Security fixes

This commit is contained in:
nemunaire 2016-07-17 10:22:51 +02:00
parent 89122cc4a4
commit dc2a338847
5 changed files with 9 additions and 8 deletions

View File

@ -124,6 +124,7 @@ class Question
public function validated() public function validated()
{ {
$this->validated = true; $this->validated = true;
$this->reported = 0;
//Return to normal ID //Return to normal ID
$this->getNormalId(); $this->getNormalId();

View File

@ -24,13 +24,13 @@ else
if ($question->get_writer() != null) if ($question->get_writer() != null)
{?><strong>Proposée par :</strong> <a href="mailto:<?php echo $question->get_writer()->getEmail(); ?>"><?php echo $question->get_writer()->getUsername(); ?></a><br><br><?php } ?> {?><strong>Proposée par :</strong> <a href="mailto:<?php echo $question->get_writer()->getEmail(); ?>"><?php echo $question->get_writer()->getUsername(); ?></a><br><br><?php } ?>
<strong>Cours concerné :</strong> <?php echo $question->getCourse()->getName(); ?><br><br> <strong>Cours concerné :</strong> <?php echo $question->getCourse()->getName(); ?><br><br>
<strong>Question posée :</strong> <?php echo $question->getQuestion(); ?><br><br> <strong>Question posée :</strong> <?php echo nl2br(htmlentities($question->getQuestion(), ENT_COMPAT, "UTF-8")); ?><br><br>
<strong>Réponses valides exhaustives :</strong> <strong>Réponses valides exhaustives :</strong>
</p> </p>
<?php <?php
echo "<ul>"; echo "<ul>";
foreach($question->getAnswer() as $a) foreach($question->getAnswer() as $a)
echo "<li>".$a."</li>"; echo "<li>".htmlentities($a, ENT_COMPAT, "UTF-8")."</li>";
echo "</ul>"; echo "</ul>";
?> ?>
<p> <p>
@ -64,7 +64,7 @@ foreach($cs as $c)
<p id="questionPart"> <p id="questionPart">
<label id="q" for="question">Quelle est votre question ? </label><br> <label id="q" for="question">Quelle est votre question ? </label><br>
<textarea id="question" name="question" rows="3" cols="70"><?php echo nl2br(htmlentities(utf8_decode($question->getQuestion()))); ?></textarea> <textarea id="question" name="question" rows="3" cols="70"><?php echo htmlentities($question->getQuestion(), ENT_COMPAT, "UTF-8"); ?></textarea>
</p> </p>
<p id="answerList"> <p id="answerList">
<label for="answer">Quelle est la réponse ?</label><br> <label for="answer">Quelle est la réponse ?</label><br>

View File

@ -26,7 +26,7 @@ else
<article id="menu">.: <article id="menu">.:
<form method="get" action="?" style="float: right;"> <form method="get" action="?" style="float: right;">
<?php if (isset($_GET["valid"])) echo '<input type="hidden" name="valid">'; ?> <?php if (isset($_GET["valid"])) echo '<input type="hidden" name="valid">'; ?>
<label for="filter">Filter par code de cours :</label> <input type="text" id="filter" name="filter" value="<?php echo $filter; ?>"> <input type="submit" value="Filtrer"> <label for="filter">Filtrer par code de cours :</label> <input type="text" id="filter" name="filter" value="<?php echo $filter; ?>"> <input type="submit" value="Filtrer">
</form> </form>
<a href="?">Liste des questions non-validées</a> :: <a href="?">Liste des questions non-validées</a> ::
<a href="?<?php if (isset($_GET["valid"])) echo "valid&amp;"; ?>report">Liste des questions rapportées</a> :: <a href="?<?php if (isset($_GET["valid"])) echo "valid&amp;"; ?>report">Liste des questions rapportées</a> ::
@ -77,7 +77,7 @@ foreach($file->get_questions() as $q)
?> ?>
<tr> <tr>
<td><acronym title="<?php echo $q->getCourse()->getName(); ?>"><?php echo $q->getCourse()->getCode(); ?></acronym></td> <td><acronym title="<?php echo $q->getCourse()->getName(); ?>"><?php echo $q->getCourse()->getCode(); ?></acronym></td>
<td><?php echo $q->getQuestion(); ?></td> <td><?php echo htmlentities($q->getQuestion(), ENT_COMPAT, "UTF-8"); ?></td>
<td><?php if ($q->get_writer() != null) echo $q->get_writer()->getUsername(); ?></td> <td><?php if ($q->get_writer() != null) echo $q->get_writer()->getUsername(); ?></td>
<td><?php echo strftime("%d/%m/%y %H:%M", $q->getAddedTime()); ?></td> <td><?php echo strftime("%d/%m/%y %H:%M", $q->getAddedTime()); ?></td>
<td><?php if ($q->get_validator() != null) echo $q->get_validator()->getUsername(); ?> <td><?php if ($q->get_validator() != null) echo $q->get_validator()->getUsername(); ?>

0
questions.php Executable file → Normal file
View File

View File

@ -21,13 +21,13 @@ else
?> ?>
<p> <p>
<strong>Cours concerné :</strong> <?php echo $question->getCourse()->getName(); ?><br><br> <strong>Cours concerné :</strong> <?php echo $question->getCourse()->getName(); ?><br><br>
<strong>Question posée :</strong> <?php echo $question->getQuestion(); ?><br><br> <strong>Question posée :</strong> <?php echo htmlentities($question->getQuestion(), ENT_COMPAT, "UTF-8"); ?><br><br>
<strong>Réponses valides exhaustives :</strong> <strong>Réponses valides exhaustives :</strong>
</p> </p>
<?php <?php
echo "<ul>"; echo "<ul>";
foreach($question->getAnswer() as $a) foreach($question->getAnswer() as $a)
echo "<li>".$a."</li>"; echo "<li>".htmlentities($a, ENT_COMPAT, "UTF-8")."</li>";
echo "</ul>"; echo "</ul>";
if ($question->isValidation()) if ($question->isValidation())
{ {
@ -37,7 +37,7 @@ if ($question->isValidation())
action="thanksRefused.php"> action="thanksRefused.php">
<label for="comment">Précisez les raisons de votre refus</label> <label for="comment">Précisez les raisons de votre refus</label>
<input name="comment" type="textarea" <input name="comment" type="textarea"
rows="5" cols="50" /> rows="5" cols="50">
<input type="hidden" name="id" value="<?php echo $question->getId() ?>"> <input type="hidden" name="id" value="<?php echo $question->getId() ?>">
<input type="submit" value="Refuser la question"> <input type="submit" value="Refuser la question">