Merge branch '1.11.x' of github.com:chamilo/chamilo-lms into 1.11.x

main/exercise/pending.php

@@ -13,6 +13,7 @@
 $courseId = isset($_REQUEST['course_id']) ? (int) $_REQUEST['course_id'] : 0;
 $exerciseId = isset($_REQUEST['exercise_id']) ? (int) $_REQUEST['exercise_id'] : 0;
 $statusId = isset($_REQUEST['status']) ? (int) $_REQUEST['status'] : 0;
+$questionTypeId = isset($_REQUEST['questionTypeId']) ? (int) $_REQUEST['questionTypeId'] : 0;
 $exportXls = isset($_REQUEST['export_xls']) && !empty($_REQUEST['export_xls']) ? (int) $_REQUEST['export_xls'] : 0;
 $action = $_REQUEST['a'] ?? null;
 
@@ -293,6 +294,14 @@ function updateExerciseList(courseId) {
 ];
 
 $form->addSelect('status', get_lang('Status'), $status);
+
+$questionType = [
+    0 => get_lang('All'),
+    1 => get_lang('QuestionsWithNoAutomaticCorrection'),
+];
+
+$form->addSelect('questionTypeId', get_lang('QuestionType'), $questionType);
+
 $form->addButtonSearch(get_lang('Search'), 'pendingSubmit');
 $content = $form->returnForm();
 
@@ -305,7 +314,7 @@ function updateExerciseList(courseId) {
 
 $url = api_get_path(WEB_AJAX_PATH).
     'model.ajax.php?a=get_exercise_pending_results&filter_by_user='.$filter_user.
-    '&course_id='.$courseId.'&exercise_id='.$exerciseId.'&status='.$statusId.'&showAttemptsInSessions='.$showAttemptsInSessions;
+    '&course_id='.$courseId.'&exercise_id='.$exerciseId.'&status='.$statusId.'&questionType='.$questionTypeId.'&showAttemptsInSessions='.$showAttemptsInSessions;
 $action_links = '';
 
 $officialCodeInList = api_get_setting('show_official_code_exercise_result_list');

main/inc/ajax/document.ajax.php

@@ -219,13 +219,12 @@
 
         $data = [];
         $fileUpload = $_FILES['upload'];
-        $currentDirectory = Security::remove_XSS($_REQUEST['curdirpath']);
         $isAllowedToEdit = api_is_allowed_to_edit(null, true);
         if ($isAllowedToEdit) {
             $globalFile = ['files' => $fileUpload];
             $result = DocumentManager::upload_document(
                 $globalFile,
-                $currentDirectory,
+                '/',
                 '',
                 '',
                 0,
@@ -244,11 +243,11 @@
             }
         } else {
             $userId = api_get_user_id();
-            $syspath = UserManager::getUserPathById($userId, 'system').'my_files'.$currentDirectory;
+            $syspath = UserManager::getUserPathById($userId, 'system').'my_files';
             if (!is_dir($syspath)) {
                 mkdir($syspath, api_get_permissions_for_new_directories(), true);
             }
-            $webpath = UserManager::getUserPathById($userId, 'web').'my_files'.$currentDirectory;
+            $webpath = UserManager::getUserPathById($userId, 'web').'my_files';
             $fileUploadName = $fileUpload['name'];
             if (file_exists($syspath.$fileUploadName)) {
                 $extension = pathinfo($fileUploadName, PATHINFO_EXTENSION);

main/inc/ajax/model.ajax.php

@@ -649,6 +649,7 @@ function getWhereClause($col, $oper, $val)
         $courseId = $_REQUEST['course_id'] ?? 0;
         $exerciseId = $_REQUEST['exercise_id'] ?? 0;
         $status = $_REQUEST['status'] ?? 0;
+        $questionType = $_REQUEST['questionType'] ?? 0;
         $showAttemptsInSessions = $_REQUEST['showAttemptsInSessions'] ? true : false;
         if (isset($_GET['filter_by_user']) && !empty($_GET['filter_by_user'])) {
             $filter_user = (int) $_GET['filter_by_user'];
@@ -685,7 +686,8 @@ function getWhereClause($col, $oper, $val)
             false,
             true,
             $status,
-            $showAttemptsInSessions
+            $showAttemptsInSessions,
+            $questionType
         );
 
