Added missing parameters to htmlspecialchars

collect_question.php

@@ -14,6 +14,12 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
   // Überprüfung auf String  / Wertzuweisung
   $action=''; if(isset($_GET['action'])) $action=strval($_GET['action']);
 
+  // Fetch encoding from session, simplifies future switch to utf-8 encoding.
+  $encoding = $_SESSION['_config']['encoding'];
+  if (!$encoding) {
+    $encoding = "iso-8859-1"; // Backwards compatibility
+  }
+
   // Auswahl der gewählten Aktionen
   switch ($action){
 
@@ -23,10 +29,10 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
                           // Wertzuweisung
                           $_SESSION ['values']['question']['t_id']=0; if($_POST["t_id"])$_SESSION ['values']['question']['t_id'] =abs(intval($_REQUEST["t_id"]));
                           $_SESSION ['values']['question']['qt']=0;if($_POST["qt"])$_SESSION ['values']['question']['qt'] =abs(intval($_REQUEST["qt"]));
-                          $_SESSION ['values']['question']['questionText']=''; if($_POST["questionText"])$_SESSION ['values']['question']['questionText']= htmlspecialchars($_REQUEST["questionText"]); // Umwandlung von Sonderzeichen in HTML-Code
-                          $new=""; if($_REQUEST["new"])$new= htmlspecialchars($_POST["new"]); // Umwandlung von Sonderzeichen in HTML-Code
+                          $_SESSION ['values']['question']['questionText']=''; if($_POST["questionText"])$_SESSION ['values']['question']['questionText']= htmlspecialchars($_REQUEST["questionText"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
+                          $new=""; if($_REQUEST["new"])$new= htmlspecialchars($_POST["new"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
                           $_SESSION ['values']['question']['description']=0; if($_POST["description"])$_SESSION ['values']['question']['description']=abs(intval($_POST["description"]));
-                          $_SESSION ['values']['question']['descriptionText']="";if($_POST["descriptionText"])$_SESSION ['values']['question']['descriptionText']=htmlspecialchars($_POST["descriptionText"]);
+                          $_SESSION ['values']['question']['descriptionText']="";if($_POST["descriptionText"])$_SESSION ['values']['question']['descriptionText']=htmlspecialchars($_POST["descriptionText"], ENT_COMPAT | ENT_HTML401, $encoding);
 
                           // Session Variable setzen
                           $_SESSION ['values']['question']['new']=1;
@@ -124,9 +130,9 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
 
                 // Wertzuweisung
                 $qt_id=0; if(isset($_GET['qt_id'])) $qt_id=abs(intval($_GET['qt_id']));
-                $error=""; if(isset($_GET["error"])) $error= htmlspecialchars($_GET["error"]); // Umwandlung von Sonderzeichen in HTML-Code
-                $new=""; if(isset($_GET['new'])) $new=htmlspecialchars($_GET['new']);
-                $questionText=""; if(isset($_REQUEST["questionText"])) $questionText= htmlspecialchars($_REQUEST["questionText"]);
+                $error=""; if(isset($_GET["error"])) $error= htmlspecialchars($_GET["error"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
+                $new=""; if(isset($_GET['new'])) $new=htmlspecialchars($_GET['new'], ENT_COMPAT | ENT_HTML401, $encoding);
+                $questionText=""; if(isset($_REQUEST["questionText"])) $questionText= htmlspecialchars($_REQUEST["questionText"], ENT_COMPAT | ENT_HTML401, $encoding);
 
                 // Sessionvariable setzen
                 $_SESSION['values']['error']=$error;

functions/UploadResults.pl

@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
 use Socket;
 use Net::SSLeay qw(die_now die_if_ssl_error) ;
 use DBI;
@@ -8,7 +8,7 @@ my $KeyFile = "key_200808.pem";
 my $CAfile = "CAcert_roots.pem";
 my $TargetHost="secure.cacert.org";
 my $TargetScript="cats/cats_import.php";
-my $ConnectInc="/home/cats/public_html/includes/db_connect.inc";
+my $ConnectInc="/var/www/cats1.it-sls.de/training/public/includes/db_connect.inc";
 
 sub url_encode($)
 {

topic.php

@@ -33,7 +33,13 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
   } else {
     $site="site=topic&action=getQuestions&t_id=$t_id";
   }
-  
+
+  // Fetch encoding from session, simplifies future switch to utf-8 encoding.
+  $encoding = $_SESSION['_config']['encoding'];
+  if (!$encoding) {
+    $encoding = "iso-8859-1"; // Backwards compatibility
+  }
+ 
   // Löschen der Session Variable
   if (isset($_SESSION['values']['question']['new'])) unset($_SESSION['values']['question']['new']); 
     
@@ -45,7 +51,7 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
                     // Wertzuweisung 
                     $questPerQuiz=0; if(isset($_REQUEST["questPerQuiz"]))$questPerQuiz =abs(intval($_REQUEST["questPerQuiz"]));
                     $rawToPass=0; if(isset($_REQUEST["rawToPass"]))$rawToPass =abs(intval($_REQUEST["rawToPass"]));
-                    $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"]); // Umwandlung von Sonderzeichen in HTML-Code
+                    $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"], ENT_COMPAT | ENT_HTML401, $encoding); // Umwandlung von Sonderzeichen in HTML-Code
   
                     $topics->setTopicName($name);
                     $checkNum=$topics->setNumOfQu($questPerQuiz);
@@ -157,8 +163,8 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
     case 'updateQuestion': { // Question updaten
     
                             // Wertzuweisung
-                            $questionText=""; if(isset($_REQUEST["question"]))$questionText= htmlspecialchars($_REQUEST["question"]);
-                            $descriptionText=""; if(isset($_REQUEST["descriptionText"]))$descriptionText= htmlspecialchars($_REQUEST["descriptionText"]);
+                            $questionText=""; if(isset($_REQUEST["question"]))$questionText= htmlspecialchars($_REQUEST["question"], ENT_COMPAT | ENT_HTML401, $encoding);
+                            $descriptionText=""; if(isset($_REQUEST["descriptionText"]))$descriptionText= htmlspecialchars($_REQUEST["descriptionText"], ENT_COMPAT | ENT_HTML401, $encoding);
                             $description=0; if(isset($_REQUEST["description"]))$description=$_REQUEST["description"];
                             
                             $question->setID($q_id);
@@ -234,7 +240,7 @@ if(($_SESSION['profile']['loggedin']==1) &&($_SESSION['profile']['admin']==1)){
         case 'updateTopic':{ // Topic updaten
         
                             //Wertzuweisung
-                            $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"]); 
+                            $name=""; if(isset($_REQUEST["new_topic"]))$name= htmlspecialchars($_REQUEST["new_topic"], ENT_COMPAT | ENT_HTML401, $encoding); 
                             $numofQuiz=0; if(isset($_REQUEST["questPerQuiz"]))$numOfQuiz =abs(intval($_REQUEST["questPerQuiz"]));
                             $rawToPass=0; if(isset($_REQUEST["rawToPass"])) $rawToPass =abs(intval($_REQUEST["rawToPass"]));