a5fae3b0d2
This issue mostly affects the search form fields. Submitted values for these fields are typically obtained via optional_param() with PARAM_NOTAGS specified as the parameter type - see parse_search_field() methods. Such values themselves are not safe enough to be printed back directly into the HTML as they might contain malicious code. While working on the patch, some other places with weak protection were detected and fixed. In case of the itemid parameters, explicit clean_param() is added to make sure we cast the value as an integer. That should make the s() unnecessary but it was added anyway as an extra protection (just in case the code flow changes or the parts of the code are re-used elsewhere).
49 lines
2.4 KiB
PHP
49 lines
2.4 KiB
PHP
<?php
|
|
///////////////////////////////////////////////////////////////////////////
|
|
// //
|
|
// NOTICE OF COPYRIGHT //
|
|
// //
|
|
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
|
|
// http://moodle.org //
|
|
// //
|
|
// Copyright (C) 1999-onwards Moodle Pty Ltd http://moodle.com //
|
|
// //
|
|
// This program is free software; you can redistribute it and/or modify //
|
|
// it under the terms of the GNU General Public License as published by //
|
|
// the Free Software Foundation; either version 2 of the License, or //
|
|
// (at your option) any later version. //
|
|
// //
|
|
// This program is distributed in the hope that it will be useful, //
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
|
|
// GNU General Public License for more details: //
|
|
// //
|
|
// http://www.gnu.org/copyleft/gpl.html //
|
|
// //
|
|
///////////////////////////////////////////////////////////////////////////
|
|
|
|
class data_field_text extends data_field_base {
|
|
|
|
var $type = 'text';
|
|
|
|
function display_search_field($value = '') {
|
|
return '<label class="accesshide" for="f_' . $this->field->id . '">'. $this->field->name.'</label>' . '<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
|
|
}
|
|
|
|
function parse_search_field() {
|
|
return optional_param('f_'.$this->field->id, '', PARAM_NOTAGS);
|
|
}
|
|
|
|
function generate_sql($tablealias, $value) {
|
|
global $DB;
|
|
|
|
static $i=0;
|
|
$i++;
|
|
$name = "df_text_$i";
|
|
return array(" ({$tablealias}.fieldid = {$this->field->id} AND ".$DB->sql_like("{$tablealias}.content", ":$name", false).") ", array($name=>"%$value%"));
|
|
}
|
|
|
|
}
|
|
|
|
|