| commit | 8f95eac1634b4d84053cef52a03065e620d6adf2 | |
| author | David Mudrák <david@moodle.com> | |
| Mon, 18 Jan 2016 13:26:31 +0000 (18 14:26 +0100) | ||
| committer | Eloy Lafuente (stronk7) <stronk7@moodle.org> | |
| Mon, 7 Mar 2016 21:07:17 +0000 (7 22:07 +0100) | ||
| tree | 7aae2e56d97cd8e021a12abdf4637593137e1abf | treesnapshot (tar.gz zip) |
| parent | d3142bcdbed86fcf707bd3da1b2ed589b4c77e07 | commitdiff |
MDL-52727 mod_data: Improve output of the form fields values
This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.
While working on the patch, some other places with weak protection were
detected and fixed.
In case of the itemid parameters, the s() seems to be unnecessary but it
was added anyway as an extra protection (just in case the code flow
changes or the parts of the code are re-used elsewhere).
This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.
While working on the patch, some other places with weak protection were
detected and fixed.
In case of the itemid parameters, the s() seems to be unnecessary but it
was added anyway as an extra protection (just in case the code flow
changes or the parts of the code are re-used elsewhere).