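/**
 * Stores the H5P content posted by the editor form and tells the parent
 * window to insert it.
 *
 * Reads 'cid', 'edit-h5p-params', 'edit-h5p-library' and 'h5p-title' from the
 * request, upserts the row in #__h5p, lets the H5P editor create directories
 * and process the parameters, then prints a small HTML response whose script
 * calls window.parent.insertH5P().
 *
 * NOTE(review): no form-token or permission check is visible in this method.
 * Confirm the controller or task dispatcher performs both before this runs,
 * since it writes to the database and the file system.
 *
 * @return void
 */
public function save()
{
    $input = JFactory::getApplication()->input;
    $contentId = $input->getVar('cid');

    // Cannot use input->get() here. It eats all HTML, with no option to
    // tell it not to... H5P does its own XSS filtering of HTML fields,
    // but it does so when returning it from the database.
    // isset() guard: a request without the field is treated as empty
    // parameters instead of raising an undefined-index notice.
    $h5p_params = isset($_POST['edit-h5p-params']) ? $_POST['edit-h5p-params'] : '';
    $library = $input->get('edit-h5p-library', '', 'string');

    $h5p_core = H5PJoomla::getInstance('core');
    $h5p_joomla = H5PJoomla::getInstance('interface');

    $library_data = $h5p_core->libraryFromString($library);
    // The fields below are read as array keys; stop before touching the
    // database when the library string could not be parsed.
    // NOTE(review): presumably libraryFromString() returns FALSE for an
    // unparseable string; confirm against the bundled H5P core.
    if (!is_array($library_data)
        || !isset($library_data['machineName'], $library_data['majorVersion'], $library_data['minorVersion'])) {
        print "<p>Invalid H5P library.</p>";
        return;
    }

    $libraryId = $h5p_joomla->getLibraryId(
        $library_data['machineName'],
        $library_data['majorVersion'],
        $library_data['minorVersion']
    );

    $db = JFactory::getDbo();
    // String values go through $db->quote(); the library id is forced to an
    // integer by the %d conversions in the statement below.
    $jsonQuoted = $db->quote($h5p_params);

    $title = $input->get('h5p-title', 'My H5P', 'string');
    if (!$title) {
        $title = 'Untitled ' . $library_data['machineName'];
    }
    $titleQuoted = $db->quote($title);

    $db->setQuery(sprintf("INSERT INTO #__h5p (h5p_id, title, json_content, embed_type, main_library_id)\n\t\t\t VALUES (%s, %s, %s, 'div, iframe', %d)\n\t\t\t ON DUPLICATE KEY UPDATE title=%s, json_content=%s, main_library_id=%d", $db->quote($contentId), $titleQuoted, $jsonQuoted, $libraryId, $titleQuoted, $jsonQuoted, $libraryId));
    $db->query();

    $storage = H5PJoomla::getInstance('editorstorage');
    $h5pStorage = H5PJoomla::getInstance('storage');
    $editor = new H5peditor($storage, JPATH_ROOT . DIRECTORY_SEPARATOR . 'media', JURI::root(true), $h5pStorage);

    if (!$editor->createDirectories($contentId)) {
        print "<p>Unable to create content directories on the server. Please contact the system administrator.</p>";
        return;
    }

    // Move files.
    // NOTE(review): json_decode() yields NULL for malformed JSON, and the raw
    // string has already been stored above without validation.
    $editor->processParameters($contentId, $library_data, json_decode($h5p_params), NULL, NULL);

    // Response HTML
    // The content id and title are request-derived and end up inside a
    // <script> element, so they are emitted as JSON string literals with
    // <, >, &, ' and " hex-escaped. Plain interpolation between single quotes
    // let a quote or "</script>" in either value break out of the string.
    $jsFlags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $jsContentId = json_encode((string) $contentId, $jsFlags);
    $jsTitle = json_encode((string) $title, $jsFlags);
    // json_encode() returns false on input it cannot encode (e.g. invalid
    // UTF-8); fall back to an empty JS string so the script stays well-formed.
    if ($jsContentId === false) {
        $jsContentId = '""';
    }
    if ($jsTitle === false) {
        $jsTitle = '""';
    }

    header('Content-Type: text/html');
    print "\n\t\t\t<script type=\"text/javascript\">\n\t\t\t\twindow.parent.insertH5P({$jsContentId}, {$jsTitle});\n\t\t\t</script>\n\t\t";
}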