noerror = isset($_POST['try_noerror']) ? $_POST['try_noerror'] : null;
-        $url_noerror = $_POST['url_noerror'];
-        $comment_noerror = $_POST['comment_noerror'];
+        $selectQuestionNoError = Security::remove_XSS($_POST['select_question_noerror']);
+        $lp_noerror = Security::remove_XSS($_POST['lp_noerror']);
+        $try_noerror = isset($_POST['try_noerror']) ? Security::remove_XSS($_POST['try_noerror']) : null;
+        $url_noerror = Security::remove_XSS($_POST['url_noerror']);
+        $comment_noerror = Security::remove_XSS($_POST['comment_noerror']);
         $threadhold_total = '0;0;0';
 
         if ($try_noerror == 'on') {
@@ -292,6 +293,7 @@
                 if ($weighting[$i]) {
                     $questionWeighting+=$weighting[$i];
                 }
+
                 // creates answer
                 $objAnswer->createAnswer(
                     $reponse[$i],
@@ -324,7 +326,6 @@
 
             $editQuestion = $questionId;
             unset($modifyAnswers);
-
             echo '<script type="text/javascript">window.location.href="' . $hotspot_admin_url . '&message=ItemUpdated"</script>';
         }
     }

Diff for: main/forum/forumqualify.php

@@ -171,7 +171,7 @@ function hidecontent(content){
     // Show max qualify in my form
     $maxQualify = showQualify('2', $userIdToQualify, $threadId);
 
-    $score = isset($_POST['idtextqualify']) ? $_POST['idtextqualify'] : '';
+    $score = isset($_POST['idtextqualify']) ? Security::remove_XSS($_POST['idtextqualify']) : '';
 
     if ($score > $maxQualify) {
         Display:: display_error_message(
@@ -292,7 +292,7 @@ function hidecontent(content){
                 $realname = $attachment_list['path'];
                 $user_filename = $attachment_list['filename'];
 
-                echo Display::return_icon('attachment.gif',get_lang('Attachment'));
+                echo Display::return_icon('attachment.gif', get_lang('Attachment'));
                 echo '<a href="download.php?file=';
                 echo $realname;
                 echo ' "> '.$user_filename.' </a>';

Diff for: main/inc/lib/fileUpload.lib.php

@@ -1202,7 +1202,7 @@ function filter_extension(&$filename)
  * @param int $group_id
  * @param int $session_id Session ID, if any
  * @param int $userId creator id
- * 
+ *
  * @return int id if inserted document
  */
 function add_document(
@@ -1542,13 +1542,12 @@ function create_unexisting_directory(
                     WHERE
                         c_id = $course_id AND
                         (
-                            path = '" . $systemFolderName . "'
+                            path = '" . Database::escape_string($systemFolderName). "'
                         )
             ";
 
             $rs = Database::query($sql);
             if (Database::num_rows($rs) == 0) {
-        
                 $document_id = add_document(
                     $_course,
                     $systemFolderName,
@@ -1566,7 +1565,6 @@ function create_unexisting_directory(
                 if ($document_id) {
                     // Update document item_property
                     if (!empty($visibility)) {
-
                         $visibilities = array(
                             0 => 'invisible',
                             1 => 'visible',

Diff for: main/upload/upload.document.php

@@ -10,6 +10,7 @@
  * @author Yannick Warnier <ywarnier@beeznest.org>
  */
 
+$_course = api_get_course_info();
 $courseDir = $_course['path'] . "/document";
 $sys_course_path = api_get_path(SYS_COURSE_PATH);
 $base_work_dir = $sys_course_path . $courseDir;
@@ -18,7 +19,7 @@
 
 //what's the current path?
 if (isset($_POST['curdirpath'])) {
-    $path = $_POST['curdirpath'];
+    $path = Security::remove_XSS($_POST['curdirpath']);
 } else {
     $path = '/';
 }
@@ -34,7 +35,7 @@
  */
 $nameTools = get_lang('UplUploadDocument');
 $interbreadcrumb[] = array(
-    "url" => "./document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
+    "url" => api_get_path(WEB_CODE_PATH)."document/document.php?curdirpath=" . urlencode($path) . '&'.api_get_cidreq(),
     "name" => $langDocuments
 );
 Display::display_header($nameTools, "Doc");
@@ -54,14 +55,14 @@
             $_FILES['user_upload'],
             $base_work_dir,
             $_POST['curdirpath'],
-            $_user['user_id'],
+            api_get_user_id(),
             $to_group_id,
             $to_user_id,
             $_POST['unzip'],
             $_POST['if_exists']
         );
-    	$new_comment = isset($_POST['comment']) ? trim($_POST['comment']) : '';
-    	$new_title = isset($_POST['title']) ? trim($_POST['title']) : '';
+    	$new_comment = isset($_POST['comment']) ? Database::escape_string(trim($_POST['comment'])) : '';
+    	$new_title = isset($_POST['title']) ? Database::escape_string(trim($_POST['title'])) : '';
 
     	if ($new_path && ($new_comment || $new_title))
     	if (($docid = DocumentManager::get_document_id($_course, $new_path))) {
@@ -99,7 +100,7 @@
         $img_directory = str_replace('.', '_', $_POST['related_file']."_files");
         $folderData = create_unexisting_directory(
             $_course,
-            $_user['user_id'],
+            api_get_user_id(),
             api_get_session_id(),
             $to_group_id,
             $to_user_id,
@@ -131,11 +132,11 @@
 }
 //they want to create a directory
 if (isset($_POST['create_dir']) && $_POST['dirname']!='') {
-    $added_slash = ($path == '/') ? '' : '/';
+    $added_slash = $path == '/' ? '' : '/';
 	$dir_name = $path.$added_slash.api_replace_dangerous_char($_POST['dirname']);
     $created_dir = create_unexisting_directory(
         $_course,
-        $_user['user_id'],
+        api_get_user_id(),
         api_get_session_id(),
         $to_group_id,
         $to_user_id,
@@ -206,7 +207,6 @@
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="nothing" title="<?php echo (get_lang('UplDoNothingLong'));?>" checked="checked"/>  <?php echo (get_lang('UplDoNothing'));?><br/>
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="overwrite" title="<?php echo (get_lang('UplOverwriteLong'));?>"/> <?php echo (get_lang('UplOverwrite'));?><br/>
 &nbsp;&nbsp;&nbsp;<input type="radio" name="if_exists" value="rename" title="<?php echo (get_lang('UplRenameLong'));?>"/> <?php echo (get_lang('UplRename'));?>
-
 </td>
 </tr>
 </table>