Gradebook: add remove_xss

jmontoyaa · jmontoyaa · commit e561531a74b0 · 2021-08-02T13:28:26.000+02:00
diff --git a/main/gradebook/lib/fe/gradebooktable.class.php b/main/gradebook/lib/fe/gradebooktable.class.php
@@ -423,7 +423,7 @@ public function get_table_data($from = 1, $per_page = null, $column = null, $dir
 
                 // Name.
                 if ('Category' === get_class($item)) {
-                    $row[] = $invisibility_span_open.'<strong>'.$item->get_name().'</strong>'.$invisibility_span_close;
+                    $row[] = $invisibility_span_open.'<strong>'.Security::remove_XSS($item->get_name()).'</strong>'.$invisibility_span_close;
                     $main_categories[$item->get_id()]['name'] = $item->get_name();
                 } else {
                     $name = $this->build_name_link($item, $type);
diff --git a/main/gradebook/lib/fe/linkaddeditform.class.php b/main/gradebook/lib/fe/linkaddeditform.class.php
@@ -92,7 +92,7 @@ public function __construct(
                                 $default_weight = $my_cat->get_weight();
                                 $select_gradebook->addOption(get_lang('Default'), $my_cat->get_id());
                             } else {
-                                $select_gradebook->addOption($my_cat->get_name(), $my_cat->get_id());
+                                $select_gradebook->addOption(Security::remove_XSS($my_cat->get_name()), $my_cat->get_id());
                             }
                         } else {
                             $select_gradebook->addOption(get_lang('Select'), 0);
diff --git a/main/gradebook/lib/flatview_data_generator.class.php b/main/gradebook/lib/flatview_data_generator.class.php
@@ -155,7 +155,7 @@ public function get_header_names($items_start = 0, $items_count = null, $show_de
                 $add_weight = " $sub_cat_weight %";
 
                 $mainHeader = Display::url(
-                    $sub_cat->get_name(),
+                    Security::remove_XSS($sub_cat->get_name()),
                     api_get_self().'?selectcat='.$sub_cat->get_id().'&'.api_get_cidreq()
                 ).$add_weight;
 
diff --git a/main/gradebook/lib/gradebook_data_generator.class.php b/main/gradebook/lib/gradebook_data_generator.class.php
@@ -124,7 +124,7 @@ public function get_data(
         foreach ($visibleItems as $item) {
             $row = [];
             $row[] = $item;
-            $row[] = $item->get_name();
+            $row[] = Security::remove_XSS($item->get_name());
             // display the 2 first line of description and all description
             // on mouseover (https://support.chamilo.org/issues/6588)
             $row[] = '<span title="'.api_remove_tags_with_space($item->get_description()).'">'.

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ public function __construct(`
`92`	`92`	`$default_weight = $my_cat->get_weight();`
`93`	`93`	`$select_gradebook->addOption(get_lang('Default'), $my_cat->get_id());`
`94`	`94`	`} else {`
`95`		`- $select_gradebook->addOption($my_cat->get_name(), $my_cat->get_id());`
	`95`	`+ $select_gradebook->addOption(Security::remove_XSS($my_cat->get_name()), $my_cat->get_id());`
`96`	`96`	`}`
`97`	`97`	`} else {`
`98`	`98`	`$select_gradebook->addOption(get_lang('Select'), 0);`