
Commit aa359f9

committed
Exercises: add remove_xss
1 parent 9815db1 commit aa359f9


7 files changed

+24
-36
lines changed


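--- a/main/exercise/TestCategory.php
+++ b/main/exercise/TestCategory.php
@@ -499,7 +499,7 @@ public static function getCategoriesIdAndName($courseId = 0)
 $categories = self::getCategoryListInfo('', $courseId);
 $result = ['0' => get_lang('NoCategorySelected')];
 for ($i = 0; $i < count($categories); $i++) {
-$result[$categories[$i]->iid] = $categories[$i]->name;
+$result[$categories[$i]->iid] = Security::remove_XSS($categories[$i]->name);
 }
 
 return $result;
@@ -677,7 +677,7 @@ public static function returnCategoryAndTitle($questionId, $in_display_category_
 ($in_display_category_name == 1 || !$is_student)
 ) {
 $content .= '<div class="page-header">';
-$content .= '<h4>'.get_lang('Category').": ".self::getCategoryNameForQuestion($questionId).'</h4>';
+$content .= '<h4>'.get_lang('Category').": ".Security::remove_XSS(self::getCategoryNameForQuestion($questionId)).'</h4>';
 $content .= "</div>";
 }
 
@@ -1239,7 +1239,7 @@ public function displayCategories($courseId, $sessionId = 0)
 $nb_question_label = $nb_question == 1 ? $nb_question.' '.get_lang('Question') : $nb_question.' '.get_lang('Questions');
 $content = "<span style='float:right'>".$nb_question_label."</span>";
 $content .= '<div class="sectioncomment">';
-$content .= $category['description'];
+$content .= Security::remove_XSS($category['description']);
 $content .= '</div>';
 $links = '';
 
@@ -1251,7 +1251,7 @@ public function displayCategories($courseId, $sessionId = 0)
 $links .= Display::return_icon('delete.png', get_lang('Delete'), [], ICON_SIZE_SMALL).'</a>';
 }
 
-$html .= Display::panel($content, $category['title'].$links);
+$html .= Display::panel($content, Security::remove_XSS($category['title']).$links);
 }
 
 return $html;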
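Review bot: The category name written into `$result` on new line 502 is a plain-text field, while `Security::remove_XSS` appears to be a markup-permitting sanitizer (this same commit applies it to HTML descriptions rendered via Display::div); for a value that should never contain HTML an escape is the stricter choice, e.g. `$result[$categories[$i]->iid] = htmlspecialchars($categories[$i]->name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The same reasoning applies to the `<h4>` category heading in the second hunk and to `$category['title']` in the last hunk. Whether callers of getCategoriesIdAndName() already escape option labels is not visible here, so check for double encoding before switching. The loop re-evaluates `count($categories)` on every iteration; a `foreach` would read more plainly, but that is cosmetic.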

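--- a/main/exercise/admin.php
+++ b/main/exercise/admin.php
@@ -277,12 +277,12 @@
 if (isset($_GET['newQuestion']) || isset($_GET['editQuestion'])) {
 $interbreadcrumb[] = [
 'url' => 'admin.php?exerciseId='.$objExercise->iid.'&'.api_get_cidreq(),
-'name' => $objExercise->selectTitle(true),
+'name' => Security::remove_XSS($objExercise->selectTitle(true)),
 ];
 } else {
 $interbreadcrumb[] = [
 'url' => '#',
-'name' => $objExercise->selectTitle(true),
+'name' => Security::remove_XSS($objExercise->selectTitle(true)),
 ];
 }
 
@@ -445,7 +445,7 @@ function ($acc, $questionId) {
 // Question preview if teacher clicked the "switch to student"
 if ($studentViewActive && $is_allowedToEdit) {
 echo '<div class="main-question">';
-echo Display::div($objQuestion->selectTitle(), ['class' => 'question_title']);
+echo Display::div(Security::remove_XSS($objQuestion->selectTitle()), ['class' => 'question_title']);
 ExerciseLib::showQuestion(
 $objExercise,
 $editQuestion,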
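Review bot: `Security::remove_XSS($objExercise->selectTitle(true))` is computed once per branch in the first hunk although only the `url` entry differs; hoisting it above the `if` as `$exerciseTitle = Security::remove_XSS($objExercise->selectTitle(true));` and using `'name' => $exerciseTitle,` in both arrays keeps the two breadcrumb entries from drifting apart. The same expression is repeated in overview.php's breadcrumb in this commit, so a method on the exercise object that returns the display-safe title would remove the repetition across files. The meaning of the `true` argument to selectTitle() is not explained by the hunk; if it already returns formatted HTML, a one-line comment saying why the outer filter is still needed would help the next reader.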

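--- a/main/exercise/exercise.class.php
+++ b/main/exercise/exercise.class.php
@@ -6524,9 +6524,9 @@ public function showExerciseResultHeader(
 }
 
 if (api_get_configuration_value('save_titles_as_html')) {
-$data['title'] = $this->get_formated_title().get_lang('Result');
+$data['title'] = Security::remove_XSS($this->get_formated_title()).get_lang('Result');
 } else {
-$data['title'] = PHP_EOL.$this->exercise.' : '.get_lang('Result');
+$data['title'] = PHP_EOL.Security::remove_XSS($this->exercise).' : '.get_lang('Result');
 }
 
 $questionsCount = count(explode(',', $trackExerciseInfo['data_tracking']));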
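Review bot: `$data['title']` is filtered here and then filtered again by the `| remove_xss` filter this same commit adds to result_exercise.tpl, so the string passes through the sanitizer twice. Double filtering is wasted work and could alter output if the filter is not strictly idempotent (entity handling between passes); pick one layer — the template, at the output edge, is the natural place — and record the decision with a comment such as `// Title is passed unfiltered; result_exercise.tpl applies remove_xss at render time.` showExerciseResultHeader() continues outside the hunk, so check whether `$data['title']` is also consumed by non-template code before dropping either call.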

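--- a/main/exercise/exercise_submit.php
+++ b/main/exercise/exercise_submit.php
@@ -200,7 +200,7 @@
 }
 
 // if the user has submitted the form.
-$exercise_title = $objExercise->selectTitle();
+$exercise_title = Security::remove_XSS($objExercise->selectTitle());
 $exercise_sound = $objExercise->selectSound();
 
 // If reminder ends we jump to the exercise_reminder
@@ -659,12 +659,6 @@
 }
 $count++;
 }
-//var_dump($questionCheck);exit;
-// Use reminder list to get the current question.
-/*if (2 === $reminder && !empty($myRemindList)) {
-$remindQuestionId = current($myRemindList);
-$questionCheck = Question::read($remindQuestionId);
-}*/
 
 $categoryId = 0;
 if (null !== $questionCheck) {
@@ -674,20 +668,19 @@
 if ($objExercise->review_answers && isset($_GET['category_id'])) {
 $categoryId = $_GET['category_id'] ?? 0;
 }
-//var_dump($categoryId, $categoryList);
+
 if (!empty($categoryId)) {
 $categoryInfo = $categoryList[$categoryId];
 $count = 1;
 $total = count($categoryList[$categoryId]);
-//var_dump($questionCheck);
+
 foreach ($categoryList[$categoryId] as $checkQuestionId) {
 if ((int) $checkQuestionId === (int) $questionCheck->iid) {
 break;
 }
 $count++;
 }
 
-//var_dump($count , $total);
 if ($count === $total) {
 $isLastQuestionInCategory = $categoryId;
 if ($isLastQuestionInCategory) {
@@ -717,8 +710,7 @@
 api_location($url);
 }
 }
-//exit;
-//var_dump($isLastQuestionInCategory);
+
 if ($debug) {
 error_log('8. Question list loaded '.print_r($questionList, 1));
 }
@@ -728,7 +720,7 @@
 if (!empty($questionList)) {
 $question_count = count($questionList);
 }
-//var_dump($current_question);
+
 if ($current_question > $question_count) {
 // If time control then don't change the current question, otherwise there will be a loop.
 // @todo
@@ -738,10 +730,6 @@
 }
 
 if ($formSent && isset($_POST)) {
-if ($debug) {
-error_log('9. $formSent was set');
-}
-
 if (!is_array($exerciseResult)) {
 $exerciseResult = [];
 $exerciseResultCoordinates = [];
@@ -1701,7 +1689,7 @@ function validate_all() {
 if ($objExercise->type == ONE_PER_PAGE || ($objExercise->type != ONE_PER_PAGE && $i == 1)) {
 echo Display::panelCollapse(
 '<span>'.get_lang('ExerciseDescriptionLabel').'</span>',
-$objExercise->description,
+Security::remove_XSS($objExercise->description),
 'exercise-description',
 [],
 'description',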
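Review bot: In the third hunk (new lines 668-675) `$categoryId` is taken from `$_GET['category_id']` without a cast and then used directly as the key in `$categoryList[$categoryId]` and `count($categoryList[$categoryId])`; an unknown or non-numeric id yields an undefined-index warning and, on PHP 8, a TypeError from count(null) rather than a clean fallback. Casting and checking the key before use closes that: `$categoryId = (int) $_GET['category_id'];` and `if (!empty($categoryId) && isset($categoryList[$categoryId])) {`. The `?? 0` inside the `isset($_GET['category_id'])` guard is dead, and `isset($_POST)` in the sixth hunk is always true for a web request. The `//var_dump` lines in hunks three to five were replaced by empty lines rather than deleted, leaving stray blank lines in the new code.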

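--- a/main/exercise/overview.php
+++ b/main/exercise/overview.php
@@ -52,7 +52,7 @@
 'url' => 'exercise.php?'.api_get_cidreq(),
 'name' => get_lang('Exercises'),
 ];
-$interbreadcrumb[] = ['url' => '#', 'name' => $objExercise->selectTitle(true)];
+$interbreadcrumb[] = ['url' => '#', 'name' => Security::remove_XSS($objExercise->selectTitle(true))];
 
 $time_control = false;
 $clock_expired_time = ExerciseLib::get_session_time_control_key($objExercise->iid, $learnpath_id, $learnpath_item_id);
@@ -122,17 +122,17 @@
 // Exercise name.
 if (api_get_configuration_value('save_titles_as_html')) {
 $html .= Display::div(
-$objExercise->get_formated_title().PHP_EOL.$editLink
+Security::remove_XSS($objExercise->get_formated_title()).PHP_EOL.$editLink
 );
 } else {
 $html .= Display::page_header(
-$iconExercise.PHP_EOL.$objExercise->selectTitle().PHP_EOL.$editLink
+$iconExercise.PHP_EOL.Security::remove_XSS($objExercise->selectTitle()).PHP_EOL.$editLink
 );
 }
 
 // Exercise description.
 if (!empty($objExercise->description)) {
-$html .= Display::div($objExercise->description, ['class' => 'exercise_description']);
+$html .= Display::div(Security::remove_XSS($objExercise->description), ['class' => 'exercise_description']);
 }
 
 $exercise_stat_info = $objExercise->get_stat_track_exercise_info(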
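Review bot: `$objExercise->description` is now filtered at three separate output sites in this commit (here, exercise_submit.php and exercise.lib.php) by wrapping each read in `Security::remove_XSS`; a per-call-site filter is easy to forget at the next place the description is rendered. A display accessor on the exercise class, e.g. `public function getDescriptionForDisplay(): string { return Security::remove_XSS($this->description); }`, would give one place to audit. The `!empty($objExercise->description)` guard in the second hunk tests the raw value, so if the filter removes everything from a description the page still emits an empty `exercise_description` div; testing the filtered value instead avoids that.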

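--- a/main/inc/lib/exercise.lib.php
+++ b/main/inc/lib/exercise.lib.php
@@ -84,7 +84,7 @@ public static function showQuestion(
 if ($exercise->display_category_name) {
 TestCategory::displayCategoryAndTitle($objQuestionTmp->iid);
 }
-$titleToDisplay = $objQuestionTmp->getTitleToDisplay($current_item);
+$titleToDisplay = Security::remove_XSS($objQuestionTmp->getTitleToDisplay($current_item));
 if ($answerType == READING_COMPREHENSION) {
 // In READING_COMPREHENSION, the title of the question
 // contains the question itself, which can only be
@@ -4846,7 +4846,7 @@ public static function displayQuestionListByAttempt(
 }
 
 // Display text when test is finished #4074 and for LP #4227
-$endOfMessage = $objExercise->getTextWhenFinished();
+$endOfMessage = Security::remove_XSS($objExercise->getTextWhenFinished());
 if (!empty($endOfMessage)) {
 echo Display::div(
 $endOfMessage,
@@ -5173,7 +5173,7 @@ public static function displayQuestionListByAttempt(
 if (api_get_configuration_value('quiz_show_description_on_results_page') &&
 !empty($objExercise->description)
 ) {
-echo Display::div($objExercise->description, ['class' => 'exercise_description']);
+echo Display::div(Security::remove_XSS($objExercise->description), ['class' => 'exercise_description']);
 }
 
 echo $exercise_content;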
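Review bot: In the first hunk the filter is applied to `getTitleToDisplay()` before the `READING_COMPREHENSION` branch, whose comment says the title holds the question text itself; if `Security::remove_XSS` rewrites or drops markup that branch relies on (the branch body continues outside the hunk), reading-comprehension questions will render differently after this change, so that path deserves a targeted test. `$answerType == READING_COMPREHENSION` is a loose comparison right next to the new line; `===` would match the strict comparisons used elsewhere in this commit (`(int) $checkQuestionId === (int) $questionCheck->iid` in exercise_submit.php).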

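--- a/main/template/default/exercise/partials/result_exercise.tpl
+++ b/main/template/default/exercise/partials/result_exercise.tpl
@@ -2,9 +2,9 @@
 <div class="panel panel-default">
 <div class="panel-body">
 {% if 'save_titles_as_html'|api_get_configuration_value %}
-{{ data.title }}
+{{ data.title | remove_xss }}
 {% else %}
-<h3>{{ data.title }}</h3>
+<h3>{{ data.title | remove_xss }}</h3>
 {% endif %}
 
 <div class="row">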
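Review bot: In the `else` branch the title is plain text inside an `<h3>`, so escaping (`<h3>{{ data.title | e }}</h3>`, or simply relying on autoescape if it is enabled for this template) is the stricter choice than a markup-permitting sanitizer; `| remove_xss` is only appropriate in the `save_titles_as_html` branch where HTML output is intended. Whether Twig autoescape is on for these partials is not visible here, so confirm that before changing the filter.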
