//hack, if param[name]=src or none <param> tag, extract. Skip all other <param> attributes.
if ($name!='param' || $attrs['name']=='src'){
//skip glossary.html, tweak to accomodate atutor imscp; also skip repeated entries.
+ //skip javascript: links, void();, #, mailto:
if (strpos($attrs[$elements[$name]], 'glossary.html')===false
- && !in_array($attrs[$elements[$name]], $my_files)){
+ && !in_array($attrs[$elements[$name]], $my_files)
+ && $attrs[$elements[$name]]!='#'
+ && strpos($attrs[$elements[$name]], 'javascript:')===false
+ && strpos($attrs[$elements[$name]], 'mailto:')===false
+ && strpos($attrs[$elements[$name]], 'void(')===false
+ ){
$my_files[] = $attrs[$elements[$name]];
}
}
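Review bot: The added `javascript:`, `mailto:` and `void(` tests are case-sensitive `strpos` matches anywhere in the value, so a link written as `JavaScript:` or `MAILTO:` is still appended to `$my_files`, while a real file whose name happens to contain one of those strings is dropped. Reading the attribute once and anchoring the scheme test would be tighter, e.g. `$href = trim($attrs[$elements[$name]]);` followed by `&& !preg_match('/^(javascript|mailto):/i', $href)` in place of the two scheme lines. That also removes the six repeated `$attrs[$elements[$name]]` lookups, which presumably raise a notice when the tag has no such attribute (not visible here). The enclosing handler starts outside this hunk, so how `$my_files` is consumed later should be confirmed.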
if (substr($file, 0, 7) != 'http://' && substr($file, 0, 8) != 'https://') {
$file_path = realpath(AT_CONTENT_DIR . $course_id . '/' . $content['content_path'] . $file);
-
+ /* check if the path contains AT_CONTENT_DIR in it, if not, skip it, it's trying to scan through
+ * the file system */
+ if (strpos($file_path, AT_CONTENT_DIR)!==0){
+ continue; //skip
+ }
+
/* check if this file exists in the content dir, if not don't include it */
if (file_exists($file_path) && is_file($file_path) && !in_array($file_path, $zipped_files)) {
$zipped_files[] = $file_path;
if (!empty($test_zipped_files) && in_array($file_path, $test_zipped_files)){
$content_files .= str_replace('{FILE}', $file, $ims_template_xml['file']);
} else {
- if (strpos($file, 'mailto:')!==false){
- //email exists in <a href=''> links but is not a file.
- continue;
- } elseif (preg_match('/^http[s]?\:/', $file) == 1){
+ if (preg_match('/^http[s]?\:/', $file) == 1){
$content_files .= str_replace('{FILE}', $file, $ims_template_xml['xml']);
- } else {
+ } elseif (file_exists($file_path) && is_file($file_path)) {
+ //http://www.atutor.ca/atutor/mantis/view.php?id=4313
+ //relative link that goes beyond get.php shouldn't be added
+ //relative link that does not exist shouldn't be added.
$content_files .= str_replace('{FILE}', $content['content_path'] . $file, $ims_template_xml['file']);
}
}
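Review bot: The containment check `strpos($file_path, AT_CONTENT_DIR)!==0` bounds the resolved path to the whole content directory, not to the course directory that the `realpath()` line above builds from `AT_CONTENT_DIR . $course_id`. A relative reference that leaves the course folder but stays under `AT_CONTENT_DIR` still passes, so one course's export could include files from a sibling course. The check also assumes `AT_CONTENT_DIR` is already canonical and ends in a separator, which the hunk does not show. Comparing against the canonical course root would close both gaps: `$course_root = realpath(AT_CONTENT_DIR . $course_id);` then `if ($file_path === false || $course_root === false || strpos($file_path, $course_root . DIRECTORY_SEPARATOR) !== 0) { continue; }`. Separately, the new `elseif (file_exists($file_path) && is_file($file_path))` repeats the condition of the enclosing `if`, so it adds no protection; the surrounding loop starts and ends outside this hunk.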