Security - Add Database:escape_string and remove_XSS

Author: jmontoyaa

main/admin/languages.php

@@ -197,13 +197,13 @@
 
 if (isset($_POST['Submit']) && $_POST['Submit']) {
     // changing the name
-    $sql = "UPDATE $tbl_admin_languages SET original_name='{$_POST['txt_name']}'
-            WHERE id='{$_POST['edit_id']}'";
+    $name = Database::escape_string($_POST['txt_name']);
+    $postId = (int) $_POST['edit_id'];
+    $sql = "UPDATE $tbl_admin_languages SET original_name='$name'
+            WHERE id='$postId'";
     $result = Database::query($sql);
     // changing the Platform language
     if ($_POST['platformlanguage'] && $_POST['platformlanguage'] != '') {
-        //$sql_update_2 = "UPDATE $tbl_settings_current SET selected_value='{$_POST['platformlanguage']}' WHERE variable='platformLanguage'";
-        //$result_2 = Database::query($sql_update_2);
         api_set_setting('platformLanguage', $_POST['platformlanguage'], null, null, $_configuration['access_url']);
     }
 } elseif (isset($_POST['action'])) {
@@ -253,13 +253,16 @@
 // including the header file (which includes the banner itself)
 Display::display_header($tool_name);
 
-echo '<a id="disable_all_except_default" href="javascript:void(0)" class="btn btn-primary"><em class="fa fa-eye"></em> '.get_lang('LanguagesDisableAllExceptDefault').'</a><br /><br />';
+echo '<a 
+    id="disable_all_except_default" 
+    href="javascript:void(0)" class="btn btn-primary">
+    <em class="fa fa-eye"></em> '.get_lang('LanguagesDisableAllExceptDefault').'</a><br /><br />';
 
 // selecting all the languages
 $sql_select = "SELECT * FROM $tbl_admin_languages";
 $result_select = Database::query($sql_select);
 
-$sql_select_lang = "SELECT * FROM $tbl_settings_current WHERE  category='Languages'";
+$sql_select_lang = "SELECT * FROM $tbl_settings_current WHERE category='Languages'";
 $result_select_lang = Database::query($sql_select_lang);
 $row_lang = Database::fetch_array($result_select_lang);
 

main/admin/subscribe_user2course.php

@@ -17,8 +17,6 @@
 
 api_protect_admin_script();
 
-/* Global constants and variables */
-
 $form_sent = 0;
 $first_letter_user = '';
 $first_letter_course = '';
@@ -30,7 +28,7 @@
 
 /* Header */
 $tool_name = get_lang('AddUsersToACourse');
-$interbreadcrumb[] = ["url" => 'index.php', "name" => get_lang('PlatformAdmin')];
+$interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
 
 $htmlHeadXtra[] = '<script>
 function validate_filter() {
@@ -56,7 +54,7 @@ function validate_filter() {
 $new_field_list = [];
 if (is_array($extra_field_list)) {
     foreach ($extra_field_list as $extra_field) {
-        //if is enabled to filter and is a "<select>" field type
+        // if is enabled to filter and is a "<select>" field type
         if ($extra_field[8] == 1 && $extra_field[2] == ExtraField::FIELD_TYPE_SELECT) {
             $new_field_list[] = [
                 'name' => $extra_field[3],
@@ -83,8 +81,8 @@ function validate_filter() {
     $form_sent = $_POST['form_sent'];
     $users = isset($_POST['UserList']) && is_array($_POST['UserList']) ? $_POST['UserList'] : [];
     $courses = isset($_POST['CourseList']) && is_array($_POST['CourseList']) ? $_POST['CourseList'] : [];
-    $first_letter_user = $_POST['firstLetterUser'];
-    $first_letter_course = $_POST['firstLetterCourse'];
+    $first_letter_user = Database::escape_string($_POST['firstLetterUser']);
+    $first_letter_course = Database::escape_string($_POST['firstLetterCourse']);
 
     foreach ($users as $key => $value) {
         $users[$key] = intval($value);
@@ -306,7 +304,7 @@ function validate_filter() {
      <b><?php echo get_lang('CourseList'); ?> :</b>
      <br/><br/>
         <?php echo get_lang('FirstLetterCourse'); ?> :
-     <select name="firstLetterCourse" 
+     <select name="firstLetterCourse"
         onchange="javascript:document.formulaire.form_sent.value='2'; document.formulaire.submit();"
         aria-label="<?php echo get_lang('FirstLetterCourse'); ?>">
       <option value="">--</option>

main/admin/teacher_time_report.php

@@ -46,11 +46,11 @@
     $selectedTeacher = $formValues['teacher'];
 
     if (!empty($formValues['from'])) {
-        $selectedFrom = $formValues['from'];
+        $selectedFrom = Security::remove_XSS($formValues['from']);
     }
 
     if (!empty($formValues['until'])) {
-        $selectedUntil = $formValues['until'];
+        $selectedUntil = Security::remove_XSS($formValues['until']);
     }
 }
 
