Forum: add remove_xss

jmontoyaa · jmontoyaa · commit 140f58709926 · 2021-08-05T15:31:20.000+02:00
diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
@@ -4690,12 +4690,13 @@ function move_thread_form()
         </div>
         <div class="formw">';
     $htmlcontent .= '<select name="forum">';
-    foreach ($forum_categories as $key => $category) {
+    foreach ($forum_categories as $category) {
         $htmlcontent .= '<optgroup label="'.$category['cat_title'].'">';
         foreach ($forums as $key => $forum) {
             if (isset($forum['forum_category'])) {
                 if ($forum['forum_category'] == $category['cat_id']) {
-                    $htmlcontent .= '<option value="'.$forum['forum_id'].'">'.$forum['forum_title'].'</option>';
+                    $htmlcontent .= '<option value="'.$forum['forum_id'].'">'.
+                        Security::remove_XSS($forum['forum_title']).'</option>';
                 }
             }
         }
diff --git a/main/forum/index.php b/main/forum/index.php
@@ -270,13 +270,13 @@ function hidecontent(content){
         if (empty($forumCategory['cat_title'])) {
             $forumCategoryInfo['title'] = get_lang('WithoutCategory');
         } else {
-            $forumCategoryInfo['title'] = $forumCategory['cat_title'];
+            $forumCategoryInfo['title'] = Security::remove_XSS($forumCategory['cat_title']);
         }
         $forumCategoryInfo['extra_fields'] = isset($forumCategory['extra_fields']) ? $forumCategory['extra_fields'] : [];
         $forumCategoryInfo['icon_session'] = api_get_session_image($forumCategory['session_id'], $_user['status']);
 
         // Validation when belongs to a session
-        $forumCategoryInfo['description'] = $forumCategory['cat_comment'];
+        $forumCategoryInfo['description'] = Security::remove_XSS($forumCategory['cat_comment']);
         $forumCategory['session_display'] = null;
         if (empty($sessionId) && !empty($forumCategory['session_name'])) {
             $forumCategory['session_display'] = ' ('.Security::remove_XSS($forumCategory['session_name']).')';

Original file line number	Diff line number	Diff line change
`@@ -4690,12 +4690,13 @@ function move_thread_form()`
`4690`	`4690`	`</div>`
`4691`	`4691`	`<div class="formw">';`
`4692`	`4692`	`$htmlcontent .= '<select name="forum">';`
`4693`		`- foreach ($forum_categories as $key => $category) {`
	`4693`	`+ foreach ($forum_categories as $category) {`
`4694`	`4694`	`$htmlcontent .= '<optgroup label="'.$category['cat_title'].'">';`
`4695`	`4695`	`foreach ($forums as $key => $forum) {`
`4696`	`4696`	`if (isset($forum['forum_category'])) {`
`4697`	`4697`	`if ($forum['forum_category'] == $category['cat_id']) {`
`4698`		`- $htmlcontent .= '<option value="'.$forum['forum_id'].'">'.$forum['forum_title'].'</option>';`
	`4698`	`+ $htmlcontent .= '<option value="'.$forum['forum_id'].'">'.`
	`4699`	`+ Security::remove_XSS($forum['forum_title']).'</option>';`
`4699`	`4700`	`}`
`4700`	`4701`	`}`
`4701`	`4702`	`}`