LPs: Add remove_Xss

Author: jmontoyaa

main/inc/lib/document.lib.php

@@ -6962,7 +6962,7 @@ private static function parseFile(
         $icon = choose_image($path);
         $position = strrpos($icon, '.');
         $icon = substr($icon, 0, $position).'_small.gif';
-        $my_file_title = $resource['title'];
+        $my_file_title = Security::remove_XSS($resource['title']);
         $visibility = $resource['visibility'];
 
         // If title is empty we try to use the path
@@ -7083,7 +7083,6 @@ private static function parseFolder($folderId, $resource, $lp_id)
             return null;
         }
 
-        //$onclick = '';
         // if in LP, hidden folder are displayed in grey
         $folder_class_hidden = '';
         if ($lp_id) {
@@ -7098,15 +7097,27 @@ private static function parseFolder($folderId, $resource, $lp_id)
             $return = '<ul class="lp_resource">';
         }
 
-        $return .= '<li class="doc_folder'.$folder_class_hidden.'" id="doc_id_'.$resource['id'].'"  style="margin-left:'.($num * 18).'px; ">';
+        $return .= '<li 
+            class="doc_folder'.$folder_class_hidden.'" 
+            id="doc_id_'.$resource['id'].'"  
+            style="margin-left:'.($num * 18).'px;" 
+            >';
 
         $image = Display::returnIconPath('nolines_plus.gif');
         if (empty($path)) {
             $image = Display::returnIconPath('nolines_minus.gif');
         }
-        $return .= '<img style="cursor: pointer;" src="'.$image.'" align="absmiddle" id="img_'.$resource['id'].'" '.$onclick.'>';
+        $return .= '<img 
+            style="cursor: pointer;" 
+            src="'.$image.'" 
+            align="absmiddle" 
+            id="img_'.$resource['id'].'" '.$onclick.'
+        >';
+
         $return .= Display::return_icon('lp_folder.gif').'&nbsp;';
-        $return .= '<span '.$onclick.' style="cursor: pointer;" >'.$title.'</span>';
+        $return .= '<span '.$onclick.' style="cursor: pointer;" >'.
+            Security::remove_XSS($title).
+            '</span>';
         $return .= '</li>';
 
         if (empty($path)) {

main/lp/learnpath.class.php

@@ -3539,7 +3539,7 @@ public function get_name()
      */
     public function getNameNoTags()
     {
-        return strip_tags($this->get_name());
+        return Security::remove_XSS(strip_tags($this->get_name()));
     }
 
     /**
@@ -6642,7 +6642,7 @@ public function return_new_tree($update_audio = 'false', $drop_element_here = fa
         $list .= '</ul>';
 
         $return = Display::panelCollapse(
-            $this->name,
+            $this->getNameNoTags(),
             $list,
             'scorm-list',
             null,
@@ -7585,7 +7585,6 @@ public function display_resources()
         ];
 
         $xApiPlugin = XApiPlugin::create();
-
         if ($xApiPlugin->isEnabled()) {
             $headers[] = Display::return_icon(
                 'import_scorm.png',
@@ -13171,9 +13170,7 @@ public function getFinalItemForm()
         $form->addHidden('action', 'add_final_item');
         $form->addHidden('path', Session::read('pathItem'));
         $form->addHidden('previous', $this->get_last());
-        $form->setDefaults(
-            ['title' => $title, 'content_lp_certificate' => $content]
-        );
+        $form->setDefaults(['title' => $title, 'content_lp_certificate' => $content]);
 
         if ($form->validate()) {
             $values = $form->exportValues();