HTML filtering on titles #6400

Open

@ywarnier

Description

In 1.11.30 (and many versions before that), the entities that could be used to hack through JS are transformed into visible HTML entities.

For example, if a course title is Paris & Marseille < France, then the saved version will appear as Paris &amp; Marseille
If using Paris & Marseille > France, then what appears is Paris &amp; Marseille.

This is saved in the database as escaped entities, despite the principle of Chamilo to only filter HTML entities when we have to display them on an HTML page.

This is due to excessive filtering, made obvious by the fact, for example, that infocours.php contains the following code:

```php
$form->addText('title', get_lang('Title'), true);
$form->applyFilter('title', 'html_filter');
$form->applyFilter('title', 'trim');
```

While the very addText() of FormValidator already includes:

```php
$this->applyFilter($name, 'html_filter');
$this->applyFilter($name, 'attr_on_filter');
```

This is a known issue for which we don't have a valid patch yet. Removing it is easy: edit FormValidator.class.php (in main/inc/lib/formvalidator/) and comment out the two lines above in the addText() method. Done.
However, this is likely to introduce security vulnerabilities (until properly thought through) and we are not willing to do that.
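The following is an added example, not code from Chamilo or from the issue author, contrasting the input-time escaping described above with escaping only at output time. `filterOnInput` and `renderTitle` are stand-ins for the `html_filter` step and for output escaping; `roundTrips` is a hypothetical helper that checks whether what the browser would show equals the title that was typed.

```php
<?php
declare(strict_types=1);

// Stand-in for an input-time filter such as 'html_filter': it turns
// &, <, > and quotes into entities before the value reaches the database.
function filterOnInput(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output-time escaping: the one place where entities should be produced,
// following the principle that filtering happens only when rendering HTML.
function renderTitle(string $storedTitle): string
{
    return htmlspecialchars($storedTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simulates store-then-render and compares the text a browser would show
// (rendered markup with entities decoded once) against the original title.
function roundTrips(string $title, bool $escapeOnInput): bool
{
    $stored   = $escapeOnInput ? filterOnInput(trim($title)) : trim($title);
    $rendered = renderTitle($stored);
    $shown    = html_entity_decode($rendered, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $shown === trim($title);
}

// Constructed sample input taken from the issue description.
$title = 'Paris & Marseille < France';

// Escaped on input: the stored '&amp;' is escaped again at render time,
// so the page shows the literal text "&amp;" instead of "&".
$escapedTwice = renderTitle(filterOnInput(trim($title)));

// Stored raw and escaped once on output: the page shows the title as typed,
// while '<' is still neutralised in the markup.
$escapedOnce = renderTitle(trim($title));

printf("input-time escaping round-trips: %s\n", roundTrips($title, true) ? 'yes' : 'no');
printf("output-time escaping round-trips: %s\n", roundTrips($title, false) ? 'yes' : 'no');
printf("markup when escaped on input:  %s\n", $escapedTwice);
printf("markup when escaped on output: %s\n", $escapedOnce);
```

Both variants keep the `<` out of the live markup; the difference is only that storing the raw title lets the output layer escape it exactly once.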