         break;
@@ -1622,7 +1624,8 @@ function getWhereClause($col, $oper, $val)
             false,
             true,
             $status,
-            $showAttemptsInSessions
+            $showAttemptsInSessions,
+            $questionType
         );
 
         break;

main/inc/ajax/plugin.ajax.php

@@ -13,8 +13,16 @@
 
 switch ($action) {
     case 'md_to_html':
-        $plugin = isset($_GET['plugin']) ? $_GET['plugin'] : '';
+        $plugin = $_GET['plugin'] ?? '';
         $appPlugin = new AppPlugin();
+
+        $pluginPaths = $appPlugin->read_plugins_from_path();
+
+        if (!in_array($plugin, $pluginPaths)) {
+            echo Display::return_message(get_lang('NotAllowed'), 'error', false);
+            exit;
+        }
+
         $pluginInfo = $appPlugin->getPluginInfo($plugin);
 
         $html = '';

main/inc/lib/agenda.lib.php

@@ -274,7 +274,7 @@ public function addEvent(
                 $attributes = [
                     'user' => api_get_user_id(),
                     'title' => $title,
-                    'text' => $content,
+                    'text' => Security::remove_XSS($content),
                     'date' => $start,
                     'enddate' => $end,
                     'all_day' => $allDay,
@@ -320,7 +320,7 @@ public function addEvent(
             case 'course':
                 $attributes = [
                     'title' => $title,
-                    'content' => $content,
+                    'content' => Security::remove_XSS($content),
                     'start_date' => $start,
                     'end_date' => $end,
                     'all_day' => $allDay,
@@ -476,7 +476,7 @@ public function addEvent(
                 if (api_is_platform_admin()) {
                     $attributes = [
                         'title' => $title,
-                        'content' => $content,
+                        'content' => Security::remove_XSS($content),
                         'start_date' => $start,
                         'end_date' => $end,
                         'all_day' => $allDay,
@@ -1876,7 +1876,7 @@ public function get_event($id)
                 if (Database::num_rows($result)) {
                     $event = Database::fetch_array($result, 'ASSOC');
                     $event['description'] = $event['text'];
-                    $event['content'] = $event['text'];
+                    $event['content'] = Security::remove_XSS($event['text'], STUDENT);
                     $event['start_date'] = $event['date'];
                     $event['end_date'] = $event['enddate'];
                 }
@@ -1904,7 +1904,7 @@ public function get_event($id)
                             'agenda_event_invitation_id' => $event->getInvitation()->getId(),
                             'collective' => $event->isCollective(),
                             'description' => $event->getText(),
-                            'content' => $event->getText(),
+                            'content' => Security::remove_XSS($event->getText(), STUDENT),
                             'start_date' => $event->getDate()->format('Y-m-d H:i:s'),
                             'end_date' => $event->getEndDate()->format('Y-m-d H:i:s'),
                         ];
@@ -1919,7 +1919,7 @@ public function get_event($id)
                     $result = Database::query($sql);
                     if (Database::num_rows($result)) {
                         $event = Database::fetch_array($result, 'ASSOC');
-                        $event['description'] = $event['content'];
+                        $event['description'] = Security::remove_XSS($event['content'], STUDENT);
 
                         // Getting send to array
                         $event['send_to'] = $this->getUsersAndGroupSubscribedToEvent(
@@ -1952,7 +1952,7 @@ public function get_event($id)
                 $result = Database::query($sql);
                 if (Database::num_rows($result)) {
                     $event = Database::fetch_array($result, 'ASSOC');
-                    $event['description'] = $event['content'];
+                    $event['description'] = Security::remove_XSS($event['content']);
                 }
                 break;
         }

main/inc/lib/document.lib.php

@@ -427,6 +427,7 @@ public static function file_send_for_download(
 
             switch ($contentType) {
                 case 'text/html':
+                    $enableMathJaxScript = api_get_setting('enabled_mathjax') && api_get_configuration_value('mathjax_enable_script_header_in_all_HTML_document');
                     if (isset($lpFixedEncoding) && $lpFixedEncoding === 'true') {
                         $contentType .= '; charset=UTF-8';
                     } else {
@@ -480,15 +481,23 @@ public static function file_send_for_download(
                     ['https%3A%2F%2F', 'https://'],
                     $content
                 );
+                if ($enableMathJaxScript === true) {
+                    $content = self::includeMathJaxScript($content);
+                }
                 echo $content;
             } else {
-                if (function_exists('ob_end_clean') && ob_get_length()) {
-                    // Use ob_end_clean() to avoid weird buffering situations
-                    // where file is sent broken/incomplete for download
-                    ob_end_clean();
+                if ($enableMathJaxScript === true) {
+                    $content = file_get_contents($full_file_name);
+                    $content = self::includeMathJaxScript($content);
+                    echo $content;
+                } else {
+                    if (function_exists('ob_end_clean') && ob_get_length()) {
+                        // Use ob_end_clean() to avoid weird buffering situations
+                        // where file is sent broken/incomplete for download
+                        ob_end_clean();
+                    }
+                    readfile($full_file_name);
                 }
-
-                readfile($full_file_name);
             }
 
