Doesn't accept "/" character on title

eduardomozart
Newbie
Posts: 18
Joined: Tue Jan 16, 2024 8:09 pm

Post by eduardomozart »

Hello,
When creating a course object with "/" character on it on Forma LMS 3.3.17 (e.g. "Gravação de aula - 08/01/2024") it removes the "/" (output: "Gravação de aula - 08012024"), but when editing the "learning_organization" MySQL table it seems to accept it and it's rendered on GUI as expected (e.g. "Gravação de aula - 08/01/2024").
I'm not sure, but I believe the problem seems to be related to "escape_string" function https://github.com/formalms/formalms/bl ... i.php#L273 which is called from "INSERT" SQL statement.
If it doesn't happen on your environment, maybe it's happening on mine because the MySQL server charset is set to "latin1", but I already changed the Forma LMS table collation to utf8mb4_unicode_ci so I believe it isn't the issue.
alfa24
Senior Boarder
Posts: 2009
Joined: Fri Nov 24, 2017 8:45 am

Re: Doesn't accept "/" character on title

Post by alfa24 »

Can you provide full stack trace of the insert?
escape_string calls mysqli_real_escape_string(), that won't strip slashes.
I think it's more a filter input / sanitize issue.
For FREE support, contact me privately here

Re: Doesn't accept "/" character on title

Post by eduardomozart »

Hello @alfa24, thank you for your response. How can I provide the full stack trace?

Re: Doesn't accept "/" character on title

Post by alfa24 »

Ask your developer... he should know how to trigger an error and get a stack trace.

Re: Doesn't accept "/" character on title

Post by eduardomozart »

I work at a small K-12 school so I'm the developer, the IT administrator and anything else related to IT here (at least someone else does the coffee, otherwise I would need to do it). I'm not a PHP expert but I hope to provide any information I can to troubleshoot this.
I tried to reproduce the issue again but I was unable to, it's now working as expected, so this topic can be closed (I think).

Re: Doesn't accept "/" character on title

Post by eduardomozart »

Sorry, I was able to reproduce the issue again. It seems that it doesn't happen when creating the learning object, only when updating it, so I believe it may be related to some UPDATE SQL statement and/or some filter input / sanitize issue, as can be seen below:

Image
Last edited by eduardomozart on Wed Jan 17, 2024 5:52 pm, edited 2 times in total.

Re: Doesn't accept "/" character on title

Post by alfa24 »

The image you attached isn't showing the issue...

Re: Doesn't accept "/" character on title

Post by eduardomozart »

Hello @alfa24,
Sorry, for some reason the GIF image was cut, I edited my last post so now it shows the issue.
Notice that when I add the HTML page the first time, the name of the learning object is saved as "Gravação de Aula - 08/01/2024" as expected, but when editing the item and updating it, the title is saved as "Gravação de Aula - 08012024" (notice that the "/" is missing), so I believe there's some UPDATE SQL statement and/or some filter input / sanitize issue.

Re: Doesn't accept "/" character on title

Post by alfa24 »

I could replicate and confirm the issue.
The update query is in /appLms/modules/htmlpage/htmlpage.php, function uppage() :

Code:

  $insert_query = '
	UPDATE ' . $GLOBALS['prefix_lms'] . "_htmlpage
	SET title = '" . ((trim(addslashes($_REQUEST['title'])) == '') ? addslashes(Lang::t('_NOTITLE', 'htmlpage', 'lms')) : addslashes($_REQUEST['title'])) . "',
		textof = '" . addslashes($_REQUEST['textof']) . "'
	WHERE idPage = '" . (int) $_REQUEST['idPage'] . "'";

You can get rid of all those addslashes and convert them to sql_escape_string.

Re: Doesn't accept "/" character on title

Post by eduardomozart »

Hello @alfa24,
Thank you for your help! I replaced all instances of the "addslashes" PHP function with the "sql_escape_string" PHP function and I can confirm that in the DB it's now being saved with slashes as expected. But I noticed a strange behavior: when editing the item, the slash was there in the "Title" field, but in the course view, the slashes were still missing, so I noticed there was a call to the "updateObjectTitle" PHP function, which references the "_organization" DB table prefix, that was cutting it. I created a PR https://github.com/formalms/formalms/pull/8 that seems to fix the issue, but I'm not sure exactly of its impact because I don't know why it was cutting it, so I'm not sure if it may break anything, but I believe it's maybe related to the Organization chart feature or (more probably) to the sorting of the learning objects in the course, as it seems related to the "path" column that contains slashes.
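
An added example, not part of the thread's posts or of Forma LMS's own code: the UPDATE from uppage() quoted earlier in the thread, written with bound parameters instead of addslashes(). This goes one step beyond the sql_escape_string replacement suggested above. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the function name updateHtmlPage, the table name learning_htmlpage and the fallback text are assumptions.

```php
<?php
// Added example, not Forma LMS code. In-memory SQLite stands in for MySQL so the
// script runs offline; it requires the pdo_sqlite extension.

/**
 * Hypothetical replacement for the UPDATE in uppage(): values are bound as
 * parameters, so no addslashes()/escape call is needed and no character is altered.
 */
function updateHtmlPage(PDO $db, int $idPage, string $title, string $textof, string $fallbackTitle): int
{
    // Same rule as the quoted query: a blank title falls back to a default.
    if (trim($title) === '') {
        $title = $fallbackTitle;
    }
    $stmt = $db->prepare(
        'UPDATE learning_htmlpage SET title = :title, textof = :textof WHERE idPage = :idPage'
    );
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':textof', $textof, PDO::PARAM_STR);
    $stmt->bindValue(':idPage', $idPage, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumed table name: the "learning" prefix seen in the thread plus "_htmlpage".
$db->exec('CREATE TABLE learning_htmlpage (idPage INTEGER PRIMARY KEY, title TEXT, textof TEXT)');
$db->exec("INSERT INTO learning_htmlpage (idPage, title, textof) VALUES (1, 'old', 'old body')");

// Constructed sample input: the title from the thread, one with a quote and a
// backslash, and a blank title that should trigger the fallback.
$samples = [
    "Gravação de aula - 08/01/2024",
    "Teacher's notes \\ week 1",
    "   ",
];
$select = $db->prepare('SELECT title FROM learning_htmlpage WHERE idPage = :idPage');
foreach ($samples as $title) {
    updateHtmlPage($db, 1, $title, '<p>body</p>', 'No title');
    $select->execute([':idPage' => 1]);
    $stored = $select->fetchColumn();
    $select->closeCursor();
    $expected = trim($title) === '' ? 'No title' : $title;
    printf("[%s] => %s\n", $title, $stored === $expected ? 'stored intact' : 'ALTERED');
}
```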