Security - Fix possible XSS attack vector using teacher role - reported by Javier Bloem

ywarnier · ywarnier · commit dd9bcd64fee5 · 2014-05-06T19:08:27.000-05:00
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
@@ -3372,7 +3372,7 @@ public static function display_special_courses($user_id, $load_dirs = false)
                         $course['status'] = STUDENT;
                     }
 
-                    $params['icon'] = Display::return_icon('blackboard.png', $course_info['title'], array(), ICON_SIZE_LARGE);
+                    $params['icon'] = Display::return_icon('blackboard.png', api_htmlentities($course_info['title']), array(), ICON_SIZE_LARGE);
 
                     $params['right_actions'] = '';
                     if (api_is_platform_admin()) {
@@ -3448,7 +3448,7 @@ public static function display_courses($user_id, $load_dirs = false)
         while ($row = Database::fetch_array($result)) {
             // We simply display the title of the category.
             $params = array(
-               'icon' => Display::return_icon('folder_yellow.png', $row['title'], array(), ICON_SIZE_LARGE),
+               'icon' => Display::return_icon('folder_yellow.png', api_htmlentities($row['title']), array(), ICON_SIZE_LARGE),
                'title' => $row['title'],
                'class' => 'table_user_course_category'
             );
@@ -3542,7 +3542,7 @@ public static function display_courses_in_category($user_category_id, $load_dirs
             $show_notification = Display::show_notification($course_info);
 
             // New code displaying the user's status in respect to this course.
-            $status_icon = Display::return_icon('blackboard.png', $course_info['title'], array(), ICON_SIZE_LARGE);
+            $status_icon = Display::return_icon('blackboard.png', api_htmlentities($course_info['title']), array(), ICON_SIZE_LARGE);
 
             $params = array();
             $params['right_actions'] = '';
@@ -3741,7 +3741,7 @@ public static function get_logged_user_course_html($course, $session_id = 0, $cl
         }
 
         $params = array();
-        $params['icon'] = Display::return_icon('blackboard_blue.png', $course_info['name'], array(), ICON_SIZE_LARGE);
+        $params['icon'] = Display::return_icon('blackboard_blue.png', api_htmlentities($course_info['name']), array(), ICON_SIZE_LARGE);
         $params['link'] = $session_url;
         $params['title'] = $session_title;
 
diff --git a/main/template/default/auth/courses_categories.php b/main/template/default/auth/courses_categories.php
@@ -251,10 +251,10 @@ function display_thumbnail($course, $icon_title)
     echo '<div class="thumbnail">';
     if (api_get_setting('show_courses_descriptions_in_catalog') == 'true') {
         echo '<a class="ajax" href="'.api_get_path(WEB_CODE_PATH).'inc/ajax/course_home.ajax.php?a=show_course_information&amp;code='.$course['code'].'" title="'.$icon_title.'" rel="gb_page_center[778]">';
-        echo '<img src="'.$course_medium_image.'" alt="'.$title.'" />';
+        echo '<img src="'.$course_medium_image.'" alt="'.api_htmlentities($title).'" />';
         echo '</a>';
     } else {
-        echo '<img src="'.$course_medium_image.'" alt="'.$title.'"/>';
+        echo '<img src="'.$course_medium_image.'" alt="'.api_htmlentities($title).'"/>';
     }
     echo '</div>';  // thumbail
     echo '</div>';  // span2
