Fix course title add Security::remove_XSS
jmontoyaa committed May 14, 2021
1 parent a145f71 commit fd54f61
Showing 3 changed files with 65 additions and 41 deletions.
61 changes: 35 additions & 26 deletions main/auth/sort_my_courses.php
Expand Up @@ -306,27 +306,29 @@
echo ' ';
echo CourseManager::getTeacherListFromCourseCodeToString($course['code']);
echo '<br />';

if (api_get_setting('display_teacher_in_courselist') === 'true') {
echo $course['tutor'];
}
echo '</td><td valign="top">'; ?>
<div style="float:left;width:110px;">
<?php
if (api_get_setting('show_courses_descriptions_in_catalog') == 'true') {
$icon_title = get_lang('CourseDetails').' - '.$course['title']; ?>
<a href="<?php echo api_get_path(WEB_CODE_PATH); ?>inc/ajax/course_home.ajax.php?a=show_course_information&code=<?php echo $course['code']; ?>" data-title="<?php echo $icon_title; ?>" title="<?php echo $icon_title; ?>" class="ajax">
<?php
echo Display::return_icon('info.png', $icon_title, '', '22');
} ?>
</a>
<?php
echo '</td><td valign="top">';
echo '<div style="float:left;width:110px;">';
if (api_get_setting('show_courses_descriptions_in_catalog') === 'true') {
$icon_title = get_lang('CourseDetails').' - '.$course['title'];
$url = api_get_path(
WEB_CODE_PATH
).'inc/ajax/course_home.ajax.php?a=show_course_information&code='.$course['code'];
echo Security::remove_XSS(
Display::url(
Display::return_icon('info.png', $icon_title, '', '22'),
$url,
['class' => 'ajax', 'data-title' => $icon_title, 'title' => $icon_title]
)
);
echo Display::url(
Display::return_icon('edit.png', get_lang('Edit'), '', 22),
$currentUrl.'?action=edit_course_category&category_id='.$row['id'].'&course_id='.$course['real_id'].'&sec_token='.$stok,
['class' => 'ajax']
);

}
if ($key > 0) {
?>
<a href="<?php echo $currentUrl; ?>?action=<?php echo $action; ?>&amp;move=up&amp;course=<?php echo $course['code']; ?>&amp;category=<?php echo $course['user_course_cat']; ?>&amp;sec_token=<?php echo $stok; ?>">
Expand Down Expand Up @@ -390,16 +392,19 @@
if (api_get_setting('display_teacher_in_courselist') === 'true') {
echo $course['tutor'];
}
echo '</td><td class="text-right">'; ?>
<div>
<?php
if (api_get_setting('show_courses_descriptions_in_catalog') == 'true') {
$icon_title = get_lang('CourseDetails').' - '.$course['title']; ?>
<a href="<?php echo api_get_path(WEB_CODE_PATH); ?>inc/ajax/course_home.ajax.php?a=show_course_information&code=<?php echo $course['code']; ?>" data-title="<?php echo $icon_title; ?>" title="<?php echo $icon_title; ?>" class="ajax">
<?php echo Display::return_icon('info.png', $icon_title, '', '22'); ?>
</a>
<?php
}
echo '</td><td class="text-right">';
echo '<div>';
if (api_get_setting('show_courses_descriptions_in_catalog') === 'true') {
$icon_title = get_lang('CourseDetails').' - '.$course['title'];
$url = api_get_path(WEB_CODE_PATH).'inc/ajax/course_home.ajax.php?a=show_course_information&code='.$course['code'];
echo Security::remove_XSS(
Display::url(
Display::return_icon('info.png', $icon_title, '', '22'),
$url,
['class' => 'ajax', 'data-title' => $icon_title, 'title' => $icon_title]
)
);
}
echo '';
if (isset($_GET['edit']) && $course['code'] == $_GET['edit']) {
echo Display::return_icon('edit_na.png', get_lang('Edit'), '', 22);
Expand All @@ -412,7 +417,8 @@
}
if ($key > 0) {
?>
<a href="<?php echo $currentUrl; ?>?action=<?php echo $action; ?>&amp;move=up&amp;course=<?php echo $course['code']; ?>&amp;category=<?php echo $course['user_course_cat']; ?>&amp;sec_token=<?php echo $stok; ?>">
<a
href="<?php echo $currentUrl; ?>?action=<?php echo $action; ?>&amp;move=up&amp;course=<?php echo $course['code']; ?>&amp;category=<?php echo $course['user_course_cat']; ?>&amp;sec_token=<?php echo $stok; ?>">
<?php echo Display::display_icon('up.png', get_lang('Up'), '', 22); ?>
</a>
<?php
Expand All @@ -421,7 +427,8 @@
}
if ($key < $number_of_courses - 1) {
?>
<a href="<?php echo $currentUrl; ?>?action=<?php echo $action; ?>&amp;move=down&amp;course=<?php echo $course['code']; ?>&amp;category=<?php echo $course['user_course_cat']; ?>&amp;sec_token=<?php echo $stok; ?>">
<a
href="<?php echo $currentUrl; ?>?action=<?php echo $action; ?>&amp;move=down&amp;course=<?php echo $course['code']; ?>&amp;category=<?php echo $course['user_course_cat']; ?>&amp;sec_token=<?php echo $stok; ?>">
<?php echo Display::display_icon('down.png', get_lang('Down'), '', 22); ?>
</a>
<?php
Expand All @@ -435,7 +442,9 @@
if ($course['unsubscr'] == 1) {
?>
<!-- changed link to submit to avoid action by the search tool indexer -->
<form action="<?php echo api_get_self(); ?>" method="post" onsubmit="javascript: if (!confirm('<?php echo addslashes(api_htmlentities(get_lang("ConfirmUnsubscribeFromCourse"), ENT_QUOTES, api_get_system_encoding())); ?>')) return false;">
<form action="<?php echo api_get_self(); ?>"
method="post"
onsubmit="javascript: if (!confirm('<?php echo addslashes(api_htmlentities(get_lang("ConfirmUnsubscribeFromCourse"), ENT_QUOTES, api_get_system_encoding())); ?>')) return false;">
<input type="hidden" name="sec_token" value="<?php echo $stok; ?>">
<input type="hidden" name="unsubscribe" value="<?php echo $course['code']; ?>" />
<button class="btn btn-default" value="<?php echo get_lang('Unsubscribe'); ?>" name="unsub">
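Review bot: The new `Security::remove_XSS` call wraps the fully rendered anchor (the `Display::url(...)` block in the first hunk, and the same shape in the second hunk), so the filter has to re-parse generated markup and anything it strips silently alters the link, while the raw `$course['title']` and `$course['code']` are still concatenated unescaped into `$icon_title` and `$url` before that. Sanitising at the data boundary is easier to reason about: `$icon_title = Security::remove_XSS(get_lang('CourseDetails').' - '.$course['title']);` and `$url = api_get_path(WEB_CODE_PATH).'inc/ajax/course_home.ajax.php?a=show_course_information&code='.urlencode($course['code']);`, then pass those to `Display::url` without the outer wrapper. Whether `Display::url` attribute-escapes the values in its third argument is not visible here, so confirm that before dropping the wrapper. The newly added Edit link (`edit.png`, first hunk) is not wrapped at all, which is inconsistent with the info link directly above it, and `echo '';` in the second hunk is a no-op that should be removed. The enclosing loop body starts and ends outside both hunks.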
34 changes: 20 additions & 14 deletions main/template/default/layout/hot_course_item.tpl
Expand Up @@ -3,9 +3,12 @@
<div class="col-xs-12 col-sm-6 col-md-4">
<div class="items items-hotcourse">
<div class="image">
<a title="{{ item.title}}" href="{{ _p.web }}course/{{ item.real_id }}/about">
<img src="{{ item.course_image_large }}" class="img-responsive" alt="{{ item.title }}">
</a>
{% set title %}
<a title="{{ item.title}}" href="{{ _p.web }}course/{{ item.real_id }}/about">
<img src="{{ item.course_image_large }}" class="img-responsive" alt="{{ item.title }}">
</a>
{% endset %}
{{ title | remove_xss }}

{% if item.categoryName != '' %}
<span class="category">{{ item.categoryName }}</span>
Expand All @@ -15,17 +18,20 @@
</div>
<div class="description">
<div class="block-title">
<h5 class="title">
{% if item.is_course_student or item.is_course_teacher %}
<a alt="{{ item.title }}" title="{{ item.title }}" href="{{ _p.web }}courses/{{ item.directory }}/">
{{ item.title_cut}}
</a>
{% else %}
<a alt="{{ item.title }}" title="{{ item.title }}" href="{{ _p.web }}course/{{ item.real_id }}/about">
{{ item.title_cut}}
</a>
{% endif %}
</h5>
{% set title %}
<h5 class="title">
{% if item.is_course_student or item.is_course_teacher %}
<a alt="{{ item.title }}" title="{{ item.title }}" href="{{ _p.web }}courses/{{ item.directory }}/">
{{ item.title_cut}}
</a>
{% else %}
<a alt="{{ item.title }}" title="{{ item.title }}" href="{{ _p.web }}course/{{ item.real_id }}/about">
{{ item.title_cut}}
</a>
{% endif %}
</h5>
{% endset %}
{{ title | remove_xss }}
</div>
<div class="ranking">
{{ item.rating_html }}
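Review bot: `{% set title %}…{% endset %}` captures a whole rendered block (the image anchor in the first hunk, the `<h5>` heading in the second) and pipes it through `remove_xss`, so the filter has to parse generated HTML instead of the one untrusted value, `item.title`, and anything it rewrites inside the anchor (attributes, the `_p.web` href) changes the link silently. Escaping at each interpolation is narrower and keeps the markup literal: `<a title="{{ item.title | e('html_attr') }}" …>` and `{{ item.title_cut | e }}`, or `{{ item.title | remove_xss }}` if that filter is the project's convention for titles. Whether Twig autoescaping is enabled for this template is not visible here; if it is, those interpolations are already entity-escaped and the block-level filter is redundant. Naming the captured block `title` is also misleading, since it holds a full anchor or heading, and the same name is reassigned in the second hunk. The third file section below (the `h4 class="title"` and image-anchor hunks) uses the identical pattern and the same remarks apply there.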
Expand Up @@ -11,9 +11,12 @@
{% if item.visibility == constant('COURSE_VISIBILITY_CLOSED') and not item.current_user_is_teacher %}
<img src="{{ item.image }}" class="img-responsive">
{% else %}
{% set title %}
<a title="{{ item.title }}" href="{{ item.link }}">
<img src="{{ item.image }}" alt="{{ item.title }}" class="img-responsive">
</a>
{% endset %}
{{ title | remove_xss }}
{% endif %}
{% if item.category != '' %}
<span class="category">{{ item.category }}</span>
Expand All @@ -38,6 +41,7 @@
</div>
<div class="description">
<div class="block-title">
{% set title %}
<h4 class="title" title="{{ item.title }}">
{% if item.visibility == constant('COURSE_VISIBILITY_CLOSED') and not item.current_user_is_teacher %}
{{ item.title_cut }}
Expand All @@ -47,10 +51,15 @@
<span class="code-title">{{ item.code_course }}</span>{{ item.url_marker }}
{% endif %}
</h4>
{% endset %}
{{ title | remove_xss }}
</div>
<div class="block-author">
{% if item.teachers | length > 6 %}
<a id="plist-{{ loop.index }}" data-trigger="focus" tabindex="0" role="button" class="btn btn-default panel_popover" data-toggle="popover" title="{{ 'CourseTeachers' | get_lang }}" data-html="true">
<a id="plist-{{ loop.index }}"
data-trigger="focus" tabindex="0" role="button"
class="btn btn-default panel_popover" data-toggle="popover"
title="{{ 'CourseTeachers' | get_lang }}" data-html="true">
<i class="fa fa-graduation-cap" aria-hidden="true"></i>
</a>
<div id="popover-content-plist-{{ loop.index }}" class="hide">