@@ -96,6 +96,9 @@
 if (!empty($selectedCourse)) {
     $withFilter = true;
     $course = api_get_course_info($selectedCourse);
+    if (empty($course)) {
+        api_not_allowed(true);
+    }
     $reportTitle = sprintf(get_lang('TimeReportForCourseX'), $course['title']);
     $teachers = CourseManager::get_teacher_list_from_course_code($selectedCourse);
 

main/auth/courses_categories.php

@@ -8,13 +8,17 @@
  *
  * @package chamilo.auth
  */
+
 if (isset($_REQUEST['action']) && Security::remove_XSS($_REQUEST['action']) !== 'subscribe') {
     $stok = Security::get_token();
 } else {
     $stok = Security::getTokenFromSession();
 }
 
 $action = !empty($_REQUEST['action']) ? Security::remove_XSS($_REQUEST['action']) : 'display_courses';
+global $actions;
+$action = in_array($action, $actions) ? $action : 'display_courses';
+
 $showCourses = CoursesAndSessionsCatalog::showCourses();
 $showSessions = CoursesAndSessionsCatalog::showSessions();
 $pageCurrent = isset($pageCurrent) ? $pageCurrent : isset($_GET['pageCurrent']) ? intval($_GET['pageCurrent']) : 1;

main/inc/lib/api.lib.php

@@ -3270,6 +3270,7 @@ function api_display_tool_view_option()
         $output_string .= '<a class="btn btn-default btn-sm" href="'.$sourceurl.'&isStudentView=true" target="_self">'.
             Display::returnFontAwesomeIcon('eye').' '.get_lang('SwitchToStudentView').'</a>';
     }
+    $output_string = Security::remove_XSS($output_string);
     $html = Display::tag('div', $output_string, ['class' => 'view-options']);
 
     return $html;

main/inc/lib/formvalidator/Element/DateRangePicker.php

@@ -53,6 +53,7 @@ public function setValue($value)
      */
     public function parseDateRange($dateRange)
     {
+        $dateRange = Security::remove_XSS($dateRange);
         $dates = explode('/', $dateRange);
         $dates = array_map('trim', $dates);
         $start = isset($dates[0]) ? $dates[0] : '';
@@ -82,7 +83,7 @@ public function validateDates($dates, $format = null)
         $d = DateTime::createFromFormat($format, $dates['end']);
         $resultEnd = $d && $d->format($format) == $dates['end'];
 
-        if (!($resultStart) || !$resultEnd) {
+        if (!$resultStart || !$resultEnd) {
             return false;
         }
 
@@ -133,29 +134,29 @@ private function getElementJS()
         }
 
         $minDate = null;
-        $minDateValue = $this->getAttribute('minDate');
+        $minDateValue = Security::remove_XSS($this->getAttribute('minDate'));
         if (!empty($minDateValue)) {
             $minDate = "
                 minDate: '{$minDateValue}',
             ";
         }
 
         $maxDate = null;
-        $maxDateValue = $this->getAttribute('maxDate');
+        $maxDateValue = Security::remove_XSS($this->getAttribute('maxDate'));
         if (!empty($maxDateValue)) {
             $maxDate = "
                 maxDate: '{$maxDateValue}',
             ";
         }
 
         $format = 'YYYY-MM-DD HH:mm';
-        $formatValue = $this->getAttribute('format');
+        $formatValue = Security::remove_XSS($this->getAttribute('format'));
         if (!empty($formatValue)) {
             $format = $formatValue;
         }
 
         $timePicker = 'true';
-        $timePickerValue = $this->getAttribute('timePicker');
+        $timePickerValue = Security::remove_XSS($this->getAttribute('timePicker'));
         if (!empty($timePickerValue)) {
             $timePicker = $timePickerValue;
         }

main/inc/lib/formvalidator/Element/HtmlEditor.php

@@ -54,8 +54,7 @@ public function __construct(
      */
     public function toHtml()
     {
-        $value = $this->getValue();
-
+        $value = Security::remove_XSS($this->getValue());
         if ($this->editor) {
             if ($this->editor->getConfigAttribute('fullPage')) {
                 if (strlen(trim($value)) == 0) {
@@ -100,7 +99,7 @@ public function buildEditor($style = false)
     {
         $result = '';
         if ($this->editor) {
-            $this->editor->value = $this->getValue();
+            $this->editor->value = Security::remove_XSS($this->getValue());
             $this->editor->setName($this->getName());
             if ($style == true) {
                 $result = $this->editor->createHtmlStyle();