             return true;
@@ -7516,4 +7525,26 @@ private static function getButtonDelete(
 
         return $btn;
     }
+
+    /**
+     * Include MathJax script in document.
+     *
+     * @param string file content $content
+     *
+     * @return string file content
+     */
+    private static function includeMathJaxScript($content)
+    {
+        $scriptTag = '<script src="'.api_get_path(WEB_PUBLIC_PATH).'assets/MathJax/MathJax.js?config=TeX-MML-AM_HTMLorMML"></script>';
+        // Find position of </body> tag
+        $pos = strpos($content, '</body>');
+        // If </body> tag found, insert the script tag before it
+        if ($pos !== false) {
+            $content = substr_replace($content, $scriptTag, $pos, 0);
+        } else {
+            // If </body> tag not found, just append the script tag at the end
+            $content .= $scriptTag;
+        }
+        return $content;
+    }
 }

main/inc/lib/exercise.lib.php

@@ -2227,7 +2227,8 @@ public static function get_count_exam_results(
         $showSession = false,
         $searchAllTeacherCourses = false,
         $status = 0,
-        $showAttemptsInSessions = false
+        $showAttemptsInSessions = false,
+        $questionType = 0
     ) {
         return self::get_exam_results_data(
             null,
@@ -2246,7 +2247,8 @@ public static function get_count_exam_results(
             false,
             $searchAllTeacherCourses,
             $status,
-            $showAttemptsInSessions
+            $showAttemptsInSessions,
+            $questionType
         );
     }
 
@@ -2534,7 +2536,8 @@ public static function get_exam_results_data(
         $getOnlyIds = false,
         $searchAllTeacherCourses = false,
         $status = 0,
-        $showAttemptsInSessions = false
+        $showAttemptsInSessions = false,
+        $questionType = 0
     ) {
         //@todo replace all this globals
         global $filter;
@@ -2558,6 +2561,27 @@ public static function get_exam_results_data(
         $courseCondition = "c_id = $courseId";
         $statusCondition = '';
 
+        if ($questionType == 1) {
+            $TBL_EXERCISES_REL_QUESTION = Database::get_course_table(TABLE_QUIZ_TEST_QUESTION);
+            $TBL_EXERCISES_QUESTION = Database::get_course_table(TABLE_QUIZ_QUESTION);
+
+            $sqlExercise = "SELECT exercice_id
+                            FROM $TBL_EXERCISES_REL_QUESTION terq
+                            LEFT JOIN $TBL_EXERCISES_QUESTION teq
+                            ON terq.question_id = teq.iid
+                            WHERE teq.type in (".FREE_ANSWER.", ".ORAL_EXPRESSION.", ".ANNOTATION.", ".UPLOAD_ANSWER.")
+            ";
+
+            $resultExerciseIds = Database::query($sqlExercise);
+            $exercises = Database::store_result($resultExerciseIds, 'ASSOC');
+            $exerciseIds = [];
+            foreach ($exercises as $exercise) {
+                $exerciseIds[] = $exercise['exercice_id'];
+            }
+            $exercises_where = " AND te.exe_exo_id IN(".implode(',', $exerciseIds).")";
+            $exercisesFilter = " AND exe_exo_id IN(".implode(',', $exerciseIds).")";
+        }
+
         if (!empty($status)) {
             switch ($status) {
                 case 2:
@@ -2653,6 +2677,7 @@ public static function get_exam_results_data(
             WHERE
                 $courseCondition
                 $exerciseFilter
+                $exercisesFilter
                 $sessionCondition
             GROUP BY ttte.exe_id
         )";
@@ -2809,6 +2834,7 @@ public static function get_exam_results_data(
                     ce.active <> -1 AND
                     ce.$courseCondition
                     $exercise_where
+                    $exercises_where
                     $extra_where_conditions
                     $statusCondition
                 ";

main/inc/lib/extra_field_value.lib.php

@@ -334,14 +334,13 @@ public function saveFieldValues(
                             break;
                     }
 
