Skip to content

Commit 6c935a6

Browse files
jmontoyaajmontoyaa
committed
Blogs: Add remove_xss
1 parent 0d9add8 commit 6c935a6

File tree

4 files changed

+37
-36
lines changed

4 files changed

+37
-36
lines changed

main/blog/blog.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -315,7 +315,7 @@
315315
}
316316
break;
317317
case 'view_post':
318-
$postArticle = Blog::getSinglePost($blog_id, intval($_GET['post_id']));
318+
$postArticle = Blog::getSinglePost($blog_id, $_GET['post_id']);
319319
$tpl->assign('post', $postArticle);
320320
$blogLayout = $tpl->get_template('blog/post.tpl');
321321
break;
@@ -390,7 +390,7 @@
390390
break;
391391
case 'execute_task':
392392
if (isset($_GET['post_id'])) {
393-
$post = Blog::getSinglePost($blog_id, intval($_GET['post_id']));
393+
$post = Blog::getSinglePost($blog_id, $_GET['post_id']);
394394
$tpl->assign('post', $post);
395395
$blogLayout = $tpl->get_template('blog/post.tpl');
396396
} else {

main/inc/lib/blog.lib.php

Lines changed: 13 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1045,9 +1045,9 @@ public static function getPosts($blog_id, $filter = '1=1', $max_number_of_posts
10451045
'id_autor' => $blog_post['author_id'],
10461046
'autor' => $blog_post['firstname'].' '.$blog_post['lastname'],
10471047
'username' => $blog_post['username'],
1048-
'title' => stripslashes($blog_post['title']),
1048+
'title' => Security::remove_XSS($blog_post['title']),
10491049
'extract' => self::getPostExtract($blog_post['full_text'], BLOG_MAX_PREVIEW_CHARS),
1050-
'content' => stripslashes($blog_post['full_text']),
1050+
'content' => Security::remove_XSS($blog_post['full_text']),
10511051
'post_date' => Display::dateToStringAgoAndLongDate($blog_post['date_creation']),
10521052
'n_comments' => $blog_post_comments['number_of_comments'],
10531053
'files' => $fileArray,
@@ -1104,7 +1104,6 @@ public static function getSinglePost($blog_id, $post_id)
11041104
global $charset;
11051105

11061106
$course_id = api_get_course_int_id();
1107-
$courseParams = api_get_cidreq();
11081107
$blog_id = intval($blog_id);
11091108
$post_id = intval($post_id);
11101109

@@ -1182,9 +1181,9 @@ class="btn btn-default"
11821181
'id_author' => $blog_post['author_id'],
11831182
'author' => $blog_post['firstname'].' '.$blog_post['lastname'],
11841183
'username' => $blog_post['username'],
1185-
'title' => stripslashes($blog_post['title']),
1184+
'title' => Security::remove_XSS($blog_post['title']),
11861185
'extract' => api_get_short_text_from_html(
1187-
stripslashes($blog_post['full_text']),
1186+
Security::remove_XSS($blog_post['full_text']),
11881187
400
11891188
),
11901189
'content' => $post_text,
@@ -1252,7 +1251,7 @@ public static function getThreadedComments(
12521251
$commentActions = null;
12531252
$ratingSelect = null;
12541253
$comment_text = make_clickable(stripslashes($comment['comment']));
1255-
$comment_text = stripslashes($comment_text);
1254+
$comment_text = Security::remove_XSS($comment_text);
12561255
$commentActions .= Display::toolbarButton(
12571256
get_lang('ReplyToThisComment'),
12581257
'#',
@@ -1300,7 +1299,7 @@ class="btn btn-default"
13001299
'iid' => $comment['iid'],
13011300
'id_comment' => $comment['comment_id'],
13021301
'id_curso' => $comment['c_id'],
1303-
'title' => $comment['title'],
1302+
'title' => Security::remove_XSS($comment['title']),
13041303
'content' => $comment_text,
13051304
'id_author' => $comment['author_id'],
13061305
'comment_date' => Display::dateToStringAgoAndLongDate($comment['date_creation']),
@@ -1881,11 +1880,6 @@ public static function displayAssignedTasksList($blog_id)
18811880
$css_class = (($counter % 2) == 0) ? "row_odd" : "row_even";
18821881
$delete_icon = ($assignment['system_task'] == '1') ? "delete_na.png" : "delete.png";
18831882
$delete_title = ($assignment['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask');
1884-
$delete_link = ($assignment['system_task'] == '1') ? '#' : api_get_self().'?action=manage_tasks&blog_id='.$assignment['blog_id'].'&do=delete&task_id='.$assignment['task_id'].'&'.api_get_cidreq();
1885-
$delete_confirm = ($assignment['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(
1886-
api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)
1887-
).'\')) return false;"';
1888-
18891883
$username = api_htmlentities(sprintf(get_lang('LoginX'), $assignment['username']), ENT_QUOTES);
18901884

