Description
In 1.11.30 (and many versions before that), the entities that could be used to attack through JS are converted into visible HTML entities.
For example, if a course title is "Paris & Marseille < France", then the saved version will appear as "Paris & Marseille". If using "Paris & Marseille > France", then what appears is "Paris & Marseille".
This is saved in the database as escaped entities, despite Chamilo's principle of only escaping HTML entities when the value has to be displayed on an HTML page.
This is due to excessive filtering, made obvious by the fact that, for example, infocours.php contains the following code:
$form->addText('title', get_lang('Title'), true);
$form->applyFilter('title', 'html_filter');
$form->applyFilter('title', 'trim');
while addText() in FormValidator itself already includes:
$this->applyFilter($name, 'html_filter');
$this->applyFilter($name, 'attr_on_filter');
This is a known issue for which we don't have a valid patch yet. Removing the duplicate filtering is easy: edit FormValidator.class.php (in main/inc/lib/formvalidator/) and comment out the two lines above in the addText() method. Done.
However, this is likely to introduce security vulnerabilities (until properly thought through) and we are not willing to do that.
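To make the double filtering concrete, here is an added PHP illustration (not Chamilo's own code): it models html_filter with htmlspecialchars(), which is an assumption about the real filter, and contrasts the twice-escaped value that ends up stored with escaping once at render time, as the principle above requires.

```php
<?php
// Added illustration, not Chamilo code.
// Assumption: html_filter is modelled as htmlspecialchars(); the real Chamilo
// filter may differ, but applying any escaping filter twice has the same effect.
function html_filter_stub(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Run a value through a list of filters in order, the way a form
// filter chain (addText() filters first, then the page's own) does.
function apply_filters(string $value, array $filters): string
{
    foreach ($filters as $filter) {
        $value = $filter($value);
    }
    return $value;
}

// Escape exactly once, at output time. double_encode=false means a value
// that was already stored escaped by older versions is not escaped again.
function render_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8', false);
}

$title = 'Paris & Marseille < France';

// Current behaviour: addText() registers html_filter and infocours.php
// registers it again, so '&' becomes '&amp;amp;' before the value is stored.
$storedTwiceFiltered = apply_filters($title, ['html_filter_stub', 'html_filter_stub', 'trim']);

// Intended behaviour: keep the raw title in the database and escape it once
// when it is written into the HTML page, so '<' is inert but readable.
$storedRaw = apply_filters($title, ['trim']);
$rendered  = render_html($storedRaw);

// Titles already stored as entities render identically, so escaping on
// output does not make legacy rows worse.
$legacyRow = 'Paris &amp; Marseille &lt; France';

printf("stored (double filter): %s\n", $storedTwiceFiltered);
printf("rendered from raw:      %s\n", $rendered);
printf("rendered from legacy:   %s\n", render_html($legacyRow));
```

The last two outputs are identical, which is what lets output-side escaping be introduced before the stored values are cleaned up.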