-                    $cleanedName = api_replace_dangerous_char($value['name']);
-                    $fileName = ExtraField::FIELD_TYPE_FILE."_{$params['item_id']}_$cleanedName";
                     if (!file_exists($fileDir)) {
                         mkdir($fileDir, $dirPermissions, true);
                     }
 
                     if (!empty($value['tmp_name']) && isset($value['error']) && $value['error'] == 0) {
                         $cleanedName = api_replace_dangerous_char($value['name']);
+                        $cleanedName = disable_dangerous_file($cleanedName);
                         $fileName = ExtraField::FIELD_TYPE_FILE."_{$params['item_id']}_$cleanedName";
                         moveUploadedFile($value, $fileDir.$fileName);
 

main/inc/lib/fileUpload.lib.php

@@ -343,7 +343,7 @@ function handle_uploaded_document(
             }
 
             // Full path to where we want to store the file with trailing slash
-            $whereToSave = $documentDir.$uploadPath;
+            $whereToSave = Security::cleanPath($documentDir.$uploadPath).'/';
 
             // At least if the directory doesn't exist, tell so
             if (!is_dir($whereToSave)) {

main/inc/lib/security.lib.php

@@ -64,8 +64,7 @@ public static function check_abs_path(string $abs_path, string $checker_path): b
         }
 
         // Clean $abs_path.
-        $abs_path = str_replace(['//', '../'], ['/', ''], $abs_path);
-        $true_path = str_replace("\\", '/', realpath($abs_path));
+        $true_path = self::cleanPath($abs_path);
         $checker_path = str_replace("\\", '/', realpath($checker_path));
 
         if (empty($checker_path)) {
@@ -89,6 +88,13 @@ public static function check_abs_path(string $abs_path, string $checker_path): b
         return false;
     }
 
+    public static function cleanPath(string $absPath): string
+    {
+        $absPath = str_replace(['//', '../'], ['/', ''], $absPath);
+
+        return str_replace("\\", '/', realpath($absPath));
+    }
+
     /**
      * Checks if the relative path (directory) given is really under the
      * checker path (directory).

main/install/configuration.dist.php

@@ -1167,6 +1167,10 @@
 // Allow SCORM packages when importing a course
 // $_configuration['allow_import_scorm_package_in_course_builder'] = false;
 
+// Avoid all the scorms folders to be included by default in the partial course backup
+// and enable the scroms folders to be selected manualy
+//$_configuration['course_backup_allow_scorm_selection_in_select_form'] = false;
+
 // Hide announcement "sent to" label
 // $_configuration['hide_announcement_sent_to_users_info'] = false;
 
@@ -2539,3 +2543,6 @@
 
 // Set the following parameter to true to enable student to be assign as teacher of a course
 //$_configuration['course_allow_student_role_to_be_teacher'] = false;
+
+// Set the followinf parameter to true to activate the integration of the mathjax script in all HTML documents
+//$_configuration['mathjax_enable_script_header_in_all_HTML_document'] = false;

main/lang/english/trad4all.inc.php

@@ -9053,4 +9053,6 @@
 $CoursesUpdatedSuccessfully = "Courses updated successfully";
 $UpdateFailedForCourses = "The update failed for the following courses";
 $HoursMinutesSeconds = "%02d h %02d m %02d s";
+$IfYourLPsAreScormsYouShouldSelectThemFromTheScorms = "If your Learning paths are scorm packages, you should select the corresponding folder in the SCORM part";
+$QuestionsWithNoAutomaticCorrection = "Questions with no automatic correction";
 ?>

main/lang/french/trad4all.inc.php

@@ -8987,4 +8987,6 @@
 $CoursesUpdatedSuccessfully = "Mise à jour des cours réussie";
 $UpdateFailedForCourses = "La mise à jour a échoué pour les cours suivants";
 $HoursMinutesSeconds = "%02d h %02d m %02d s";
+$IfYourLPsAreScormsYouShouldSelectThemFromTheScorms = "Si vos parcours d'apprentissage sont des packages scorm, vous devez sélectionner le dossier correspondant dans la partie SCORM";
+$QuestionsWithNoAutomaticCorrection = "Questions sans correction automatique";
 ?>