18911885
$return .= '<tr class="'.$css_class.'" valign="top">';
@@ -1894,8 +1888,8 @@ public static function displayAssignedTasksList($blog_id)
18941888
api_get_person_name($assignment['firstname'], $assignment['lastname']),
18951889
['title' => $username]
18961890
).'</td>';
1897-
$return .= '<td>'.stripslashes($assignment['title']).'</td>';
1898-
$return .= '<td>'.stripslashes($assignment['description']).'</td>';
1891+
$return .= '<td>'.Security::remove_XSS($assignment['title']).'</td>';
1892+
$return .= '<td>'.Security::remove_XSS($assignment['description']).'</td>';
18991893
$return .= '<td>'.$assignment['target_date'].'</td>';
19001894
$return .= '<td width="50">';
19011895
$return .= '<a
@@ -2414,6 +2408,7 @@ public static function displayPostSelectionForTask($blog_id, $task_id)
24142408
AND c_id = $course_id";
24152409
$result = Database::query($sql);
24162410
$row = Database::fetch_assoc($result);
2411+
24172412
// Get posts and authors
24182413
$sql = "SELECT post.*, user.lastname, user.firstname, user.username
24192414
FROM $tbl_blogs_posts post
@@ -2425,8 +2420,8 @@ public static function displayPostSelectionForTask($blog_id, $task_id)
24252420

24262421
// Display
24272422
$return = '<span class="blogpost_title">'.
2428-
get_lang('SelectTaskArticle').' "'.stripslashes($row['title']).'"</span>';
2429-
$return .= '<span style="font-style: italic;"">'.stripslashes($row['description']).'</span><br><br>';
2423+
get_lang('SelectTaskArticle').' "'.Security::remove_XSS($row['title']).'"</span>';
2424+
$return .= '<span style="font-style: italic;"">'.Security::remove_XSS($row['description']).'</span><br><br>';
24302425

24312426
if (Database::num_rows($result) == 0) {
24322427
$return .= get_lang('NoArticles');
@@ -2437,9 +2432,8 @@ public static function displayPostSelectionForTask($blog_id, $task_id)
24372432
while ($blog_post = Database::fetch_array($result)) {
24382433
$username = api_htmlentities(sprintf(get_lang('LoginX'), $blog_post['username']), ENT_QUOTES);
24392434
$return .= '<a href="'.$url.'&blog_id='.$blog_id.'&task_id='.$task_id.'&post_id='.$blog_post['post_id'].'#add_comment">'.
2440-
stripslashes(
2441-
$blog_post['title']
2442-
).'</a>, '.get_lang('WrittenBy').' '.stripslashes(
2435+
Security::remove_XSS($blog_post['title']).'</a>, '.
2436+
get_lang('WrittenBy').' '.stripslashes(
24432437
Display::tag(
24442438
'span',
24452439
api_get_person_name($blog_post['firstname'], $blog_post['lastname']),
@@ -2502,8 +2496,6 @@ public static function displayUserSubscriptionForm($blog_id)
25022496

25032497
$html .= '<legend>'.get_lang('SubscribeMembers').'</legend>';
25042498

2505-
$properties['width'] = '100%';
2506-
25072499
// Get blog members' id.
25082500
$sql = "SELECT user.user_id FROM $tbl_users user
25092501
INNER JOIN $tbl_blogs_rel_user blogs_rel_user
@@ -2630,7 +2622,6 @@ public static function displayUserUnsubscriptionForm($blog_id)
26302622

26312623
$html .= '<legend>'.get_lang('UnsubscribeMembers').'</legend>';
26322624

