This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.
While working on the patch, some other places with weak protection were
detected and fixed.
In case of the itemid parameters, explicit clean_param() is added to
make sure we cast the value as an integer. That should make the s()
unnecessary but it was added anyway as an extra protection (just in case
the code flow changes or the parts of the code are re-used elsewhere).
version = planned 2015051100 release version
requires= current 2015050500 rc1 version
Note: On purpose, the course format social wrong version (2015102100)
has been kept unmodified. Looking forward a solution right now.
Fix accidental <tr> in some field modify screens
Update mod_data version
Change required asterisk to image
Improve required error message
Fix required icon positions
Remove required code from date field
Add name in labels for fields
Add required field option for multimenu
Remove old required field title text modifier
Add multimenu to behat
Add more comprehensive behat tests
Reload old input when an input error occurs
Behat grammar fixes
Allow location of 0, 0
Use html_writer
Fix existing mod_data behat tests
This is implemented for most fields but not all. The reason is that there are
some fields for which this does not make sense because no entry is a valid entry.
The supported fields are:
checkbox
file
latlong
menu
number
picture
radio
text
textarea
url
The unsupported fields are:
date
multimenu
* image galery preset accessiblity fixes MDL-7822
* xhtml fixes
* fields now use s() and p() where needed
* added labels to all fields - imporved accessiblity for adding of new entries
* some other general bugfixing and cleanup
it is still not finished though, expect some more commits tomorrow
Removed hard coded message strings from scripts and moved them to the language file.
Fixed a display bug in multimenu field.
Removed rounded help buttons from fields, made the fields use html title to
display the descriptions instead.
Updated following fields so that they do not pack data into
data_content.content, but use data_content.content, data_content.content1,
etc:
- URL field
- File field
- Picture field
Note that above changes to the way data is stored means that the new
implementation is not compatible with previous version.
Updated textarea field. Added relevant help messages. Added richtext editor
support. Removed ability to restrict allowed formats for the textarea field.
Misc bug fixes and display tweaks.