Merge pull request #6662 from AngelFQC/p32q-6gh3-3gcv

NicoDucou · web-flow · commit a6e7932b7ff2 · 2025-11-01T09:31:39.000+01:00
Course description: Remove XSS when showing title
diff --git a/main/inc/ajax/course_home.ajax.php b/main/inc/ajax/course_home.ajax.php
@@ -1,6 +1,7 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+use Chamilo\CourseBundle\Entity\CCourseDescription;
 use Chamilo\CourseBundle\Entity\CTool;
 use ChamiloSession as Session;
 
@@ -290,15 +291,17 @@
                 echo get_lang('PrivateAccess');
                 break;
             }
-            $table = Database::get_course_table(TABLE_COURSE_DESCRIPTION);
-            $sql = "SELECT * FROM $table
-                    WHERE c_id = ".$course_info['real_id']." AND session_id = 0
-                    ORDER BY id";
-            $result = Database::query($sql);
-            if (Database::num_rows($result) > 0) {
-                while ($description = Database::fetch_object($result)) {
-                    $descriptions[$description->id] = $description;
-                }
+
+            /** @var array<int, CCourseDescription> $courseDescriptions */
+            $courseDescriptions = Database::getManager()
+                ->getRepository(CCourseDescription::class)
+                ->findBy(['cId' => $course_info['real_id'], 'sessionId' => 0])
+            ;
+
+            $descriptions = [];
+
+            foreach ($courseDescriptions as $courseDescription) {
+                $descriptions[$courseDescription->getIid()] = $courseDescription;
                 // Function that displays the details of the course description in html.
                 $content = CourseManager::get_details_course_description_html(
                     $descriptions,
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
@@ -8,6 +8,7 @@
 use Chamilo\CoreBundle\Entity\SequenceResource;
 use Chamilo\CourseBundle\Component\CourseCopy\CourseBuilder;
 use Chamilo\CourseBundle\Component\CourseCopy\CourseRestorer;
+use Chamilo\CourseBundle\Entity\CCourseDescription;
 use ChamiloSession as Session;
 use Doctrine\Common\Collections\Criteria;
 
@@ -3442,24 +3443,24 @@ public static function getExtraFieldsToBePresented($courseId)
     /**
      * Lists details of the course description.
      *
-     * @param array        The course description
-     * @param string    The encoding
-     * @param bool        If true is displayed if false is hidden
+     * @param array<int, CCourseDescription> $descriptions        The course description
+     * @param string $charset The encoding
+     * @param bool $action_show If true is displayed if false is hidden
      *
      * @return string The course description in html
      */
     public static function get_details_course_description_html(
-        $descriptions,
-        $charset,
-        $action_show = true
-    ) {
+        array $descriptions,
+        string $charset,
+        bool $action_show = true
+    ): ?string {
         $data = null;
-        if (isset($descriptions) && count($descriptions) > 0) {
+        if (count($descriptions) > 0) {
             foreach ($descriptions as $description) {
                 $data .= '<div class="sectiontitle">';
                 if (api_is_allowed_to_edit() && $action_show) {
                     //delete
-                    $data .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&action=delete&description_id='.$description->id.'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(
+                    $data .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&action=delete&description_id='.$description->getIid().'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(
                         get_lang('ConfirmYourChoice'),
                                 ENT_QUOTES,
                         $charset
@@ -3471,7 +3472,7 @@ public static function get_details_course_description_html(
                     );
                     $data .= '</a> ';
                     //edit
-                    $data .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&description_id='.$description->id.'">';
+                    $data .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&description_id='.$description->getIid().'">';
                     $data .= Display::return_icon(
                         'edit.png',
                         get_lang('Edit'),
@@ -3480,10 +3481,10 @@ public static function get_details_course_description_html(
                     );
                     $data .= '</a> ';
                 }
-                $data .= $description->title;
+                $data .= Security::remove_XSS($description->getTitle());
                 $data .= '</div>';
                 $data .= '<div class="sectioncomment">';
-                $data .= Security::remove_XSS($description->content);
+                $data .= Security::remove_XSS($description->getContent());
                 $data .= '</div>';
             }
         } else {
