Security: Replace $_REQUEST with HttpFoundation\Request class and remove XSS in assign, issued, and issued_all pages

AngelFQC · AngelFQC · commit a6ce8fb3dc88 · 2025-08-15T18:35:14.000-05:00
See advisory GHSA-cchj-3qmf-82j5
diff --git a/main/badge/assign.php b/main/badge/assign.php
@@ -3,6 +3,7 @@
 
 use Chamilo\CoreBundle\Entity\Skill;
 use Skill as SkillManager;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
 
 /**
  * Page for assign skills to a user.
@@ -11,7 +12,12 @@
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
-$userId = isset($_REQUEST['user']) ? (int) $_REQUEST['user'] : 0;
+$httpRequest = HttpRequest::createFromGlobals();
+
+$userId = $httpRequest->query->getInt(
+    'user',
+    $httpRequest->request->getInt('user')
+);
 
 if (empty($userId)) {
     api_not_allowed(true);
@@ -53,11 +59,25 @@
         $skillsOptions[$skill['data']['id']] = $skill['data']['name'];
     }
 }
-$skillIdFromGet = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;
-$currentValue = isset($_REQUEST['current_value']) ? (int) $_REQUEST['current_value'] : 0;
-$currentLevel = isset($_REQUEST['current']) ? (int) str_replace('sub_skill_id_', '', $_REQUEST['current']) : 0;
+$skillIdFromGet = $httpRequest->query->getInt(
+    'id',
+    $httpRequest->request->getInt('id')
+);
+$currentValue = $httpRequest->query->getInt(
+    'current_value',
+    $httpRequest->request->getInt('current_value')
+);
+$currentLevel = $httpRequest->query->get(
+    'current',
+    $httpRequest->request->get('current', '')
+);
+$currentLevel = (int) str_replace('sub_skill_id_', '', $currentLevel);
 
-$subSkillList = isset($_REQUEST['sub_skill_list']) ? explode(',', $_REQUEST['sub_skill_list']) : [];
+$subSkillList = $httpRequest->query->get(
+    'sub_skill_list',
+    $httpRequest->request->get('sub_skill_list', '')
+);
+$subSkillList = explode(',', $subSkillList);
 $subSkillList = array_unique($subSkillList);
 
 if (!empty($subSkillList)) {
@@ -94,7 +114,10 @@
     }
 }
 
-$skillId = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : key($skillsOptions);
+$skillId = $httpRequest->query->getInt(
+    'id',
+    $httpRequest->request->getInt('id', key($skillsOptions))
+);
 $skill = $skillRepo->find($skillId);
 $profile = false;
 if ($skill) {
@@ -234,15 +257,15 @@
     //$form->addRule('acquired_level', get_lang('ThisFieldIsRequired'), 'required');
 }
 
-$form->addTextarea('argumentation', get_lang('Argumentation'), ['rows' => 6]);
-$form->addRule('argumentation', get_lang('ThisFieldIsRequired'), 'required');
+$form->addTextarea('argumentation', get_lang('Argumentation'), ['rows' => 6], true);
 $form->addRule(
     'argumentation',
     sprintf(get_lang('ThisTextShouldBeAtLeastXCharsLong'), 10),
     'mintext',
     10
 );
 $form->applyFilter('argumentation', 'trim');
+$form->applyFilter('argumentation', 'html_filter');
 $form->addButtonSave(get_lang('Save'));
 $form->setDefaults($formDefaultValues);
 
diff --git a/main/badge/issued.php b/main/badge/issued.php
@@ -4,6 +4,7 @@
 use Chamilo\CoreBundle\Entity\SkillRelUser;
 use Chamilo\CoreBundle\Entity\SkillRelUserComment;
 use SkillRelUser as SkillRelUserManager;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
 
 /**
  * Show information about the issued badge.
@@ -13,7 +14,12 @@
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
-$issue = isset($_REQUEST['issue']) ? (int) $_REQUEST['issue'] : 0;
+$httpRequest = HttpRequest::createFromGlobals();
+
+$issue = $httpRequest->query->getInt(
+    'issue',
+    $httpRequest->request->getInt('issue')
+);
 
 if (empty($issue)) {
     api_not_allowed(true);
@@ -103,7 +109,7 @@
     'acquired_level' => $currentSkillLevel,
     'argumentation_author_id' => $skillIssue->getArgumentationAuthorId(),
     'argumentation_author_name' => $author['complete_name'],
-    'argumentation' => $skillIssue->getArgumentation(),
+    'argumentation' => Security::remove_XSS($skillIssue->getArgumentation()),
     'source_name' => $skillIssue->getSourceName(),
     'user_id' => $skillIssue->getUser()->getId(),
     'user_complete_name' => UserManager::formatUserFullName($skillIssue->getUser()),
diff --git a/main/badge/issued_all.php b/main/badge/issued_all.php
@@ -4,6 +4,7 @@
 use Chamilo\CoreBundle\Entity\SkillRelUser;
 use Chamilo\CoreBundle\Entity\SkillRelUserComment;
 use SkillRelUser as SkillRelUserManager;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
 
 /**
  * Show information about all issued badges with same skill by user.
@@ -12,8 +13,10 @@
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
-$userId = isset($_GET['user']) ? (int) $_GET['user'] : 0;
-$skillId = isset($_GET['skill']) ? (int) $_GET['skill'] : 0;
+$httpRequest = HttpRequest::createFromGlobals();
+
+$userId = $httpRequest->query->getInt('user');
+$skillId = $httpRequest->query->getInt('skill');
 
 if (!$userId || !$skillId) {
     api_not_allowed(true);
@@ -90,7 +93,7 @@
             $argumentationAuthor['firstname'],
             $argumentationAuthor['lastname']
         ),
-        'argumentation' => $skillIssue->getArgumentation(),
+        'argumentation' => Security::remove_XSS($skillIssue->getArgumentation()),
         'source_name' => $skillIssue->getSourceName(),
         'user_id' => $skillIssue->getUser()->getId(),
         'user_complete_name' => UserManager::formatUserFullName($skillIssue->getUser()),
