Exercises: add remove_xss

Author: jmontoyaa

main/exercise/TestCategory.php

@@ -499,7 +499,7 @@ public static function getCategoriesIdAndName($courseId = 0)
         $categories = self::getCategoryListInfo('', $courseId);
         $result = ['0' => get_lang('NoCategorySelected')];
         for ($i = 0; $i < count($categories); $i++) {
-            $result[$categories[$i]->iid] = $categories[$i]->name;
+            $result[$categories[$i]->iid] = Security::remove_XSS($categories[$i]->name);
         }
 
         return $result;
@@ -677,7 +677,7 @@ public static function returnCategoryAndTitle($questionId, $in_display_category_
             ($in_display_category_name == 1 || !$is_student)
         ) {
             $content .= '<div class="page-header">';
-            $content .= '<h4>'.get_lang('Category').": ".self::getCategoryNameForQuestion($questionId).'</h4>';
+            $content .= '<h4>'.get_lang('Category').": ".Security::remove_XSS(self::getCategoryNameForQuestion($questionId)).'</h4>';
             $content .= "</div>";
         }
 
@@ -1239,7 +1239,7 @@ public function displayCategories($courseId, $sessionId = 0)
             $nb_question_label = $nb_question == 1 ? $nb_question.' '.get_lang('Question') : $nb_question.' '.get_lang('Questions');
             $content = "<span style='float:right'>".$nb_question_label."</span>";
             $content .= '<div class="sectioncomment">';
-            $content .= $category['description'];
+            $content .= Security::remove_XSS($category['description']);
             $content .= '</div>';
             $links = '';
 
@@ -1251,7 +1251,7 @@ public function displayCategories($courseId, $sessionId = 0)
                 $links .= Display::return_icon('delete.png', get_lang('Delete'), [], ICON_SIZE_SMALL).'</a>';
             }
 
-            $html .= Display::panel($content, $category['title'].$links);
+            $html .= Display::panel($content, Security::remove_XSS($category['title']).$links);
         }
 
         return $html;

main/exercise/admin.php

@@ -277,12 +277,12 @@
 if (isset($_GET['newQuestion']) || isset($_GET['editQuestion'])) {
     $interbreadcrumb[] = [
         'url' => 'admin.php?exerciseId='.$objExercise->iid.'&'.api_get_cidreq(),
-        'name' => $objExercise->selectTitle(true),
+        'name' => Security::remove_XSS($objExercise->selectTitle(true)),
     ];
 } else {
     $interbreadcrumb[] = [
         'url' => '#',
-        'name' => $objExercise->selectTitle(true),
+        'name' => Security::remove_XSS($objExercise->selectTitle(true)),
     ];
 }
 
@@ -445,7 +445,7 @@ function ($acc, $questionId) {
         // Question preview if teacher clicked the "switch to student"
         if ($studentViewActive && $is_allowedToEdit) {
             echo '<div class="main-question">';
-            echo Display::div($objQuestion->selectTitle(), ['class' => 'question_title']);
+            echo Display::div(Security::remove_XSS($objQuestion->selectTitle()), ['class' => 'question_title']);
             ExerciseLib::showQuestion(
                 $objExercise,
                 $editQuestion,

main/exercise/exercise.class.php

@@ -6524,9 +6524,9 @@ public function showExerciseResultHeader(
         }
 
         if (api_get_configuration_value('save_titles_as_html')) {
-            $data['title'] = $this->get_formated_title().get_lang('Result');
+            $data['title'] = Security::remove_XSS($this->get_formated_title()).get_lang('Result');
         } else {
-            $data['title'] = PHP_EOL.$this->exercise.' : '.get_lang('Result');
+            $data['title'] = PHP_EOL.Security::remove_XSS($this->exercise).' : '.get_lang('Result');
         }
 
         $questionsCount = count(explode(',', $trackExerciseInfo['data_tracking']));

main/exercise/exercise_submit.php

@@ -200,7 +200,7 @@
 }
 
 // if the user has submitted the form.
-$exercise_title = $objExercise->selectTitle();
+$exercise_title = Security::remove_XSS($objExercise->selectTitle());
 $exercise_sound = $objExercise->selectSound();
 
 // If reminder ends we jump to the exercise_reminder
@@ -659,12 +659,6 @@
         }
         $count++;
     }
-    //var_dump($questionCheck);exit;
-    // Use reminder list to get the current question.
-    /*if (2 === $reminder && !empty($myRemindList)) {
-        $remindQuestionId = current($myRemindList);
-        $questionCheck = Question::read($remindQuestionId);
-    }*/
 
     $categoryId = 0;
     if (null !== $questionCheck) {
@@ -674,20 +668,19 @@
     if ($objExercise->review_answers && isset($_GET['category_id'])) {
         $categoryId = $_GET['category_id'] ?? 0;
     }
-    //var_dump($categoryId, $categoryList);
+
     if (!empty($categoryId)) {
         $categoryInfo = $categoryList[$categoryId];
         $count = 1;
         $total = count($categoryList[$categoryId]);
-        //var_dump($questionCheck);
+
         foreach ($categoryList[$categoryId] as $checkQuestionId) {
             if ((int) $checkQuestionId === (int) $questionCheck->iid) {
                 break;
             }
             $count++;
         }
 
