Security - Reintroducing HTML filter after report by Javier Bloem that it introduces an XSS, secifically for portals open to new teachers created by anonymous users, and reverting commit svn r20496 referencing issue http://projects.dokeos.com/index.php?do=details&task_id=4109 not accessible to the public anymore.

ywarnier · ywarnier · commit 3c770c201dbe · 2013-08-11T16:53:51.000-05:00
diff --git a/main/course_info/infocours.php b/main/course_info/infocours.php
@@ -134,7 +134,7 @@ function is_settings_editable() {
 
 
 $form->add_textfield('title', get_lang('Title'), true, array('class' => 'span6'));
-//$form->applyFilter('title', 'html_filter');
+$form->applyFilter('title', 'html_filter');
 $form->applyFilter('title', 'trim');
 
 //$form->add_textfield('tutor_name', get_lang('Professors'), true, array ('size' => '60'));
@@ -154,9 +154,11 @@ function is_settings_editable() {
 $form->addElement('select_language', 'course_language', array(get_lang('Ln'), get_lang('TipLang')));
 
 $form->add_textfield('department_name', get_lang('Department'), false, array('class' => 'span5'));
+$form->applyFilter('department_name', 'html_filter');
 $form->applyFilter('department_name', 'trim');
 
 $form->add_textfield('department_url', get_lang('DepartmentUrl'), false, array('class' => 'span5'));
+$form->applyFilter('department_url', 'html_filter');
 //$form->addRule('tutor_name', get_lang('ThisFieldIsRequired'), 'required');
 
 
