if (empty($course->metacourse) && ($course->id!==SITEID)) {
if (has_capability('moodle/legacy:guest', $context, NULL, false)) { // Are a guest now
- $this->content->items[]='<a href="enrol.php?id='.$this->instance->pageid.'">'.get_string('enrolme', '', $course->shortname).'</a>';
+ $this->content->items[]='<a href="enrol.php?id='.$this->instance->pageid.'">'.get_string('enrolme', '', s($course->shortname)).'</a>';
$this->content->icons[]='<img src="'.$CFG->pixpath.'/i/user.gif" class="icon" alt="" />';
} else if (has_capability('moodle/role:unassignself', $context, NULL, false)) { // Have some role
- $this->content->items[]='<a href="unenrol.php?id='.$this->instance->pageid.'">'.get_string('unenrolme', '', $course->shortname).'</a>';
+ $this->content->items[]='<a href="unenrol.php?id='.$this->instance->pageid.'">'.get_string('unenrolme', '', s($course->shortname)).'</a>';
$this->content->icons[]='<img src="'.$CFG->pixpath.'/i/user.gif" class="icon" alt="" />';
}
}
continue;
}
$linkcss = $course->visible ? "" : " class=\"dimmed\" ";
- $this->content->items[]="<a $linkcss title=\"$course->shortname\" ".
- "href=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->fullname</a>";
+ $this->content->items[]="<a $linkcss title=\"" . s($course->shortname) . "\" ".
+ "href=\"$CFG->wwwroot/course/view.php?id=$course->id\">" . s($course->fullname) . "</a>";
$this->content->icons[]=$icon;
}
$this->title = get_string('mycourses');
if (count($categories) > 1 || (count($categories) == 1 && count_records('course') > 200)) { // Just print top level category links
foreach ($categories as $category) {
$linkcss = $category->visible ? "" : " class=\"dimmed\" ";
- $this->content->items[]="<a $linkcss href=\"$CFG->wwwroot/course/category.php?id=$category->id\">$category->name</a>";
+ $this->content->items[]="<a $linkcss href=\"$CFG->wwwroot/course/category.php?id=$category->id\">" . s($category->name) . "</a>";
$this->content->icons[]=$icon;
}
$this->content->icons[] = '';
if ($courses) {
foreach ($courses as $course) {
$linkcss = $course->visible ? "" : " class=\"dimmed\" ";
- $this->content->items[]="<a $linkcss title=\"$course->shortname\" ".
+ $this->content->items[]="<a $linkcss title=\"".s($course->shortname)."\" ".
"href=\"$CFG->wwwroot/course/view.php?id=$course->id\">$course->fullname</a>";
$this->content->icons[]=$icon;
}
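Review bot: `$course->fullname` on the unchanged line after the edited title attribute is still interpolated raw into the link text, while the sibling loop earlier in this patch now wraps both `$course->shortname` and `$course->fullname` with s(); a course name containing `<` or `&` is escaped in one list and not the other. The two should match: `"href=\"$CFG->wwwroot/course/view.php?id=$course->id\">" . s($course->fullname) . "</a>";`. The enclosing `if ($courses)` block closes outside the hunk.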
$newcategory->name = $form->addcategory;
$newcategory->sortorder = 999;
if (!insert_record('course_categories', $newcategory)) {
- notify("Could not insert the new category '$newcategory->name'");
+ notify("Could not insert the new category '" . s($newcategory->name) . "'");
} else {
- notify(get_string('categoryadded', '', $newcategory->name));
+ notify(get_string('categoryadded', '', s($newcategory->name)));
}
}
}
/// Finally delete the category itself
if (delete_records('course_categories', 'id', $deletecat->id)) {
- notify(get_string('categorydeleted', '', $deletecat->name));
+ notify(get_string('categorydeleted', '', s($deletecat->name)));
}
}
else {
- $strdeletecategorycheck = get_string('deletecategorycheck','',$deletecat->name);
+ $strdeletecategorycheck = get_string('deletecategorycheck','', s($deletecat->name));
notice_yesno($strdeletecategorycheck,
"index.php?delete=$delete&sure=".md5($deletecat->timemodified)."&sesskey=$USER->sesskey",
"index.php?sesskey=$USER->sesskey");
$linkcss = $category->visible ? '' : ' class="dimmed" ';
echo '<a '.$linkcss.' title="'.$str->edit.'" '.
' href="category.php?id='.$category->id.'&categoryedit=on&sesskey='.sesskey().'">'.
- $category->name.'</a>';
+ s($category->name).'</a>';
echo '</td>';
echo '<td class="count">'.$category->coursecount.'</td>';
// check to see if user can add menus
if (!has_capability('moodle/course:manageactivities', get_context_instance(CONTEXT_COURSE, $course->id))) {
- return false;
+ return false;
}
static $resources = false;
if ($category) {
if ($path) {
- $path = $path.' / '.$category->name;
+ $path = $path.' / '.s($category->name);
} else {
- $path = $category->name;
+ $path = s($category->name);
}
$list[$category->id] = $path;
} else {
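Review bot: Escaping `$category->name` here bakes HTML entities into `$path` and therefore into `$list[$category->id]`, which is a data structure rather than output; any consumer that escapes the values again when rendering will double-encode (`&amp;amp;`), and any consumer that uses them for non-HTML purposes (titles, plain text, comparison) gets entity-encoded names. If the list is only ever printed raw this is fine, but that should be stated: `// names are HTML-escaped here; callers must not escape $list values again`. The enclosing function starts and ends outside the hunk.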
$modcontext = get_context_instance(CONTEXT_MODULE, $mod->id);
// no permission to edit
if (!has_capability('moodle/course:manageactivities', $modcontext)) {
- return false;
+ return false;
}
if (!isset($str)) {
} else {
$groupmode = "";
}
-
+
if (has_capability('moodle/course:update', get_context_instance(CONTEXT_COURSE, $mod->course))) {
if ($moveselect) {
$move = '<a class="editing_move" title="'.$str->move.'" href="'.$path.'/mod.php?copy='.$mod->id.
* true should be used to print data from forms and false for data from DB.
* @return string
*/
-function s($var, $strip=false) {
+function s($var, $strip=false, $specialchars=true) {
if ($var == '0') { // for integer 0, boolean false, string '0'
return '0';
}
+ $newvar = $var;
+
if ($strip) {
- return preg_replace("/&(#\d+);/i", "&$1;", htmlspecialchars(stripslashes_safe($var)));
- } else {
- return preg_replace("/&(#\d+);/i", "&$1;", htmlspecialchars($var));
+ $newvar = stripslashes_safe($newvar);
+ }
+
+ if ($specialchars) {
+ $newvar = htmlspecialchars($newvar);
}
+
+ // Any lonely ampersands left, convert them using negative lookahead
+ $newvar = preg_replace("/\&(?!amp;|gt;|lt;|quot;)([^&]*)/", "&$1", $newvar);
+ return $newvar;
}
/**
* Does proper javascript quoting.
* Do not use addslashes anymore, because it does not work when magic_quotes_sybase is enabled.
*
+ * @deprecated
+ * @since 1.8 - 22/02/2007
* @param mixed value
* @return mixed quoted result
*/
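Review bot: The "lonely ampersands" step in s() is a no-op as written: the pattern `/\&(?!amp;|gt;|lt;|quot;)([^&]*)/` captures everything after the `&` and the replacement `&$1` writes the same text back, so nothing is converted. This only matters when `$specialchars` is false (the new navigation call later in this patch uses `s($navigation, false, false)`), and in that case the string currently passes through s() unchanged apart from the optional stripslashes. If the intent is to turn bare `&` into `&amp;` without touching existing entities, something like `$newvar = preg_replace('/&(?!(?:amp|gt|lt|quot|#\d+|#x[0-9a-fA-F]+);)/', '&amp;', $newvar);` does that and also leaves numeric entities alone, which the current lookahead does not. The docblock above the signature should also gain `@param bool $specialchars true to run htmlspecialchars() on the value; false leaves tags intact and only fixes ampersands`, since the new parameter is undocumented.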
$bodytags .= ' class="'.$pageclass.'" id="'.$pageid.'"';
ob_start();
+ $title = s($title); // fix for MDL-8582
include($CFG->header);
$output = ob_get_contents();
ob_end_clean();
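Review bot: The added `$title = s($title);` escapes the title inside the function that includes `$CFG->header`, but the next hunk in this patch already passes `s($COURSE->shortname) .': '. s($title)` as the first argument of print_header(); if that hunk is calling this function, the title is escaped twice and an `&` in a course short name renders literally as `&amp;amp;`. Escape at one layer only: either drop the s() calls from the title argument at that call site, or omit this line and keep escaping at the callers. The fix label `// fix for MDL-8582` would be more useful as `// escape once here; callers must pass the raw title` so the contract is clear. The enclosing function starts and ends outside the hunk.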
$shortname ='';
if ($COURSE->id != SITEID) {
- $shortname = '<a href="'.$CFG->wwwroot.'/course/view.php?id='. $COURSE->id .'">'. $COURSE->shortname .'</a> ->';
+ $shortname = '<a href="'.$CFG->wwwroot.'/course/view.php?id='. $COURSE->id .'">'. s($COURSE->shortname) .'</a> ->';
}
- $output = print_header($COURSE->shortname .': '. $title, $COURSE->fullname .' '. $heading, $shortname .' '. $navigation, $focus, $meta,
+ $output = print_header(s($COURSE->shortname) .': '. s($title), s($COURSE->fullname) .' '. s($heading), $shortname.' '. $navigation, $focus, $meta,
$cache, $button, $menu, $usexml, $bodytags, true);
if ($return) {
$home = true;
} else {
$homelink = '<div class="homelink"><a '.$CFG->frametarget.' href="'.$CFG->wwwroot.
- '/course/view.php?id='.$course->id.'">'.$course->shortname.'</a></div>';
+ '/course/view.php?id='.$course->id.'">'.s($course->shortname).'</a></div>';
$home = false;
}
} else {
if (! $site = get_site()) {
$site->shortname = get_string('home');
}
- $navigation = "<li>$separator ". str_replace('->', "</li>\n<li>$separator", $navigation) ."</li>\n";
+
+ $navigation = "<li>$separator ". str_replace('->', "</li>\n<li>$separator", s($navigation, false, false)) ."</li>\n";
$output .= '<li class="first"><a '.$CFG->frametarget.' onclick="this.target=\''.$CFG->framename.'\'" href="'. $CFG->wwwroot.((!has_capability('moodle/site:config', get_context_instance(CONTEXT_SYSTEM, SITEID)) && !empty($USER->id) && !empty($CFG->mymoodleredirect) && !isguest())
- ? '/my' : '') .'/">'. $site->shortname ."</a></li>\n". $navigation;
+ ? '/my' : '') .'/">'. s($site->shortname) ."</a></li>\n". $navigation;
$output .= "</ul>\n";
}