Commit e5654cad authored by Sam Hemelryk's avatar Sam Hemelryk

Merge branch 'MDL-25754_20_wip' of git://github.com/skodak/moodle

parents ec9b044d 34b93e39
......@@ -792,10 +792,9 @@ function clean_param($param, $type) {
}
case PARAM_TAG:
//as long as magic_quotes_gpc is used, a backslash will be a
//problem, so remove *all* backslash.
//$param = str_replace('\\', '', $param);
//remove some nasties
// Please note it is not safe to use the tag name directly anywhere,
// it must be processed with s(), urlencode() before embedding anywhere.
// remove some nasties
$param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
//convert many whitespace chars into one
$param = preg_replace('/\s+/', ' ', $param);
......@@ -803,7 +802,6 @@ function clean_param($param, $type) {
$param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
return $param;
case PARAM_TAGLIST:
$tags = explode(',', $param);
$result = array();
......
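Review bot: The comment added in the PARAM_TAG branch says the tag name "must be processed with s(), urlencode()" but does not say which of the two applies in which context, or why cleaning alone is not enough. Going by the regex visible in this hunk, the branch strips only control characters and `<`, `>` and the backtick, so quotes and `&` survive cleaning. I would spell that out, e.g. `// PARAM_TAG keeps quotes and &: use s() when printing into HTML and urlencode() when building URLs.` The rest of clean_param lies outside these hunks.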
......@@ -55,7 +55,9 @@ $PAGE->set_context($systemcontext);
$PAGE->set_blocks_editing_capability('moodle/tag:editblocks');
$PAGE->set_pagelayout('base');
$PAGE->requires->yui2_lib('connection');
$PAGE->requires->yui2_lib('animation');
$PAGE->requires->yui2_lib('datasource');
$PAGE->requires->yui2_lib('autocomplete');
$tagname = tag_display_name($tag);
......
......@@ -599,7 +599,7 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
global $CFG;
if(!isset($tagobject->name)) {
if (!isset($tagobject->name)) {
return '';
}
......@@ -612,6 +612,9 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
$tagname = $tagobject->rawname;
}
// clean up a bit just in case the rules change again
$tagname = clean_param($tagname, PARAM_TAG);
if ($html == TAG_RETURN_TEXT) {
return $tagname;
} else { // TAG_RETURN_HTML
......
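Review bot: The comment `// clean up a bit just in case the rules change again` above the new `clean_param($tagname, PARAM_TAG)` call does not tell callers what the TAG_RETURN_TEXT result guarantees. Going by the PARAM_TAG branch shown in this commit, the returned value has had control characters and `<>` plus the backtick stripped, whitespace collapsed and length cut to TAG_MAX_LENGTH, but it is not escaped. I would replace the comment with `// Re-apply the PARAM_TAG rules to stored names as defence in depth; this is not output escaping.` and state in the function's docblock that TAG_RETURN_TEXT output still needs s() or urlencode() at the point of use. The TAG_RETURN_HTML branch continues outside the hunk, so its escaping could not be checked here.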
......@@ -22,6 +22,8 @@
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
define('AJAX_SCRIPT', true);
require_once('../config.php');
require_once('lib.php');
......@@ -35,6 +37,6 @@ $query = optional_param('query', '', PARAM_RAW);
if ($similar_tags = tag_autocomplete($query)) {
foreach ($similar_tags as $tag) {
echo $tag->name . "\t" . tag_display_name($tag) . "\n";
echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
}
}
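Review bot: The first field of each response line, `clean_param($tag->name, PARAM_TAG)`, is echoed with no HTML escaping, while the second field comes from `tag_display_name($tag)` in its default (apparently HTML) mode, and nothing in the loop records that the two fields carry different encodings. PARAM_TAG removes control characters, which keeps the tab/newline framing intact, but it leaves quotes and `&` in place. I would add `// field 1: plain-text tag name (not HTML-escaped); field 2: display name. Insert field 1 as text, never as markup.` above the echo, or wrap the first field in `s()` if the consuming script (not visible here) writes it into the page as HTML. Separately, `$query` is read as PARAM_RAW on the hunk header line, so tag_autocomplete() has to bind it as a query parameter rather than concatenate it; that function is not shown on this page.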