Commit 3a298174 authored by jamiesensei's avatar jamiesensei

Important security fix: the previous use of ['type'] in the repeatedeloptions array would not have worked.

parent 83b902fe
......@@ -498,9 +498,6 @@ class moodleform {
case 'default' :
$mform->setDefault($realelementname, $params);
break;
case 'type' :
$mform->setType($realelementname, $params);
break;
case 'helpbutton' :
$mform->setHelpButton($realelementname, $params);
break;
......@@ -613,7 +610,6 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
* @access public
*/
function MoodleQuickForm($formName, $method, $action, $target='', $attributes=null){
global $CFG;
static $formcounter = 1;
HTML_Common::HTML_Common($attributes);
......@@ -739,9 +735,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
}
}
$renderer->setAdvancedElements($this->_advancedElements);
if (count($this->_advancedElements)){
}
}
parent::accept($renderer);
}
......@@ -803,7 +797,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
$this->_submitFiles = array();
} else {
if (1 == get_magic_quotes_gpc()) {
foreach ($files as $elname=>$file) {
foreach (array_keys($files) as $elname) {
// dangerous characters in filenames are cleaned later in upload_manager
$files[$elname]['name'] = stripslashes($files[$elname]['name']);
}
......@@ -965,7 +959,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
{
parent::addGroupRule($group, $arg1, $type, $format, $howmany, $validation, $reset);
if (is_array($arg1)) {
foreach ($arg1 as $elementIndex => $rules) {
foreach ($arg1 as $rules) {
foreach ($rules as $rule) {
$validation = (isset($rule[3]) && 'client' == $rule[3])? 'client': 'server';
......@@ -977,7 +971,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
} elseif (is_string($arg1)) {
if ($validation == 'client') {
$this->updateAttributes(array('onsubmit' => 'try { var myValidator = validate_' . $formname . '; } catch(e) { return true; } return myValidator(this);'));
$this->updateAttributes(array('onsubmit' => 'try { var myValidator = validate_' . $this->_formName . '; } catch(e) { return true; } return myValidator(this);'));
}
}
} // end func addGroupRule
......@@ -1035,7 +1029,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
} elseif ($dependent) {
$element = array();
$element[] =& $this->getElement($elementName);
foreach ($rule['dependent'] as $idx => $elName) {
foreach ($rule['dependent'] as $elName) {
$element[] =& $this->getElement($elName);
}
} else {
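Review bot: With the `case 'type'` branch removed in the first hunk, a caller that still passes a `'type'` key in its repeat options array has that key dropped without notice, and the field may then be left with no cleaning type at all. The rest of the switch lies outside the hunk, so whether a default branch reports unknown keys cannot be seen here. If it does not, keep the case and have it emit a developer notice instead of calling `setType()`, for example `debugging("'type' is not supported in repeat options; call \$mform->setType() for $realelementname");`. This commit only updates the forms it touches, so any other caller would otherwise stay untyped silently.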
......
......@@ -37,14 +37,14 @@ class mod_choice_mod_form extends moodleform_mod {
}
$repeateloptions = array();
$repeateloptions['limit'] = array(
'default'=>0,
'type'=>PARAM_INT,
'disabledif'=>array('limitanswers', 'eq', 0));
$repeateloptions['option'] = array(
'type'=>PARAM_TEXT,
'helpbutton'=>array('options', get_string('modulenameplural', 'choice'), 'choice'));
$repeateloptions['optionid'] = array('type'=>PARAM_INT);
$repeateloptions['limit']['default'] = 0;
$repeateloptions['limit']['disabledif'] = array('limitanswers', 'eq', 0);
$mform->setType('limit', PARAM_INT);
$repeateloptions['option']['helpbutton'] = array('options', get_string('modulenameplural', 'choice'), 'choice');
$mform->setType('option', PARAM_TEXT);
$mform->setType('optionid', PARAM_INT);
$this->repeat_elements($repeatarray, $repeatno,
$repeateloptions, 'option_repeats', 'option_add_fields', 3);
......
......@@ -221,17 +221,15 @@ class mod_quiz_mod_form extends moodleform_mod {
}
$numfeedbacks = max(count($this->_feedbacks) * 1.5, 5);
$repeateloptions = array();
$repeateloptions ['feedbacktext'] = array('type'=>PARAM_TEXT);
$repeateloptions ['feedbackboundaries'] = array('type'=>PARAM_TEXT);
$mform->setType('feedbacktext', PARAM_TEXT);
$mform->setType('feedbackboundaries', PARAM_NOTAGS);
$nextel=$this->repeat_elements($repeatarray, $numfeedbacks-1,
$repeateloptions, 'boundary_repeats', 'boundary_add_fields', 3);
array(), 'boundary_repeats', 'boundary_add_fields', 3);
//put some extra elements in before the button
$insertEl = &MoodleQuickForm::createElement('text', "feedbacktext[$nextel]", get_string('feedback', 'quiz'));
$mform->insertElementBefore($insertEl, 'boundary_add_fields');
$mform->setType("feedbacktext[$nextel]", PARAM_TEXT);
$insertEl = &MoodleQuickForm::createElement('static', 'gradeboundarystatic2', get_string('gradeboundary', 'quiz'), '0%');
$mform->insertElementBefore($insertEl, 'boundary_add_fields');
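Review bot: Passing `array()` as the options argument of `repeat_elements()` makes the repeated fields look untyped, so the two `setType()` calls above it deserve a comment such as `// types are registered by base name here; repeat_elements() options no longer carry 'type'`. Whether the base-name registration for `'feedbacktext'` also covers the indexed element `feedbacktext[$nextel]` created later in this hunk is not visible on this page and should be confirmed against the form library. The same pattern appears in the calculated, match and numerical question forms of this commit. The enclosing method starts and ends outside the hunk.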
......
......@@ -91,18 +91,17 @@ class question_edit_calculated_form extends question_edit_form {
$mform->addGroup($anslengrp, 'anslengrp', get_string('correctanswershows', 'qtype_calculated'), null, false);
$mform->addElement('htmleditor', 'feedback[0]', get_string('feedback', 'quiz'));
$mform->setType('feedback[0]', PARAM_RAW);
$mform->setType('feedback', PARAM_RAW);
//------------------------------------------------------------------------------------------
$repeated = array();
$repeatedoptions = array();
$repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz'));
$repeatedoptions['unit']['type'] = PARAM_NOTAGS;
$mform->setType('unit', PARAM_NOTAGS);
$repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz'));
$repeatedoptions['multiplier']['type'] = PARAM_NUMBER;
$mform->setType('multiplier', PARAM_NUMBER);
if (isset($this->question->options)){
$countunits = count($this->question->options->units);
......@@ -110,7 +109,7 @@ class question_edit_calculated_form extends question_edit_form {
$countunits = 0;
}
$repeatsatstart = $countunits + 1;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_calculated', '{no}'));
$this->repeat_elements($repeated, $repeatsatstart, array(), 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_calculated', '{no}'));
$firstunit = $mform->getElement('multiplier[0]');
$firstunit->freeze();
......
......@@ -37,11 +37,10 @@ class question_edit_match_form extends question_edit_form {
}
$repeatsatstart = (QUESTION_NUMANS_START > ($countsubquestions + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countsubquestions + QUESTION_NUMANS_ADD);
$repeatedoptions = array();
$repeatedoptions['subanswer']['type'] = PARAM_TEXT;
$repeatedoptions['subquestion']['type'] = PARAM_TEXT;
$mform->setType('subanswer', PARAM_TEXT);
$mform->setType('subquestion', PARAM_TEXT);
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreqblanks', 'qtype_match'));
$this->repeat_elements($repeated, $repeatsatstart, array(), 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreqblanks', 'qtype_match'));
}
......
......@@ -34,8 +34,8 @@ class question_edit_missingtype_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_NOTAGS;//text with no multilang support
$repeatedoptions['fraction']['default'] = 0;
$mform->setType('answer', PARAM_NOTAGS);
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice'));
}
......
......@@ -45,8 +45,8 @@ class question_edit_multichoice_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_NOTAGS;//text with no multilang support
$repeatedoptions['fraction']['default'] = 0;
$mform->setType('answer', PARAM_NOTAGS);
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice'));
$mform->addElement('header', 'overallfeedbackhdr', get_string('overallfeedback', 'qtype_multichoice'));
......
......@@ -27,16 +27,16 @@ class question_edit_numerical_form extends question_edit_form {
$repeated[] =& $mform->createElement('header', 'answerhdr', get_string('answerno', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'answer', get_string('answer', 'quiz'));
$repeatedoptions['answer']['type'] = PARAM_NUMBER;
$mform->setType('answer', PARAM_NUMBER);
$repeated[] =& $mform->createElement('text', 'tolerance', get_string('acceptederror', 'quiz'));
$repeatedoptions['tolerance']['type'] = PARAM_NUMBER;
$mform->setType('tolerance', PARAM_NUMBER);
$repeated[] =& $mform->createElement('select', 'fraction', get_string('grade'), $gradeoptions);
$repeatedoptions['fraction']['default'] = 0;
$repeated[] =& $mform->createElement('htmleditor', 'feedback', get_string('feedback', 'quiz'));
$repeatedoptions['feedback']['type'] = PARAM_RAW;
$mform->setType('feedback', PARAM_RAW);
if (isset($this->question->options)){
......@@ -51,14 +51,13 @@ class question_edit_numerical_form extends question_edit_form {
//------------------------------------------------------------------------------------------
$repeated = array();
$repeatedoptions = array();
$repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz'));
$repeatedoptions['unit']['type'] = PARAM_NOTAGS;
$mform->setType('unit', PARAM_NOTAGS);
$repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz'));
$repeatedoptions['multiplier']['type'] = PARAM_NUMBER;
$mform->setType('multiplier', PARAM_NOTAGS);
if (isset($this->question->options)){
$countunits = count($this->question->options->units);
......@@ -66,7 +65,7 @@ class question_edit_numerical_form extends question_edit_form {
$countunits = 0;
}
$repeatsatstart = $countunits + 2;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_numerical'));
$this->repeat_elements($repeated, $repeatsatstart, array(), 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_numerical'));
$firstunit = $mform->getElement('multiplier[0]');
$firstunit->freeze();
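Review bot: `multiplier` is registered as `PARAM_NOTAGS` in the units hunk, although the option line it replaces used `PARAM_NUMBER` and the calculated question form in this same commit uses `PARAM_NUMBER` for the same field. It looks like a copy of the `unit` line above it, and a numeric field cleaned as tag-stripped text lets non-numeric input through to whatever consumes the multiplier. Suggested line: `$mform->setType('multiplier', PARAM_NUMBER);`. The enclosing method continues outside the hunk.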
......
......@@ -40,7 +40,7 @@ class question_edit_shortanswer_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_TEXT;
$mform->setType('answer', PARAM_NOTAGS);
$repeatedoptions['fraction']['default'] = 0;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreanswerblanks', 'qtype_shortanswer'));
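Review bot: The cleaning type for `answer` changes from `PARAM_TEXT` to `PARAM_NOTAGS` on the new `setType()` line, which the commit message does not mention. If the change is intended, record the reason next to it, for example `$mform->setType('answer', PARAM_NOTAGS); // text with no multilang support`, which is the comment the multichoice and missingtype forms carried on their equivalent option lines. If it is not intended, keep `PARAM_TEXT`. The enclosing method starts outside the hunk.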
......