Remove remove_xss and stripslashes while saving. see #1433

chamilo · Oct 7, 2016 · 7d5284d · 7d5284d
1 parent ef680c5
commit 7d5284d
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/main/inc/introductionSection.inc.php b/main/inc/introductionSection.inc.php
@@ -1,6 +1,8 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Chamilo\CourseBundle\Entity\CToolIntro;
+
 /**
  * The INTRODUCTION MICRO MODULE is used to insert and edit
  * an introduction section on a Chamilo module or on the course homepage.
@@ -28,8 +30,6 @@
  * @package chamilo.include
  */
 
-use Chamilo\CourseBundle\Entity\CToolIntro;
-
 $TBL_INTRODUCTION = Database::get_course_table(TABLE_TOOL_INTRO);
 $intro_editAllowed = $is_allowed_to_edit;
 $session_id = api_get_session_id();
@@ -70,12 +70,7 @@
     if ($intro_cmdUpdate) {
         if ($form->validate()) {
             $form_values = $form->exportValues();
-            $intro_content = Security::remove_XSS(
-                stripslashes(
-                    api_html_entity_decode($form_values['intro_content'])
-                ),
-                COURSEMANAGERLOWSECURITY
-            );
+            $intro_content = $form_values['intro_content'];
 
             $criteria = [
                 'cId' => $course_id,
@@ -90,8 +85,7 @@
                     ->findOneBy($criteria);
 
                 if ($toolIntro) {
-                    $toolIntro
-                        ->setIntroText($intro_content);
+                    $toolIntro->setIntroText($intro_content);
                 } else {
                     $toolIntro = new CToolIntro();
                     $toolIntro
@@ -103,10 +97,12 @@
                 Database::getManager()->persist($toolIntro);
                 Database::getManager()->flush();
 
-                $introduction_section .= Display::return_message(
-                    get_lang('IntroductionTextUpdated'),
-                    'confirmation',
-                    false
+                Display::addFlash(
+                    Display::return_message(
+                        get_lang('IntroductionTextUpdated'),
+                        'confirmation',
+                        false
+                    )
                 );
             } else {
                 // got to the delete command
@@ -125,7 +121,9 @@
                     id='".Database::escape_string($moduleId)."' AND
                     session_id='".intval($session_id)."'";
         Database::query($sql);
-        $introduction_section .= Display::return_message(get_lang('IntroductionTextDeleted'), 'confirmation');
+        Display::addFlash(
+            Display::return_message(get_lang('IntroductionTextDeleted'), 'confirmation')
+        );
     }
 }
 
@@ -134,7 +132,7 @@
 /* Retrieves the module introduction text, if exist */
 /* @todo use a lib to query the $TBL_INTRODUCTION table */
 // Getting course intro
-$intro_content = null;
+$intro_content = '';
 $sql = "SELECT intro_text FROM $TBL_INTRODUCTION
         WHERE
             c_id = $course_id AND
@@ -155,7 +153,7 @@
                 id = '".Database::escape_string($moduleId)."' AND
                 session_id = '".intval($session_id)."'";
     $intro_dbQuery = Database::query($sql);
-    $introSessionContent = null;
+    $introSessionContent = '';
     if (Database::num_rows($intro_dbQuery) > 0) {
         $intro_dbResult = Database::fetch_array($intro_dbQuery);
         $introSessionContent = $intro_dbResult['intro_text'];
@@ -166,6 +164,8 @@
     }
 }
 
+$intro_content = Security::remove_XSS($intro_content);
+
 /* Determines the correct display */
 
 if ($intro_cmdEdit || $intro_cmdAdd) {