-        //var_dump($count , $total);
         if ($count === $total) {
             $isLastQuestionInCategory = $categoryId;
             if ($isLastQuestionInCategory) {
@@ -717,8 +710,7 @@
         api_location($url);
     }
 }
-//exit;
-//var_dump($isLastQuestionInCategory);
+
 if ($debug) {
     error_log('8. Question list loaded '.print_r($questionList, 1));
 }
@@ -728,7 +720,7 @@
 if (!empty($questionList)) {
     $question_count = count($questionList);
 }
-//var_dump($current_question);
+
 if ($current_question > $question_count) {
     // If time control then don't change the current question, otherwise there will be a loop.
     // @todo
@@ -738,10 +730,6 @@
 }
 
 if ($formSent && isset($_POST)) {
-    if ($debug) {
-        error_log('9. $formSent was set');
-    }
-
     if (!is_array($exerciseResult)) {
         $exerciseResult = [];
         $exerciseResultCoordinates = [];
@@ -1701,7 +1689,7 @@ function validate_all() {
         if ($objExercise->type == ONE_PER_PAGE || ($objExercise->type != ONE_PER_PAGE && $i == 1)) {
             echo Display::panelCollapse(
                 '<span>'.get_lang('ExerciseDescriptionLabel').'</span>',
-                $objExercise->description,
+                Security::remove_XSS($objExercise->description),
                 'exercise-description',
                 [],
                 'description',

main/exercise/overview.php

@@ -52,7 +52,7 @@
     'url' => 'exercise.php?'.api_get_cidreq(),
     'name' => get_lang('Exercises'),
 ];
-$interbreadcrumb[] = ['url' => '#', 'name' => $objExercise->selectTitle(true)];
+$interbreadcrumb[] = ['url' => '#', 'name' => Security::remove_XSS($objExercise->selectTitle(true))];
 
 $time_control = false;
 $clock_expired_time = ExerciseLib::get_session_time_control_key($objExercise->iid, $learnpath_id, $learnpath_item_id);
@@ -122,17 +122,17 @@
 // Exercise name.
 if (api_get_configuration_value('save_titles_as_html')) {
     $html .= Display::div(
-        $objExercise->get_formated_title().PHP_EOL.$editLink
+        Security::remove_XSS($objExercise->get_formated_title()).PHP_EOL.$editLink
     );
 } else {
     $html .= Display::page_header(
-        $iconExercise.PHP_EOL.$objExercise->selectTitle().PHP_EOL.$editLink
+        $iconExercise.PHP_EOL.Security::remove_XSS($objExercise->selectTitle()).PHP_EOL.$editLink
     );
 }
 
 // Exercise description.
 if (!empty($objExercise->description)) {
-    $html .= Display::div($objExercise->description, ['class' => 'exercise_description']);
+    $html .= Display::div(Security::remove_XSS($objExercise->description), ['class' => 'exercise_description']);
 }
 
 $exercise_stat_info = $objExercise->get_stat_track_exercise_info(

main/inc/lib/exercise.lib.php

@@ -84,7 +84,7 @@ public static function showQuestion(
                     if ($exercise->display_category_name) {
                         TestCategory::displayCategoryAndTitle($objQuestionTmp->iid);
                     }
-                    $titleToDisplay = $objQuestionTmp->getTitleToDisplay($current_item);
+                    $titleToDisplay = Security::remove_XSS($objQuestionTmp->getTitleToDisplay($current_item));
                     if ($answerType == READING_COMPREHENSION) {
                         // In READING_COMPREHENSION, the title of the question
                         // contains the question itself, which can only be
@@ -4846,7 +4846,7 @@ public static function displayQuestionListByAttempt(
         }
 
         // Display text when test is finished #4074 and for LP #4227
-        $endOfMessage = $objExercise->getTextWhenFinished();
+        $endOfMessage = Security::remove_XSS($objExercise->getTextWhenFinished());
         if (!empty($endOfMessage)) {
             echo Display::div(
                 $endOfMessage,
@@ -5173,7 +5173,7 @@ public static function displayQuestionListByAttempt(
         if (api_get_configuration_value('quiz_show_description_on_results_page') &&
             !empty($objExercise->description)
         ) {
-            echo Display::div($objExercise->description, ['class' => 'exercise_description']);
+            echo Display::div(Security::remove_XSS($objExercise->description), ['class' => 'exercise_description']);
         }
 
         echo $exercise_content;

main/template/default/exercise/partials/result_exercise.tpl

@@ -2,9 +2,9 @@
     <div class="panel panel-default">
         <div class="panel-body">
             {% if 'save_titles_as_html'|api_get_configuration_value %}
-                {{ data.title }}
+                {{ data.title | remove_xss }}
             {% else %}
-                <h3>{{ data.title }}</h3>
+                <h3>{{ data.title | remove_xss  }}</h3>
             {% endif %}
 
             <div class="row">