Display: Fix error when updating tool icon on the course homepage (introduced in 1.11.20 through security updates) - refs #4809

Author: ywarnier

main/course_info/tools.php

@@ -55,7 +55,7 @@
  $form->addHeader(get_lang('EditIcon'));
  $form->addHtml('<div class="col-md-7">');
  $form->addText('name', get_lang('Name'));
- $form->addText('link', get_lang('Links'));
+ $form->addInternalUrl('link', get_lang('Links'));
  $allowedPictureTypes = ['jpg', 'jpeg', 'png'];
  $form->addFile('icon', get_lang('CustomIcon'));
  $form->addRule(

main/inc/lib/formvalidator/Element/InternalUrl.php

@@ -0,0 +1,31 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+/**
+ * InternalUrl element (URL without the domain as prefix).
+ *
+ * Class InternalUrl
+ */
+class InternalUrl extends HTML_QuickForm_text
+{
+ /**
+ * InternalUrl constructor.
+ *
+ * @param string $elementName
+ * @param string $elementLabel
+ * @param array $attributes
+ */
+ public function __construct($elementName = null, $elementLabel = null, $attributes = null)
+ {
+ if (!isset($attributes['id'])) {
+ $attributes['id'] = $elementName;
+ }
+
+ $attributes['type'] = 'text';
+ $attributes['class'] = 'form-control';
+
+ parent::__construct($elementName, $elementLabel, $attributes);
+
+ $this->setType('text');
+ }
+}

main/inc/lib/formvalidator/FormValidator.class.php

@@ -224,6 +224,36 @@ public function addText($name, $label, $required = true, $attributes = [], $crea
  return $element;
  }
 
+ /**
+ * Adds a text field to the form to be used as internal url (URL without the domain part).
+ * A trim-filter is attached to the field.
+ *
+ * @param string|array $label The label for the form-element
+ * @param string $name The element name
+ * @param bool $required (optional) Is the form-element required (default=true)
+ * @param array $attributes (optional) List of attributes for the form-element
+ *
+ * @return HTML_QuickForm_text
+ */
+ public function addInternalUrl($name, $label, $required = true, $attributes = [], $createElement = false)
+ {
+ if ($createElement) {
+ $element = $this->createElement('text', $name, $label, $attributes);
+ } else {
+ $element = $this->addElement('text', $name, $label, $attributes);
+ }
+
+ $this->applyFilter($name, 'trim');
+ $this->applyFilter($name, 'plain_url_filter');
+ $this->addRule($name, get_lang('InsertAValidUrl'), 'internal_url');
+
+ if ($required) {
+ $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
+ }
+
+ return $element;
+ }
+
  /**
  * Add hidden course params.
  */
@@ -1268,6 +1298,7 @@ public function addUrl($name, $label, $required = true, $attributes = [])
  {
  $this->addElement('url', $name, $label, $attributes);
  $this->applyFilter($name, 'trim');
+
  $this->addRule($name, get_lang('InsertAValidUrl'), 'url');
 
  if ($required) {
@@ -2048,3 +2079,20 @@ function mobile_phone_number_filter($mobilePhoneNumber)
 
  return ltrim($mobilePhoneNumber, '0');
 }
+
+/**
+ * Cleans JS from a URL.
+ *
+ * @param string $html URL to clean
+ * @param int $mode (optional)
+ *
+ * @return string The cleaned URL
+ */
+function plain_url_filter($html, $mode = NO_HTML)
+{
+ $allowed_tags = HTML_QuickForm_Rule_HTML::get_allowed_tags($mode);
+ $html = kses_no_null($html);
+ $html = kses_js_entities($html);
+ $allowed_html_fixed = kses_array_lc($allowed_tags);
+ return kses_split($html, $allowed_html_fixed, array('http', 'https'));
+}

main/inc/lib/formvalidator/Rule/InternalUrl.php

@@ -0,0 +1,24 @@
+<?php
+
+/**
+ * Abstract base class for QuickForm validation rules.
+ */
+
+/**
+ * Validate internal urls (URLs without the domain).
+ */
+class HTML_QuickForm_Rule_InternalUrl extends HTML_QuickForm_Rule
+{
+ /**
+ * Validates internal url.
+ * We cheat a little by using the adding the domain as prefix to use the domain validation process of filter_var().
+ *
+ * @param string $url
+ *
+ * @return bool returns true if valid, false otherwise
+ */
+ public function validate($url, $options)
+ {
+ return (bool) filter_var(api_get_path(WEB_PATH).$url, FILTER_VALIDATE_URL);
+ }
+}

main/inc/lib/pear/HTML/QuickForm/RuleRegistry.php

@@ -152,7 +152,8 @@ public function getRule($ruleName)
  'mimetype' => 'HTML_QuickForm_Rule_MimeType',
  'filename' => 'HTML_QuickForm_Rule_FileName',
  'validquestiontype' => 'HTML_QuickForm_Rule_QuestionType',
- 'mintext' => 'Html_Quickform_Rule_MinText'
+ 'mintext' => 'Html_Quickform_Rule_MinText',
+ 'internal_url' => 'HTML_QuickForm_Rule_InternalUrl',
  );
 
  $class = $rules[$ruleName];