
Commit 0d8c731

committed
Forum: add remove_xss
1 parent c7bf620 commit 0d8c731


3 files changed

+21
-22
lines changed

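--- a/main/forum/viewforum.php
+++ b/main/forum/viewforum.php
@@ -140,7 +140,7 @@
 $interbreadcrumb[] = [
 'url' => $forumUrl.'viewforumcategory.php?forumcategory='.$current_forum_category['cat_id']
 .'&search='.Security::remove_XSS(urlencode($my_search)),
-'name' => prepare4display($current_forum_category['cat_title']),
+'name' => Security::remove_XSS(prepare4display($current_forum_category['cat_title'])),
 ];
 $interbreadcrumb[] = [
 'url' => '#',
@@ -375,7 +375,7 @@
 echo '</div>';
 
 /* Display */
-$titleForum = $current_forum['forum_title'];
+$titleForum = Security::remove_XSS($current_forum['forum_title']);
 $descriptionForum = $current_forum['forum_comment'];
 $iconForum = Display::return_icon(
 'forum_yellow.png',
@@ -440,7 +440,7 @@
 $linkPostForum = '<a href="viewthread.php?'.api_get_cidreq().'&forum='.$my_forum
 ."&thread={$row['thread_id']}&search="
 .Security::remove_XSS(urlencode($my_search)).'">'
-.$row['thread_title'].'</a>';
+.Security::remove_XSS($row['thread_title']).'</a>';
 $html = '';
 $html .= '<div class="panel panel-default forum '.($row['thread_sticky'] ? 'sticky' : '').'">';
 $html .= '<div class="panel-body">';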
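Review bot: `$descriptionForum = $current_forum['forum_comment'];` (context line 379 in the second hunk) is still read unfiltered, while `$titleForum` on the line directly above now goes through `Security::remove_XSS()` and the sibling change in viewforumcategory.php does filter `forum_comment`; this looks like an omission rather than a deliberate choice. If `$descriptionForum` is echoed into the page further down (outside this hunk), the same treatment applies: `$descriptionForum = Security::remove_XSS($current_forum['forum_comment']);`. Note also that `remove_XSS` is a content filter, not context-aware escaping; `forum_title` and `thread_title` land inside HTML text nodes here, so escaping with `htmlspecialchars` at the point of output would be the more robust form, although how `Display::return_icon` and the surrounding code escape is not visible in this diff.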

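--- a/main/forum/viewforumcategory.php
+++ b/main/forum/viewforumcategory.php
@@ -126,8 +126,6 @@ function hidecontent(content){
 
 $logInfo = [
 'tool' => TOOL_FORUM,
-'tool_id' => 0,
-'tool_id_detail' => 0,
 'action' => $action,
 'info' => isset($_GET['content']) ? $_GET['content'] : '',
 ];
@@ -181,7 +179,7 @@ function hidecontent(content){
 
 $forum_categories_list = [];
 $forumId = $forum_category['cat_id'];
-$forumTitle = $forum_category['cat_title'];
+$forumTitle = Security::remove_XSS($forum_category['cat_title']);
 $linkForumCategory = 'viewforumcategory.php?'.api_get_cidreq().'&forumcategory='.strval(intval($forumId));
 $descriptionCategory = $forum_category['cat_comment'];
 $icoCategory = Display::return_icon(
@@ -271,32 +269,26 @@ function hidecontent(content){
 // you are teacher => show forum
 
 if (api_is_allowed_to_edit(false, true)) {
-//echo 'teacher';
 $show_forum = true;
 } else {
 // you are not a teacher
-//echo 'student';
 // it is not a group forum => show forum
 // (invisible forums are already left out see get_forums function)
 if ($forum['forum_of_group'] == '0') {
-//echo '-gewoon forum';
 $show_forum = true;
 } else {
 // it is a group forum
 //echo '-groepsforum';
 // it is a group forum but it is public => show
 if ($forum['forum_group_public_private'] == 'public') {
 $show_forum = true;
-//echo '-publiek';
 } else {
 // it is a group forum and it is private
 //echo '-prive';
 // it is a group forum and it is private but the user is member of the group
 if (in_array($forum['forum_of_group'], $groups_of_user)) {
-//echo '-is lid';
 $show_forum = true;
 } else {
-//echo '-is GEEN lid';
 $show_forum = false;
 }
 }
@@ -360,14 +352,14 @@ function hidecontent(content){
 $html .= '<div class="col-md-9">';
 $iconForum = Display::return_icon(
 'forum_yellow.png',
-get_lang($forum_category['cat_title']),
+Security::remove_XSS(get_lang($forum_category['cat_title'])),
 null,
 ICON_SIZE_MEDIUM
 );
 
 $linkForum = Display::tag(
 'a',
-$forum['forum_title'].$session_displayed,
+Security::remove_XSS($forum['forum_title']).$session_displayed,
 [
 'href' => 'viewforum.php?'.api_get_cidreq(true, false)."&gidReq={$forum['forum_of_group']}&forum={$forum['forum_id']}&search=".Security::remove_XSS(urlencode(isset($_GET['search']) ? $_GET['search'] : '')),
 'class' => empty($forum['visibility']) ? 'text-muted' : null,
@@ -382,7 +374,7 @@ function hidecontent(content){
 );
 $html .= Display::tag(
 'p',
-strip_tags($forum['forum_comment']),
+Security::remove_XSS(strip_tags($forum['forum_comment'])),
 [
 'class' => 'description',
 ]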
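Review bot: `$descriptionCategory = $forum_category['cat_comment'];` (context line 185 in the second hunk) is still read unfiltered, even though `cat_title` on the line above now passes through `Security::remove_XSS()` and the last hunk filters `forum_comment` with `Security::remove_XSS(strip_tags(...))`; if `$descriptionCategory` reaches the page, the consistent form would be `$descriptionCategory = Security::remove_XSS(strip_tags($forum_category['cat_comment']));`. The first hunk also drops `'tool_id'` and `'tool_id_detail'` from `$logInfo` and the third hunk deletes commented-out debug echos, neither of which is covered by the commit title "add remove_xss"; they would be clearer as a separate commit, or at least mentioned in the description. Separately, `'info' => isset($_GET['content']) ? $_GET['content'] : ''` stores a raw request parameter in the log record; whether that is harmless depends on how the log is later rendered, which is outside this diff.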

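--- a/main/template/default/forum/list.tpl
+++ b/main/template/default/forum/list.tpl
@@ -47,7 +47,7 @@
 
 {% if fold_forum_categories %}
 {% set panel_icon %}
-<a href="{{ item.url }}" title="{{ item.title }}">
+<a href="{{ item.url }}" title="{{ item.title | remove_xss }}">
 <span class="open">{{ 'forum_blue.png'|img(32) }}</span>
 </a>
 {% endset %}
@@ -62,7 +62,8 @@
 {% set panel_title %}
 <a href="{{ item.url }}" title="{{ item.title }}">
 <span class="open">{{ 'forum_blue.png'|img(32) }}</span>
-{{ item.title }}{{ item.icon_session }}
+{{ item.title | remove_xss }}
+{{ item.icon_session }}
 </a>
 {% for category_language_item in category_language_array %}
 <span class="flag-icon flag-icon-{{ languages[category_language_item | lower] }}"></span>
@@ -106,7 +107,13 @@
 </div>
 <h3 class="title">
 {{ 'forum_yellow.png'|img(32) }}
-<a href="{{ subitem.url }}" title="{{ subitem.title }}" class="{{ subitem.visibility != '1' ? 'text-muted': '' }}">{{ subitem.title }}</a>
+<a
+href="{{ subitem.url }}"
+title="{{ subitem.title | remove_xss }}"
+class="{{ subitem.visibility != '1' ? 'text-muted': '' }}"
+>
+{{ subitem.title | remove_xss }}
+</a>
 {% if subitem.forum_of_group != 0 %}
 <a class="forum-goto" href="../group/group_space.php?{{ _p.web_cid_query }}&gidReq={{ subitem.forum_of_group }}">
 {{ "forum.png"|img(22) }} {{ "GoTo"|get_lang }} {{ subitem.forum_group_title }}
@@ -124,16 +131,16 @@
 </div>
 {% endif %}
 <div class="description">
-{{ subitem.description }}
+{{ subitem.description | remove_xss }}
 </div>
 
 {{ subitem.last_post_text }}
-
 {{ subitem.alert }}
+
 {% if subitem.moderation is not empty %}
 <span class="label label-warning">
-{{ "PostsPendingModeration"|get_lang }}: {{ subitem.moderation }}
-</span>
+{{ "PostsPendingModeration"|get_lang }}: {{ subitem.moderation }}
+</span>
 {% endif %}
 </div>
 </div>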
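Review bot: In the second hunk the context line `<a href="{{ item.url }}" title="{{ item.title }}">` (line 63) keeps the unfiltered `item.title` in the title attribute, while the same attribute at line 50 in the first hunk receives `| remove_xss` and the link text two lines below it is filtered as well; the change looks incomplete for that element. Changing it to `<a href="{{ item.url }}" title="{{ item.title | remove_xss }}">` would make the two panels consistent. Whether `remove_xss` is needed on top of Twig's own autoescaping depends on whether these templates render with autoescape enabled, which this diff does not show; if they do not, the `item.url` and `subitem.url` attributes are in the same position as the titles and would deserve the same review.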
