Security: Glossary: Remove XSS

AngelFQC · AngelFQC · commit 8ff67c3ad239 · 2024-10-29T18:02:37.000-05:00
Fix GHSA-4wcp-3rh3-7wm4 advisory
diff --git a/main/glossary/index.php b/main/glossary/index.php
@@ -90,12 +90,12 @@ function sorter($item1, $item2)
             $form->addHtmlEditor(
                 'name',
                 get_lang('TermName'),
-                false,
+                true,
                 false,
                 ['ToolbarSet' => 'TitleAsHtml']
             );
         } else {
-            $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']);
+            $form->addText('name', get_lang('TermName'), true, ['id' => 'glossary_title']);
         }
 
         $form->addHtmlEditor(
@@ -107,7 +107,6 @@ function sorter($item1, $item2)
         );
         $form->addButtonCreate(get_lang('TermAddButton'), 'SubmitGlossary');
         // setting the rules
-        $form->addRule('name', get_lang('ThisFieldIsRequired'), 'required');
         // The validation or display
         if ($form->validate()) {
             $check = Security::check_token('post');
@@ -154,12 +153,12 @@ function sorter($item1, $item2)
                 $form->addHtmlEditor(
                     'name',
                     get_lang('TermName'),
-                    false,
+                    true,
                     false,
                     ['ToolbarSet' => 'TitleAsHtml']
                 );
             } else {
-                $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']);
+                $form->addText('name', get_lang('TermName'), true, ['id' => 'glossary_title']);
             }
 
             $form->addHtmlEditor(
@@ -192,9 +191,6 @@ function sorter($item1, $item2)
             $form->addButtonUpdate(get_lang('TermUpdateButton'), 'SubmitGlossary');
             $form->setDefaults($glossary_data);
 
-            // setting the rules
-            $form->addRule('name', get_lang('ThisFieldIsRequired'), 'required');
-
             // The validation or display
             if ($form->validate()) {
                 $check = Security::check_token('post');
diff --git a/main/inc/lib/TrackingCourseLog.php b/main/inc/lib/TrackingCourseLog.php
@@ -284,6 +284,8 @@ public static function getItemResourcesData($from, $numberOfItems, $column, $dir
                     $row[4] = $ip;
                 }
 
+                $row[5] = Security::remove_XSS($row[5]);
+
                 $resources[] = $row;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -284,6 +284,8 @@ public static function getItemResourcesData($from, $numberOfItems, $column, $dir`
`284`	`284`	`$row[4] = $ip;`
`285`	`285`	`}`
`286`	`286`
	`287`	`+ $row[5] = Security::remove_XSS($row[5]);`
	`288`	`+`
`287`	`289`	`$resources[] = $row;`
`288`	`290`	`}`
`289`	`291`	`}`