Chamilo LMS

Hi,
I was working on that issue while testing adding media files on forum...

I've found 2 issues

• information concerning style or media aren't stored in the database (except for images):
  it's in file main/forum/reply.php, line 228 if you replace
  

  store_reply(Security::remove_XSS($values));
  

  
  with
  

  store_reply($values);
  

  
  but I don't know the consequences concerning security...

• tag aren't displayed on the post view
  it's still a consequence of the Security::remove_XSS on files main/forum/viewthread_flat.inc.php
  it's ok if you delete line 138 :
  

  $row['post_text']= Security::remove_XSS($row['post_text']);
  

delete line 133 for file main/forum/viewthread_nested.inc.php
and
delete line 311 and remove Security::remove_XSS line 314 for file main/forum|viewthread_threaded.inc.php

I don't know whet kind of security add to these fields before displaying it...

Hello Hubert,
You are right, is not necesary this store_reply(Security::remove_XSS($values));
We use only Security::remove_XSS() when showing links, info to the user to avoid XSS. We should not use remove_XSS when we are going to add to the DB.
We should only use the Database::escape_string() function
I will make some cleaning in that file