Commit 8f95eac1 authored by David Mudrák's avatar David Mudrák Committed by Eloy Lafuente (stronk7)

MDL-52727 mod_data: Improve output of the form fields values

This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.

While working on the patch, some other places with weak protection were
detected and fixed.

In the case of the itemid parameters, s() seems to be unnecessary, but it
was added anyway as extra protection (in case the code flow changes or
parts of the code are re-used elsewhere).
parent d3142bcd
......@@ -68,7 +68,7 @@ class data_field_file extends data_field_base {
$html .= '<fieldset><legend><span class="accesshide">'.$this->field->name.'</span></legend>';
// itemid element
$html .= '<input type="hidden" name="field_'.$this->field->id.'_file" value="'.$itemid.'" />';
$html .= '<input type="hidden" name="field_'.$this->field->id.'_file" value="'.s($itemid).'" />';
$options = new stdClass();
$options->maxbytes = $this->field->param3;
......@@ -92,7 +92,7 @@ class data_field_file extends data_field_base {
function display_search_field($value = '') {
return '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name . '</label>' .
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function generate_sql($tablealias, $value) {
......
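Review bot: `$this->field->name` is still concatenated unescaped into the legend on L20 and into the accesshide label of display_search_field on L28, while `$value` in the same return statement now goes through s(). The field name is stored configuration rather than a request parameter, so the actual exposure depends on who may create fields and how the name is cleaned on save, which this hunk does not show; printing it as `s($this->field->name)` (or via whatever the module's convention for rendering field names is) would make the label handling consistent with the value handling. The same unescaped label pattern is visible in data_field_text (the single-line return), in data_field_textarea's display_search_field, and in data_field_url's edit form label. The enclosing method of the first hunk starts before the hunk.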
......@@ -71,7 +71,7 @@ class data_field_number extends data_field_base {
function display_search_field($value = '') {
return '<label class="accesshide" for="f_'.$this->field->id.'">' . get_string('fieldname', 'data') . '</label>' .
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function parse_search_field() {
......
......@@ -93,7 +93,7 @@ class data_field_picture extends data_field_base {
$str .= $output->render($fm);
$str .= '<div class="mdl-left">';
$str .= '<input type="hidden" name="field_'.$this->field->id.'_file" value="'.$itemid.'" />';
$str .= '<input type="hidden" name="field_'.$this->field->id.'_file" value="'.s($itemid).'" />';
$str .= '<label for="field_'.$this->field->id.'_alttext">'.get_string('alttext','data') .'</label>&nbsp;<input type="text" name="field_'
.$this->field->id.'_alttext" id="field_'.$this->field->id.'_alttext" value="'.s($alttext).'" />';
$str .= '</div>';
......@@ -123,7 +123,7 @@ class data_field_picture extends data_field_base {
function display_search_field($value = '') {
return '<label class="accesshide" for="f_'.$this->field->id.'">' . get_string('fieldname', 'data') . '</label>' .
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function parse_search_field() {
......
......@@ -27,7 +27,7 @@ class data_field_text extends data_field_base {
var $type = 'text';
function display_search_field($value = '') {
return '<label class="accesshide" for="f_' . $this->field->id . '">'. $this->field->name.'</label>' . '<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
return '<label class="accesshide" for="f_' . $this->field->id . '">'. $this->field->name.'</label>' . '<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function parse_search_field() {
......
......@@ -121,7 +121,7 @@ class data_field_textarea extends data_field_base {
}
$editor->set_text($text);
$editor->use_editor($field, $options, $fpoptions);
$str .= '<input type="hidden" name="'.$field.'_itemid" value="'.$draftitemid.'" />';
$str .= '<input type="hidden" name="'.$field.'_itemid" value="'.s($draftitemid).'" />';
$str .= '<div><textarea id="'.$field.'" name="'.$field.'" rows="'.$this->field->param3.'" cols="'.$this->field->param2.'" spellcheck="true">'.s($text).'</textarea></div>';
$str .= '<div><label class="accesshide" for="' . $field . '_content1">' . get_string('format') . '</label>';
$str .= '<select id="' . $field . '_content1" name="'.$field.'_content1">';
......@@ -139,7 +139,7 @@ class data_field_textarea extends data_field_base {
function display_search_field($value = '') {
return '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name . '</label>' .
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function parse_search_field() {
......
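Review bot: The textarea markup on L72 interpolates `$this->field->param3` and `$this->field->param2` into the rows/cols attributes without escaping, in the same statement where `$text` and now `$draftitemid` are escaped. These come from stored field settings, so whether they are guaranteed to be integers depends on how the field definition form cleans them, which is outside this hunk; wrapping them as `rows="'.s($this->field->param3).'" cols="'.s($this->field->param2).'"` costs nothing and removes the inconsistency. `$field` is likewise used raw as id and name on L70 to L74; if it is built from the integer field id, as the name suggests, that is fine, but a comment recording that assumption next to its definition would help the next reader. The enclosing method begins before the hunk.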
......@@ -54,7 +54,7 @@ class data_field_url extends data_field_base {
$str .= '<table><tr><td align="right">';
$str .= get_string('url','data').':</td><td>';
$str .= '<label class="accesshide" for="' . $fieldid . '">'. $this->field->name .'</label>';
$str .= '<input type="text" name="field_'.$this->field->id.'_0" id="'.$fieldid.'" value="'.$url.'" size="60" />';
$str .= '<input type="text" name="field_'.$this->field->id.'_0" id="'.$fieldid.'" value="'.s($url).'" size="60" />';
$str .= '<button id="filepicker-button-'.$options->client_id.'" style="display:none">'.$straddlink.'</button></td></tr>';
$str .= '<tr><td align="right">'.get_string('text','data').':</td><td><input type="text" name="field_'.$this->field->id.'_1" id="field_'.$this->field->id.'_1" value="'.s($text).'" size="60" /></td></tr>';
$str .= '</table>';
......@@ -79,7 +79,7 @@ class data_field_url extends data_field_base {
function display_search_field($value = '') {
return '<label class="accesshide" for="f_'.$this->field->id.'">' . get_string('fieldname', 'data') . '</label>' .
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.$value.'" />';
'<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" value="'.s($value).'" />';
}
function parse_search_field() {
......
......@@ -1715,9 +1715,9 @@ function data_print_preference_form($data, $perpage, $search, $sort='', $order='
$fn = !empty($search_array[DATA_FIRSTNAME]->data) ? $search_array[DATA_FIRSTNAME]->data : '';
$ln = !empty($search_array[DATA_LASTNAME]->data) ? $search_array[DATA_LASTNAME]->data : '';
$patterns[] = '/##firstname##/';
$replacement[] = '<label class="accesshide" for="u_fn">'.get_string('authorfirstname', 'data').'</label><input type="text" size="16" id="u_fn" name="u_fn" value="'.$fn.'" />';
$replacement[] = '<label class="accesshide" for="u_fn">'.get_string('authorfirstname', 'data').'</label><input type="text" size="16" id="u_fn" name="u_fn" value="'.s($fn).'" />';
$patterns[] = '/##lastname##/';
$replacement[] = '<label class="accesshide" for="u_ln">'.get_string('authorlastname', 'data').'</label><input type="text" size="16" id="u_ln" name="u_ln" value="'.$ln.'" />';
$replacement[] = '<label class="accesshide" for="u_ln">'.get_string('authorlastname', 'data').'</label><input type="text" size="16" id="u_ln" name="u_ln" value="'.s($ln).'" />';
// actual replacement of the tags
$newtext = preg_replace($patterns, $replacement, $data->asearchtemplate);
......
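Review bot: The replacement strings built on L105 and L108 are handed to preg_replace() on L110, where a backslash or a `$` followed by a digit is backreference syntax, so s() alone does not keep the submitted text literal: a first name of `$0` would be rendered as `##firstname##`. Escaping those characters after the HTML escaping, e.g. `addcslashes(s($fn), '\\$')`, or replacing the fixed `##firstname##` and `##lastname##` tags with str_replace() instead of a regex, would preserve the user's text exactly. Separately, the `!empty(...)` guards on L101 and L102 discard a search for the literal value `0`, because `empty('0')` is true; an isset() check on `->data` would keep it. data_print_preference_form starts before the hunk, and `$patterns` may already hold other entries set earlier in the function.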