2633-
$properties["width"] = "100%";
26342625
//table column titles
26352626
$column_header[] = ['', false, ''];
26362627
if ($is_western_name_order) {

main/template/default/blog/blog.tpl

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
<input type="hidden" name="id_session" value="{{ session_id }}"/>
2121
<input type="hidden" name="blog_id" value="{{ id_blog }}"/>
2222
<input type="hidden" name="action" value="view_search_result"/>
23-
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/>
23+
<input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
2424
</div>
2525
<button class="btn btn-default btn-block" type="submit">
2626
<em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@@ -62,7 +62,9 @@
6262
<div class="panel-body">
6363
<h3 class="title-post">
6464
<a href="{{ _p.web_self ~ '?' ~ _p.web_cid_query ~ '&' ~ {'action':'view_post', 'blog_id':item.id_blog, 'post_id':item.id_post}|url_encode }}#add_comment"
65-
title="{{ item.title }}">{{ item.title }}</a>
65+
title="{{ item.title }}">
66+
{{ item.title | remove_xss }}
67+
</a>
6668
</h3>
6769
<div class="info-post">
6870
<span class="date"><i class="fa fa-clock-o"></i> {{ item.post_date }}</span>
@@ -85,13 +87,15 @@
8587
{% endif %}
8688

8789
<div id="post-content-{{ item.id_post }}" class="{{ item.extract ? 'hidden' : '' }}">
88-
{{ item.content }}
90+
{{ item.content | remove_xss }}
8991
</div>
9092

9193
{% if item.files %}
9294
<div class="well well-sm files">
9395
<i class="fa fa-paperclip" aria-hidden="true"></i>
94-
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a>
96+
<a href="download.php?file={{ item.files.path }}">
97+
{{ item.files.filename | remove_xss }}
98+
</a>
9599
</div>
96100
{% endif %}
97101
</div>

main/template/default/blog/post.tpl

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,9 @@
1212
{{ item.actions }}
1313
</div>
1414
<h4 class="media-heading"
15-
id="comment-{{ item.iid }}-title">{{ item.title }}</h4>
15+
id="comment-{{ item.iid }}-title">
16+
{{ item.title | remove_xss }}
17+
</h4>
1618
<ul class="info-post list-inline">
1719
<li class="date">
1820
<i class="fa fa-clock-o"></i> {{ item.comment_date }}
@@ -29,13 +31,15 @@
2931
</li>
3032
</ul>
3133
<div id="comment-{{ item.iid }}-content">
32-
{{ item.content }}
34+
{{ item.content | remove_xss }}
3335
</div>
3436
{% if item.files %}
3537
<aside class="well well-sm files">
3638
<i class="fa fa-paperclip" aria-hidden="true"></i>
37-
<a href="download.php?file={{ item.files.path }}">{{ item.files.filename }}</a>
38-
<p>{{ item.files.comment }}</p>
39+
<a href="download.php?file={{ item.files.path }}">
40+
{{ item.files.filename | remove_xss }}
41+
</a>
42+
<p>{{ item.files.comment | remove_xss }}</p>
3943
</aside>
4044
{% endif %}
4145

@@ -74,7 +78,7 @@
7478
<div class="form-group">
7579
<input type="hidden" name="blog_id" value="{{ id_blog }}"/>
7680
<input type="hidden" name="action" value="view_search_result"/>
77-
<input type="text" class="form-control" size="20" name="q" value="{{ search }}"/>
81+
<input type="text" class="form-control" size="20" name="q" value="{{ search | remove_xss }}"/>
7882
</div>
7983
<button class="btn btn-default btn-block" type="submit">
8084
<em class="fa fa-search"></em> {{ 'Search'|get_lang }}
@@ -106,7 +110,7 @@
106110
<article>
107111
<div class="article-header">
108112
<div class="title">
109-
<h1 title="{{ post.title }}">{{ post.title }}</h1>
113+
<h1 title="{{ post.title }}">{{ post.title | remove_xss }}</h1>
110114
</div>
111115
<ul class="info-post list-inline">
112116
<li class="date">
@@ -118,15 +122,17 @@
118122
</li>
119123
<li class="autor">
120124
<i class="fa fa-user" aria-hidden="true"></i>
121-
<a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">{{ post.author }}</a>
125+
<a href="{{ _p.web }}main/social/profile.php?u={{ post.id_author }}">
126+
{{ post.author }}
127+
</a>
122128
</li>
123129
<li class="score">
124130
<i class="fa fa-star" aria-hidden="true"></i> {{ post.score_ranking }}
125131
</li>
126132
</ul>
127133
</div>
128134
<div class="content-post">
129-
{{ post.content }}
135+
{{ post.content | remove_xss }}
130136
</div>
131137
{% if post.files %}
132138
<aside class="well well-sm files">

0 commit comments

Comments
 (0)