--- loncom/interface/londocs.pm 2017/09/15 23:15:55 1.484.2.72.2.2
+++ loncom/interface/londocs.pm 2018/04/29 17:33:52 1.484.2.72.2.5
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Documents
#
-# $Id: londocs.pm,v 1.484.2.72.2.2 2017/09/15 23:15:55 raeburn Exp $
+# $Id: londocs.pm,v 1.484.2.72.2.5 2018/04/29 17:33:52 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -2598,7 +2598,8 @@ sub apply_fixups {
}
}
}
- for (my $i=0; $i<@LONCAPA::map::order; $i++) {
+ my $total = scalar(@LONCAPA::map::order) - 1;
+ for (my $i=$total; $i>=0; $i--) {
my $idx = $LONCAPA::map::order[$i];
if (defined($LONCAPA::map::resources[$idx])) {
my $changed;
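Review bot: The switch to a descending index at `for (my $i=$total; $i>=0; $i--)` has no comment explaining why the direction matters. The next hunk shows `splice(@LONCAPA::map::order,$i,1)` inside this loop, so an ascending walk would skip the element that slides into position `$i` after a removal. A one-line comment such as `# walk from the end: entries are spliced out of @LONCAPA::map::order below` would stop a later cleanup from reverting it. The loop body continues outside this hunk.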
@@ -2608,7 +2609,7 @@ sub apply_fixups {
splice(@LONCAPA::map::order,$i,1);
if (ref($currparam{$idx}) eq 'ARRAY') {
foreach my $name (@{$currparam{$idx}}) {
- &LONCAPA::map::delparameter($idx,'parameter_'.$name);
+ &LONCAPA::map::delparameter($idx,$name);
}
}
next;
@@ -2650,7 +2651,7 @@ sub apply_fixups {
foreach my $idx (keys(%remparam)) {
if (ref($remparam{$idx}) eq 'ARRAY') {
foreach my $name (@{$remparam{$idx}}) {
- &LONCAPA::map::delparameter($idx,'parameter_'.$name);
+ &LONCAPA::map::delparameter($idx,$name);
}
}
}
@@ -3925,7 +3926,7 @@ END
}
}
if ($url ne '') {
- $url.=(($url=~/\?/)?'&':'?').'symb='.&HTML::Entities::encode($shownsymb,'"<>&');
+ $url.=(($url=~/\?/)?'&':'?').'symb='.&escape($shownsymb);
}
} elsif (!$env{'request.role.adv'}) {
my $checkencrypt;
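Review bot: `&escape($shownsymb)` percent-encodes the symb as a query-string value, but nothing on this line HTML-encodes the assembled `$url`, including the literal `&` separator. The same holds for the matching change on the `$shownurl` line in the next hunk. If `$url` is later written into an attribute or link, entity encoding has to happen at that output point, which is not visible here. A short comment such as `# symb is URL-escaped here; HTML-encode $url where it is emitted` would record that split of responsibility.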
@@ -3946,7 +3947,7 @@ END
my $shownsymb = &Apache::lonenc::encrypted($symb);
my $shownurl = &Apache::lonenc::encrypted($url);
if (&Apache::lonnet::symbverify($shownsymb,$shownurl)) {
- $url = $shownurl.(($shownurl=~/\?/)?'&':'?').'symb='.&HTML::Entities::encode($shownsymb,'"<>&');
+ $url = $shownurl.(($shownurl=~/\?/)?'&':'?').'symb='.&escape($shownsymb);
if ($env{'request.enc'} ne '') {
delete($env{'request.enc'});
}
@@ -4985,6 +4986,11 @@ sub handler {
$disabled = ' disabled="disabled"';
}
&Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['inhibitmenu']);
+ if ($env{'form.inhibitmenu'}) {
+ unless ($env{'form.inhibitmenu'} eq 'yes') {
+ delete($env{'form.inhibitmenu'});
+ }
+ }
if ($allowed && $env{'form.verify'}) {
&init_breadcrumbs('verify','Verify Content','Docs_Verify_Content');
&verifycontent($r);
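Review bot: The outer `if ($env{'form.inhibitmenu'})` is a truthiness test, so a submitted value of `0` is neither accepted nor deleted and stays in `%env`. The `form.command` and `form.symb` guards in the next hunk have the same gap, whereas the `forcesupplement`/`forcestandard`/`tools` loop correctly compares against `''`. A single condition is shorter and closes it: `if (($env{'form.inhibitmenu'} ne '') && ($env{'form.inhibitmenu'} ne 'yes')) { delete($env{'form.inhibitmenu'}); }`. The body of `handler` starts and ends outside this hunk.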
@@ -5018,6 +5024,25 @@ sub handler {
'forcesupplement','forcestandard',
'tools','symb','command','supppath']);
+ foreach my $item ('forcesupplement','forcestandard','tools') {
+ next if ($env{'form.'.$item} eq '');
+ unless ($env{'form.'.$item} eq '1') {
+ delete($env{'form.'.$item});
+ }
+ }
+
+ if ($env{'form.command'}) {
+ unless ($env{'form.command'} =~ /^(direct|directnav|editdocs|editsupp|contents|home)$/) {
+ delete($env{'form.command'});
+ }
+ }
+
+ if ($env{'form.symb'}) {
+ my ($mapurl,$id,$resurl) = &Apache::lonnet::decode_symb($env{'form.symb'});
+ unless (($id =~ /^\d+$/) && (&Apache::lonnet::is_on_map($resurl))) {
+ delete($env{'form.symb'});
+ }
+ }
# standard=1: this is a "new-style" course with an uploaded map as top level
# standard=2: this is a "old-style" course, and there is nothing we can do
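Review bot: The allowlist patterns here end in `$`, which in Perl also matches just before a trailing newline, so `direct\n` passes the `form.command` check and `12\n` passes `$id =~ /^\d+$/`. Use `\A` and `\z` for an exact match: `/\A(?:direct|directnav|editdocs|editsupp|contents|home)\z/` and `/\A\d+\z/`. The `form.folderpath` and `form.supppath` patterns added in the next `handler` hunk have the same anchors and should change with them. Whether a trailing newline can do harm downstream is not visible from this page, but an input filter should accept only the exact values it lists.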
@@ -5040,6 +5065,38 @@ sub handler {
my $toolsflag=0;
if ($env{'form.tools'}) { $toolsflag=1; }
+ if ($env{'form.folderpath'} ne '') {
+ my @items = split(/\&/,$env{'form.folderpath'});
+ my $badpath;
+ for (my $i=0; $i<@items; $i++) {
+ my $odd = $i%2;
+ if (($odd) && (!$supplementalflag) && ($items[$i] !~ /^[^:]*:(|\d+):(|1):(|1):(|1):(|1)$/)) {
+ $badpath = 1;
+ } elsif ((!$odd) && ($items[$i] !~ /^(default|supplemental)(|_\d+)$/)) {
+ $badpath = 1;
+ }
+ last if ($badpath);
+ }
+ if ($badpath) {
+ delete($env{'form.folderpath'});
+ }
+ }
+
+ if ($env{'form.supppath'} ne '') {
+ my @items = split(/\&/,$env{'form.supppath'});
+ my $badpath;
+ for (my $i=0; $i<@items; $i++) {
+ my $odd = $i%2;
+ if ((!$odd) && ($items[$i] !~ /^supplemental(|_\d+)$/)) {
+ $badpath = 1;
+ }
+ last if ($badpath);
+ }
+ if ($badpath) {
+ delete($env{'form.supppath'});
+ }
+ }
+
my $script='';
my $showdoc=0;
my $addentries = {};
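Review bot: Odd-indexed segments are only checked when `$supplementalflag` is false, and the `form.supppath` loop never checks them, so the title part of a supplemental path still reaches later code exactly as submitted. If that is deliberate because supplemental titles use a different layout, say so in a comment and make sure every consumer encodes the value on output, as `embedded_form_elems` does with `HTML::Entities::encode`; otherwise add a pattern for those segments. Even in the standard case `[^:]*` accepts any character except a colon in the name, so the same output-encoding requirement applies there. The two loops differ only in their patterns and could share one helper that takes the even and odd patterns as arguments.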
@@ -6039,6 +6096,7 @@ my %suporderhash = (
sub embedded_form_elems {
my ($phase,$primaryurl,$newidx) = @_;
my $folderpath = &HTML::Entities::encode($env{'form.folderpath'},'<>&"');
+ $newidx =~s /\D+//g;
return <
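Review bot: `$newidx =~s /\D+//g;` rewrites a malformed index instead of rejecting it, so `3x7` becomes `37` and refers to a different entry than the one submitted. The three `newidx` sites in this commit disagree: this one and `embedded_destination` strip non-digits, while `decompression_info` skips the value when it contains one. Rejecting consistently is easier to reason about, for example `$newidx = '' unless ($newidx =~ /\A\d+\z/);`. The rest of the function (the here-document) is cut off on this page.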
@@ -6059,7 +6117,11 @@ sub embedded_destination {
} elsif ($folder =~ /^(default|supplemental)_(\d+)$/) {
$destination .= $2.'/';
}
- $destination .= $env{'form.newidx'};
+ my $newidx = $env{'form.newidx'};
+ $newidx =~s /\D+//g;
+ if ($newidx) {
+ $destination .= $newidx;
+ }
my $dir_root = '/userfiles';
return ($destination,$dir_root);
}
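Review bot: When `$newidx` is empty after the digits-only filter, the function still returns `$destination` ending at the folder component, so the caller receives a path one level above the per-item directory it presumably expects. `if ($newidx)` also treats an index of `0` as absent. Whether callers cope with either case is not visible here. If they do not, signal the failure before the path is built, for example `return unless ($newidx =~ /\A\d+\z/);`, and have callers check for the empty return. The start of `embedded_destination` lies outside this hunk.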
@@ -6085,6 +6147,9 @@ sub decompression_info {
}
unshift(@hiddens,$pathitem);
foreach my $item (@hiddens) {
+ if ($item eq 'newidx') {
+ next if ($env{'form.'.$item} =~ /\D/);
+ }
if ($env{'form.'.$item}) {
$hiddenelem .= ''."\n";