This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.
While working on the patch, some other places with weak protection were
detected and fixed.
In case of the itemid parameters, explicit clean_param() is added to
make sure we cast the value as an integer. That should make the s()
unnecessary but it was added anyway as an extra protection (just in case
the code flow changes or the parts of the code are re-used elsewhere).
Finally, we have an early version good enough for everyone to
start banging on to help us polish it up and find bugs.
Please take a look and file bugs in the bug tracker under "Database module".
We urgently need
- new icons for existing field types
- testing on PostgreSQL install
Coming soon (?):
- Many more field types: calculation, checkbox, relation, date, datetime,
time, email, group, list, user, number, richtext
(Please let us know if you are interested in developing any of these)
- A way to save and restore "presets", which are field/template sets
- Backup/Restore support
- Groups Support
- RSS support
Many thanks to Yu for all the hard work under my whip.