
Feature #3257 fix some variables are lost when called for "receiver" by nanongong from record_audio (Firefox,Chrome). Then Nanogong needs to run less security filters

Juan Carlos Raña 13 years ago
parent
commit
05556dfb00

+ 9 - 4
main/document/record_audio.php

@@ -137,7 +137,7 @@ if (isset ($group)) {
 Display :: display_header($nameTools, 'Doc');
 
 echo '<div class="actions">';
-		echo '<a href="document.php?id='.$document_id.'">'.Display::return_icon('back.png',get_lang('BackTo').' '.get_lang('DocumentsOverview'),'','32').'</a>';
+		echo '<a href="document.php?'.api_get_cidreq().'&id='.$document_id.'">'.Display::return_icon('back.png',get_lang('BackTo').' '.get_lang('DocumentsOverview'),'','32').'</a>';
 echo '</div>';
 
 echo '<br/>';
@@ -155,10 +155,13 @@ function submitVoice() {
 	//path, url and filename
 	var filename = document.getElementById("audio_title").value+".wav";	
 	var filename = filename.replace(/\s/g, "_");//replace spaces by _
-	var filename = encodeURIComponent(filename);//TODO:implement a good encode into receiver.php	
+	var filename = encodeURIComponent(filename);	
 	var filepath="<?php echo urlencode($filepath); ?>";
-	var dir="<?php echo urlencode($dir); ?>";	
-	var urlnanogong="../inc/lib/nanogong/receiver.php?filename="+filename+"&filepath="+filepath+"&dir="+dir;	
+	var dir="<?php echo urlencode($dir); ?>";
+	var course_code="<?php echo urlencode($course_code); ?>";
+	var urlnanogong="../inc/lib/nanogong/receiver.php?filename="+filename+"&filepath="+filepath+"&dir="+dir+"&course_code="+course_code;
+	
+	
 	//check	
 	var recorder
 	if (!(recorder = document.getElementById("nanogong")) || !(recorder.sendGongRequest)) {
@@ -209,6 +212,8 @@ if ($array_browser[0]=="Internet Explorer") {
 } else {   
 	echo '<form name="form_nanogong">';	
 		echo '<input type="text" id="audio_title">';
+		echo '<input type="hidden" name="cidReq" value="'.$_course['id'].'">';
+		echo '<input type="hidden" name="id" value="'.$document_id.'">';
 		echo '<button class="upload" type="submit" value="'.get_lang('Send').'" onClick="submitVoice()" />'.get_lang('Send').'</button>';
 	echo '</form>';
 }
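Review bot: The two hidden inputs added to `form_nanogong` write `$_course['id']` and `$document_id` into `value="…"` without HTML-escaping, and the rewritten back link in the first hunk does the same with `$document_id` inside an `href`. The assignment of `$document_id` is outside these hunks, so whether it is already cast or filtered cannot be confirmed from here. If it comes from the request, a quote character would end the attribute early. Escaping at the point of output removes the dependency on upstream filtering, for example `echo '<input type="hidden" name="id" value="'.htmlspecialchars($document_id, ENT_QUOTES).'">';`, with the same treatment for `cidReq`.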

+ 1 - 1
main/inc/lib/nanogong/NOTICE.txt

@@ -1,4 +1,4 @@
-The NanoGong Applet 4.1
+The NanoGong Applet 4.2
 Copyright 2002-2011 The Gong Project
 
 This product includes software developed by the Gong Project

+ 14 - 8
main/inc/lib/nanogong/receiver.php

@@ -15,19 +15,25 @@
 require_once '../../../inc/global.inc.php';
 require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
 
-//security
-api_protect_course_script();
-api_block_anonymous_users();
-if (!isset($_GET['filename']) || !isset($_GET['filepath']) || !isset($_GET['dir'])){
+//security. Nanogong need less security
+if(api_get_setting('enable_nanogong') == 'false'){
+	api_protect_course_script();
+	api_block_anonymous_users();
+}
+
+if (!isset($_GET['filename']) || !isset($_GET['filepath']) || !isset($_GET['dir']) || !isset($_GET['course_code'])){
 	api_not_allowed(true);
 }
 if (!is_uploaded_file($_FILES['voicefile']['tmp_name'])) exit;
 
 //clean
-$filename=$_GET['filename'];
-$filename=urldecode($filename);//TODO: implement a good for record_audio.php encodeURIComponent
-$filepath=urldecode($_GET['filepath']);
-$dir=urldecode($_GET['dir']);
+$filename=Security::remove_XSS($_GET['filename']);
+$filename=urldecode($filename);
+$filepath=Security::remove_XSS(urldecode($_GET['filepath']));
+$dir=Security::remove_XSS(urldecode($_GET['dir']));
+
+$course_code = Security::remove_XSS(urldecode($_GET['course_code']));
+$_course=api_get_course_info($course_code);
 
 $filename = trim($_GET['filename']);
 $filename = Security::remove_XSS($filename);
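Review bot: Wrapping `api_protect_course_script();` and `api_block_anonymous_users();` in `if(api_get_setting('enable_nanogong') == 'false')` means both checks are skipped exactly when the recorder is enabled. In that state this upload endpoint accepts a `voicefile` POST with no login or course-membership check, and it resolves the target course from the caller-supplied `course_code`. If the applet loses the session, a safer fix keeps both calls unconditional and has record_audio.php pass a short-lived, server-issued token tied to the user and course, which receiver.php verifies before `is_uploaded_file`. `Security::remove_XSS` is an HTML filter, not a path check, so `filepath` and `dir` still need to be confined to the course document directory (reject `..` and absolute paths). The script continues past this hunk, so that may already happen further down. The added `$filename=Security::remove_XSS($_GET['filename']);` and the `urldecode` after it have no effect, because the unchanged `$filename = trim($_GET['filename']);` below reassigns the variable.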