
Add intval + Security::remove_XSS

jmontoyaa committed Jul 22, 2016
1 parent 6b71eec commit 2a47c02329fb8dee04a6b6425c9ee7601c6f32e2
@@ -78,7 +78,7 @@
}
if (isset($_GET['id_session']) && ($_GET['id_session'] == strval(intval($_GET['id_session']))) && ($_GET['id_session']>0)) {
ldap_add_user_to_session($UserList, $_GET['id_session']);
header('Location: resume_session.php?id_session='.$_GET['id_session']);
header('Location: resume_session.php?id_session='.intval($_GET['id_session']));
} else {
Display :: display_header($tool_name);
if(count($userid_match_login)>0)
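Review bot: The session id is still passed raw to ldap_add_user_to_session() on the line above the redirect, so the hunk now carries the same request value in two forms. The guard on the if line already establishes that the value is a canonical integer string, so cast it once and reuse it: `$sessionId = (int) $_GET['id_session'];` before the call, then `ldap_add_user_to_session($UserList, $sessionId);` and `header('Location: resume_session.php?id_session='.$sessionId);`. No `exit` follows the header() call inside this branch; if nothing after the if/else stops execution, the page keeps rendering after issuing the redirect. The enclosing block starts and ends outside the hunk.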
@@ -61,7 +61,9 @@
$cr->set_file_option($_POST['same_file_name_option']);
$cr->restore($_POST['destination_course']);
Display::display_normal_message(
get_lang('CopyFinished').': <a href="'.api_get_course_url($_POST['destination_course']).'">'.$_POST['destination_course'].'</a>',
get_lang('CopyFinished').': <a href="'.api_get_course_url($_POST['destination_course']).'">'.
Security::remove_XSS($_POST['destination_course']).
'</a>',
false
);
} elseif (Security::check_token('post') && (
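Review bot: Only the link text is filtered on the new lines; the same `$_POST['destination_course']` is still concatenated into the href through api_get_course_url() on the first rewritten line without escaping, and is passed to `$cr->restore()` above. Unless api_get_course_url() escapes its argument (not visible here), the attribute context needs its own escaping, e.g. `htmlspecialchars(api_get_course_url($_POST['destination_course']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Filtering the value once into a local, `$destination = Security::remove_XSS($_POST['destination_course']);`, and using it for both the link text and the href would keep the two consistent. The if/elseif chain continues outside the hunk.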
@@ -32,15 +32,15 @@
// Build URL-parameters for table-sorting
$sort_params = array();
if (isset($_GET['dropbox_column'])) {
$sort_params[] = 'dropbox_column='.$_GET['dropbox_column'];
$sort_params[] = 'dropbox_column='.intval($_GET['dropbox_column']);
}
if (isset($_GET['dropbox_page_nr'])) {
$sort_params[] = 'page_nr='.intval($_GET['page_nr']);
}
if (isset($_GET['dropbox_per_page'])) {
$sort_params[] = 'dropbox_per_page='.intval($_GET['dropbox_per_page']);
}
if (isset($_GET['dropbox_direction'])) {
if (isset($_GET['dropbox_direction']) && in_array($_GET['dropbox_direction'], ['ASC', 'DESC'])) {
$sort_params[] = 'dropbox_direction='.$_GET['dropbox_direction'];
}
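Review bot: The new in_array() whitelist on the dropbox_direction line is called without the strict flag; pass `true` as the third argument, `in_array($_GET['dropbox_direction'], ['ASC', 'DESC'], true)`, so only the two exact strings are accepted and loose comparison rules never apply. Unrelated to this commit but visible as context, the dropbox_page_nr branch tests `isset($_GET['dropbox_page_nr'])` and then reads `$_GET['page_nr']`, which looks like a key mismatch worth confirming against the callers that build this URL.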
@@ -104,27 +104,18 @@ function confirmation() {
$_GET['selectcat'] = $cats[0]->get_id();
if (isset($_GET['isStudentView'])) {
if ( (isset($_GET['selectcat']) && $_GET['selectcat']>0) && (isset($_SESSION['studentview']) && $_SESSION['studentview']=='studentview') ) {
$interbreadcrumb[]= array ('url' => 'index.php'.'?selectcat=0&amp;isStudentView='.$_GET['isStudentView'],'name' => get_lang('ToolGradebook'));
if ((isset($_GET['selectcat']) && $_GET['selectcat'] > 0) && (isset($_SESSION['studentview']) && $_SESSION['studentview'] == 'true')) {
$interbreadcrumb[] = array(
'url' => 'index.php'.'?selectcat=0&isStudentView=true',
'name' => get_lang('ToolGradebook'),
);
}
}
if ((isset($_GET['selectcat']) && $_GET['selectcat']>0) &&
(isset($_SESSION['studentview']) && $_SESSION['studentview']=='studentview')
(isset($_SESSION['studentview']) && $_SESSION['studentview']=='true')
) {
/*Display :: display_header();
//Introduction tool: student view
Display::display_introduction_section(TOOL_GRADEBOOK, array('ToolbarSet' => 'AssessmentsIntroduction'));
$category = $_GET['selectcat'];
$cats = Category :: load ($category, null, null, null, null, null, false);
$allcat = $cats[0]->get_subcategories($stud_id, $course_code, $session_id);
$alleval = $cats[0]->get_evaluations($stud_id);
$alllink = $cats[0]->get_links($stud_id);
$addparams = array();
$gradebooktable= new GradebookTable($cats[0], $allcat, $alleval,$alllink, $addparams);
$gradebooktable->display();
Display :: display_footer();
exit;*/
} else {
if (!isset($_GET['selectcat']) &&
($_SESSION['studentview']=='studentview') ||
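Review bot: The session sentinel is changed from 'studentview' to 'true' in the two rewritten conditions, but the else-branch condition at the end of the hunk still compares `$_SESSION['studentview']=='studentview'`, so that branch can no longer match once the session value is 'true'. If the session value is indeed set to 'true' elsewhere (not visible here), the last line should read `($_SESSION['studentview'] == 'true') ||`. That condition also mixes `&&` and `||` without grouping parentheses, so its precedence is worth making explicit while it is touched. The surrounding block and the else-branch condition continue outside the hunk.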
@@ -1184,7 +1184,7 @@ public static function show_navigation_menu()
}
if (stristr($url_item['path'], $url_current['path'])) {
if (!isset($_GET['learnpath_id']) || strpos($url_item['query'], 'learnpath_id='.$_GET['learnpath_id']) === 0) {
if (!isset($_GET['learnpath_id']) || strpos($url_item['query'], 'learnpath_id='.intval($_GET['learnpath_id'])) === 0) {
$html .= ' id="here"';
}
}
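Review bot: The rewritten learnpath_id check is a prefix match, so `strpos($url_item['query'], 'learnpath_id='.intval($_GET['learnpath_id'])) === 0` also succeeds for learnpath_id=1 against a query string of learnpath_id=10. Comparing the parsed parameter is exact: `parse_str($url_item['query'], $q);` then `$lpId = isset($q['learnpath_id']) ? (int) $q['learnpath_id'] : 0;` and compare `$lpId === (int) $_GET['learnpath_id']`. show_navigation_menu() starts and ends outside the hunk.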
@@ -56,6 +56,7 @@ function get_users($from, $limit, $column, $direction)
$active = isset($_GET['active']) ? $_GET['active'] : 1;
$keyword = isset($_GET['keyword']) ? Security::remove_XSS($_GET['keyword']) : null;
$sleepingDays = isset($_GET['sleeping_days']) ? intval($_GET['sleeping_days']) : null;
$sessionId = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
$lastConnectionDate = null;
if (!empty($sleepingDays)) {
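Review bot: `$active` on the first line of the hunk is still taken from `$_GET['active']` unfiltered, while the neighbouring sleeping_days value and the new id_session value are cast; if it reaches a query or is echoed further down (not visible here), it should be cast the same way, `$active = isset($_GET['active']) ? (int) $_GET['active'] : 1;`. The same pattern appears in the sibling hunks at `@@ -58,6 +58,7 @@` and `@@ -57,7 +57,7 @@` for the other get_users() copies. Note that remove_XSS() on `$keyword` is an HTML output filter, not a database one, so it does not substitute for a prepared statement wherever `$keyword` is used in SQL. get_users() continues outside the hunk.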
@@ -111,7 +112,7 @@ function get_users($from, $limit, $column, $direction)
foreach ($students as $student_data) {
$student_id = $student_data['user_id'];
if (isset($_GET['id_session'])) {
$courses = Tracking :: get_course_list_in_session_from_student($student_id, $_GET['id_session']);
$courses = Tracking :: get_course_list_in_session_from_student($student_id, $sessionId);
}
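Review bot: The branch guard still tests `isset($_GET['id_session'])` while the call inside now uses `$sessionId`, which is 0 whenever the parameter is absent or non-numeric, so the two no longer express the same condition. Guarding on the derived value, `if (!empty($sessionId)) {`, keeps the intent in one place and avoids calling get_course_list_in_session_from_student() with session 0 for a request such as `id_session=abc`. get_users() continues outside the hunk.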
$avg_time_spent = $avg_student_score = $avg_student_progress = $total_assignments = $total_messages = 0;
@@ -121,8 +122,8 @@ function get_users($from, $limit, $column, $direction)
$courseInfo = api_get_course_info($course_code);
$courseId = $courseInfo['real_id'];
if (CourseManager :: is_user_subscribed_in_course($student_id, $course_code, true)) {
$avg_time_spent += Tracking :: get_time_spent_on_the_course($student_id, $courseId, $_GET['id_session']);
$my_average = Tracking :: get_avg_student_score($student_id, $course_code);
$avg_time_spent += Tracking :: get_time_spent_on_the_course($student_id, $courseId, $sessionId);
$my_average = Tracking :: get_avg_student_score($student_id, $course_code);
if (is_numeric($my_average)) {
$avg_student_score += $my_average;
}
@@ -158,7 +159,7 @@ function get_users($from, $limit, $column, $direction)
$row[] = $string_date;
if (isset($_GET['id_coach']) && intval($_GET['id_coach']) != 0) {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$_GET['id_session'].'">
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$sessionId.'">
'.Display::return_icon('2rightarrow.png').'</a>';
} else {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'">
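Review bot: `$coach_id` is interpolated into the href on the rewritten line next to the now-cast `$sessionId`, but its own derivation is not in the hunk; the guard only checks `intval($_GET['id_coach']) != 0`, so if `$coach_id` is assigned from `$_GET['id_coach']` without a cast it should get the same treatment, `$coach_id = (int) $_GET['id_coach'];` where it is set. The same line is rewritten in the sibling hunks at `@@ -159,7 +160,7 @@` and `@@ -160,7 +160,7 @@`. get_users() continues outside the hunk.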
@@ -58,6 +58,7 @@ function get_users($from, $limit, $column, $direction)
$active = isset($_GET['active']) ? $_GET['active'] : 1;
$keyword = isset($_GET['keyword']) ? Security::remove_XSS($_GET['keyword']) : null;
$sleepingDays = isset($_GET['sleeping_days']) ? intval($_GET['sleeping_days']) : null;
$sessionId = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
$lastConnectionDate = null;
if (!empty($sleepingDays)) {
@@ -159,7 +160,7 @@ function get_users($from, $limit, $column, $direction)
$row[] = $string_date;
if (isset($_GET['id_coach']) && intval($_GET['id_coach']) != 0) {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$_GET['id_session'].'">
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$sessionId.'">
'.Display::return_icon('2rightarrow.png', get_lang('Details')).'</a>';
} else {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'">
@@ -57,7 +57,7 @@ function get_users($from, $limit, $column, $direction)
$keyword = isset($_GET['keyword']) ? Security::remove_XSS($_GET['keyword']) : null;
$sleepingDays = isset($_GET['sleeping_days']) ? intval($_GET['sleeping_days']) : null;
$status = isset($_GET['status']) ? Security::remove_XSS($_GET['status']) : null;
$sessionId = isset($_GET['id_session']) ? (int) $_GET['id_session'] : 0;
$lastConnectionDate = null;
if (!empty($sleepingDays)) {
@@ -160,7 +160,7 @@ function get_users($from, $limit, $column, $direction)
$row[] = $string_date;
if (isset($_GET['id_coach']) && intval($_GET['id_coach']) != 0) {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$_GET['id_session'].'">
$detailsLink = '<a href="myStudents.php?student='.$student_id.'&id_coach='.$coach_id.'&id_session='.$sessionId.'">
'.Display::return_icon('2rightarrow.png', get_lang('Details')).'</a>';
} else {
$detailsLink = '<a href="myStudents.php?student='.$student_id.'">
@@ -1275,41 +1275,8 @@ function get_addedresource_link_in_learnpath($type, $id, $id_in_path)
$link .= "../phpbb/viewtopic.php?topic=".$myrow["topic_id"]."&forum=".$myrow["forum_id"]."&md5=".$myrow["md5"];
}
break;
case "Post":
/* todo REVIEW THIS SECTION - NOT USING VALID TABLES ANYMORE
$tbl_posts = $_course['dbNameGlu'].'bb_posts';
$tbl_posts_text = $_course['dbNameGlu'].'bb_posts_text';
$TBL_FORUMS = $_course['dbNameGlu']."bb_forums";
$result= Database::query("SELECT * FROM $tbl_posts where post_id=$id");
$myrow=Database::fetch_array($result);
// grabbing the title of the post
$sql_titel="SELECT * FROM $tbl_posts_text WHERE post_id=".$myrow["post_id"];
$result_titel=Database::query($sql_titel);
$myrow_titel=Database::fetch_array($result_titel);
$sql="select * from $tbl_learnpath_item where id=$id_in_path";
$result=Database::query($sql); $row=Database::fetch_array($result);
if ($row['title'] != '') { $myrow_titel["post_title"]=$row['title']; }
$desc=$row['description'];
$link .= str_repeat("&nbsp;&gt;",$level);
$posternom=$myrow['nom']; $posterprenom=$myrow['prenom'];
$posttime=$myrow['post_time']; $posttext=$myrow_titel['post_text'];
$posttitle=$myrow_titel['post_title'];
$posttext = str_replace('"',"'",$posttext);
if ($builder != 'builder')
{
$link .= api_get_self()."?action=closelesson&source_forum=".$_GET['source_forum']."&how=complete&id_in_path=$id_in_path&learnpath_id=$learnpath_id&type=Post&origin=$origin&posternom=$posternom&posterprenom=$posterprenom&posttime=$posttime&posttext=$posttext&posttitle=$posttitle#$id_in_path";
}
else
{
$link .= "../phpbb/viewtopic.php?topic=".$myrow["topic_id"]."&forum=".$myrow["forum_id"]."&md5=".$myrow["md5"];
}
*/
break;
case "Document":
$dbTable = Database::get_course_table(TABLE_DOCUMENT);
$result=Database::query("SELECT * FROM $dbTable WHERE id=$id",__FILE__,__LINE);
@@ -38,7 +38,7 @@
$messageId = 0;
$messageContent = $_POST['social_wall_new_msg_main'];
if (!empty($_POST['url_content'])) {
$messageContent = $_POST['social_wall_new_msg_main'].'<br><br>'.$_POST['url_content'];
$messageContent = $_POST['social_wall_new_msg_main'].'<br /><br />'.$_POST['url_content'];
}
$idMessage = SocialManager::sendWallMessage(
api_get_user_id(),
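Review bot: The rewritten line still concatenates `$_POST['social_wall_new_msg_main']` and `$_POST['url_content']` into the message body without any of the filtering this commit adds elsewhere; the change itself only alters the `<br />` markup. Whether SocialManager::sendWallMessage() sanitises its argument is not visible here, so either confirm that or filter at this point, e.g. `Security::remove_XSS($_POST['url_content'])`. The sendWallMessage() call continues outside the hunk.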
@@ -1174,7 +1174,7 @@
$g_cr = isset($_GET['cidReq']) ? Security::remove_XSS($_GET['cidReq']) : '';
$p_l = isset($_POST['language']) ? Security::remove_XSS($_POST['language']) : '';
$add_parameters = isset($_GET['user_id']) ? 'user_id='.$_GET['user_id'].'&amp;' : '';
$add_parameters = isset($_GET['user_id']) ? 'user_id='.intval($_GET['user_id']).'&amp;' : '';
$url = api_get_self().'?'.$add_parameters.'course='.$g_c.'&invitationcode='.$g_ic.'&show='.$show.'&cidReq='.$g_cr;
$form = new FormValidator('question', 'post', $url);
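Review bot: The rewritten `$add_parameters` line joins with `&amp;` while the rest of `$url` on the next line is joined with a plain `&`, so the form action mixes raw and entity-encoded separators; if FormValidator escapes the action attribute itself (not visible here), the `&amp;` becomes double-encoded. Use one convention for the whole URL, e.g. `'user_id='.intval($_GET['user_id']).'&'`, and let the output layer escape. `$show` is also interpolated on the `$url` line and its origin is not in the hunk, so confirm it is filtered where it is assigned.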
@@ -2136,7 +2136,9 @@ public function auto_add_page_users($values)
<tr><td>'.$photo.'<br />'.Display::tag('span', api_get_person_name($userinfo['firstname'], $userinfo['lastname']), array('title'=>$username)).'</td></tr>
</table></div>';
$content_orig_B = '<br/><div align="center" style="font-size:24px">'.get_lang('AssignmentDescription').': '.$title_orig.'</div><br/>'.$_POST['content'];
$content_orig_B = '<br/><div align="center" style="font-size:24px">'.
get_lang('AssignmentDescription').': '.
$title_orig.'</div><br/>'.Security::remove_XSS($_POST['content']);
//Second: student list (names, photo and links to their works).
//Third: Create Students work pages.
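Review bot: `$title_orig` is concatenated into `$content_orig_B` on the rewritten line unfiltered, directly beside the now-filtered `$_POST['content']`. Its assignment is outside the hunk; the next hunk of this method filters `$_POST['title']`, so if `$title_orig` is derived from the same POST field it should be filtered once where it is assigned, `$title_orig = Security::remove_XSS($_POST['title']);`, rather than per use. auto_add_page_users() continues outside the hunk.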
@@ -2180,7 +2182,7 @@ public function auto_add_page_users($values)
'span',
strtoupper($o_user_to_add['lastname']).', '.$o_user_to_add['firstname'], array('title'=>$username)
).
' [['.$_POST['title']."_uass".$assig_user_id.' | '.$photo.']] '.$status_in_group.'</li>';
' [['.Security::remove_XSS($_POST['title'])."_uass".$assig_user_id.' | '.$photo.']] '.$status_in_group.'</li>';
//don't change this line without guaranteeing that users will be ordered by last names in the following format (surname, name)
$values['assignment']=2;
}
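Review bot: Filtering `$_POST['title']` inline while building the `[[…_uass…]]` wiki link means the link target is derived from a different value than whatever the page itself was created with, if that path uses the raw title; a title that remove_XSS() alters would then point at a page that does not exist. Filter the title once at the top of the method into a local, e.g. `$title = Security::remove_XSS($_POST['title']);`, and use that same value for both page creation and the link. The comment on the following line refers to the ordering of the surrounding loop, which starts outside the hunk.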
@@ -1,29 +1,29 @@
<?php
class TestFreeanswer extends UnitTestCase {
/**
* function which redifines Question::createAnswersForm
* @param the formvalidator instance
*/
function testcreateAnswersForm () {
$form = new FormValidator('exercise_admin', 'post', api_get_self().'?exerciseId='.$_GET['exerciseId']);
$form = new FormValidator('exercise_admin', 'post', api_get_self().'?exerciseId='.intval($_GET['exerciseId']));
$res =FreeAnswer::createAnswersForm($form);
$this->assertTrue(is_null($res));
//var_dump($res);
}
}
/**
* abstract function which creates the form to create / edit the answers of the question
* @param the formvalidator instance
*/
function testprocessAnswersCreation () {
$form = new FormValidator('exercise_admin', 'post', api_get_self().'?exerciseId='.$_GET['exerciseId']);
$form = new FormValidator('exercise_admin', 'post', api_get_self().'?exerciseId='.intval($_GET['exerciseId']));
$res =FreeAnswer::processAnswersCreation($form);
$this->assertTrue(is_null($res));
//var_dump($res);
}
}
?>
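Review bot: As rendered, the brace after testcreateAnswersForm() closes the class, leaving testprocessAnswersCreation() defined at file scope and the final `}` before `?>` unmatched, which would be a parse error; unless a line was dropped in rendering, the first of those braces should be removed. Both tests also build their form URL from `$_GET['exerciseId']`, which is never set under a test runner, so `intval()` yields 0 and the test exercises an arbitrary value; a fixed id such as `'?exerciseId=1'` is deterministic. The two docblocks describe Question::createAnswersForm and a `@param` the test methods do not take; they should describe the test instead, e.g. `/** Checks that FreeAnswer::createAnswersForm() returns null for a fresh form. */`. The trailing `?>` can be dropped from a PHP-only file.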
