Commit 3a298174 authored by jamiesensei's avatar jamiesensei

Important security fix: the previous use of ['type'] in the repeatedeloptions array would not have worked.

parent 83b902fe
...@@ -498,9 +498,6 @@ class moodleform { ...@@ -498,9 +498,6 @@ class moodleform {
case 'default' : case 'default' :
$mform->setDefault($realelementname, $params); $mform->setDefault($realelementname, $params);
break; break;
case 'type' :
$mform->setType($realelementname, $params);
break;
case 'helpbutton' : case 'helpbutton' :
$mform->setHelpButton($realelementname, $params); $mform->setHelpButton($realelementname, $params);
break; break;
...@@ -613,7 +610,6 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -613,7 +610,6 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
* @access public * @access public
*/ */
function MoodleQuickForm($formName, $method, $action, $target='', $attributes=null){ function MoodleQuickForm($formName, $method, $action, $target='', $attributes=null){
global $CFG;
static $formcounter = 1; static $formcounter = 1;
HTML_Common::HTML_Common($attributes); HTML_Common::HTML_Common($attributes);
...@@ -739,9 +735,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -739,9 +735,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
} }
} }
$renderer->setAdvancedElements($this->_advancedElements); $renderer->setAdvancedElements($this->_advancedElements);
if (count($this->_advancedElements)){
}
} }
parent::accept($renderer); parent::accept($renderer);
} }
...@@ -803,7 +797,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -803,7 +797,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
$this->_submitFiles = array(); $this->_submitFiles = array();
} else { } else {
if (1 == get_magic_quotes_gpc()) { if (1 == get_magic_quotes_gpc()) {
foreach ($files as $elname=>$file) { foreach (array_keys($files) as $elname) {
// dangerous characters in filenames are cleaned later in upload_manager // dangerous characters in filenames are cleaned later in upload_manager
$files[$elname]['name'] = stripslashes($files[$elname]['name']); $files[$elname]['name'] = stripslashes($files[$elname]['name']);
} }
...@@ -965,7 +959,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -965,7 +959,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
{ {
parent::addGroupRule($group, $arg1, $type, $format, $howmany, $validation, $reset); parent::addGroupRule($group, $arg1, $type, $format, $howmany, $validation, $reset);
if (is_array($arg1)) { if (is_array($arg1)) {
foreach ($arg1 as $elementIndex => $rules) { foreach ($arg1 as $rules) {
foreach ($rules as $rule) { foreach ($rules as $rule) {
$validation = (isset($rule[3]) && 'client' == $rule[3])? 'client': 'server'; $validation = (isset($rule[3]) && 'client' == $rule[3])? 'client': 'server';
...@@ -977,7 +971,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -977,7 +971,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
} elseif (is_string($arg1)) { } elseif (is_string($arg1)) {
if ($validation == 'client') { if ($validation == 'client') {
$this->updateAttributes(array('onsubmit' => 'try { var myValidator = validate_' . $formname . '; } catch(e) { return true; } return myValidator(this);')); $this->updateAttributes(array('onsubmit' => 'try { var myValidator = validate_' . $this->_formName . '; } catch(e) { return true; } return myValidator(this);'));
} }
} }
} // end func addGroupRule } // end func addGroupRule
...@@ -1035,7 +1029,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless { ...@@ -1035,7 +1029,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
} elseif ($dependent) { } elseif ($dependent) {
$element = array(); $element = array();
$element[] =& $this->getElement($elementName); $element[] =& $this->getElement($elementName);
foreach ($rule['dependent'] as $idx => $elName) { foreach ($rule['dependent'] as $elName) {
$element[] =& $this->getElement($elName); $element[] =& $this->getElement($elName);
} }
} else { } else {
......
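Review bot: With the `case 'type'` arm removed from the options switch in the first hunk, an option key that repeat_elements() does not recognise now falls silently out of the switch, which is exactly how the original `'type'` entries went unnoticed until this commit. A `default :` arm that reports the unrecognised key through the file's usual error helper would turn the next misuse into a loud failure instead of an untyped field; the enclosing repeat_elements() starts and ends outside the hunk, so I cannot see whether such an arm already exists. Further down, the corrected `validate_' . $this->_formName` still splices the form name into an inline onsubmit handler unescaped; that is acceptable while form names are developer-chosen identifiers, and a comment stating that assumption, `// _formName is a developer-chosen identifier, never user input: it is spliced into JS unescaped`, would keep it that way.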
...@@ -37,14 +37,14 @@ class mod_choice_mod_form extends moodleform_mod { ...@@ -37,14 +37,14 @@ class mod_choice_mod_form extends moodleform_mod {
} }
$repeateloptions = array(); $repeateloptions = array();
$repeateloptions['limit'] = array( $repeateloptions['limit']['default'] = 0;
'default'=>0, $repeateloptions['limit']['disabledif'] = array('limitanswers', 'eq', 0);
'type'=>PARAM_INT, $mform->setType('limit', PARAM_INT);
'disabledif'=>array('limitanswers', 'eq', 0));
$repeateloptions['option'] = array( $repeateloptions['option']['helpbutton'] = array('options', get_string('modulenameplural', 'choice'), 'choice');
'type'=>PARAM_TEXT, $mform->setType('option', PARAM_TEXT);
'helpbutton'=>array('options', get_string('modulenameplural', 'choice'), 'choice'));
$repeateloptions['optionid'] = array('type'=>PARAM_INT); $mform->setType('optionid', PARAM_INT);
$this->repeat_elements($repeatarray, $repeatno, $this->repeat_elements($repeatarray, $repeatno,
$repeateloptions, 'option_repeats', 'option_add_fields', 3); $repeateloptions, 'option_repeats', 'option_add_fields', 3);
......
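Review bot: The three `$mform->setType()` calls now sit before `repeat_elements()` and name the bare element (`'limit'`, `'option'`, `'optionid'`) rather than any `limit[N]` instance, and nothing in the hunk records why that is the form that works; the commit message explains it, the code does not. A short comment above the first call, `// setType() must use the base name: it covers every repeated limit[N]; 'type' is not a valid repeat option`, would stop a later maintainer moving the types back into $repeateloptions, where they were silently ignored. I am inferring the base-name coverage from the commit message rather than from the form library, which is outside this section, and the enclosing definition() starts before the hunk.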
...@@ -221,17 +221,15 @@ class mod_quiz_mod_form extends moodleform_mod { ...@@ -221,17 +221,15 @@ class mod_quiz_mod_form extends moodleform_mod {
} }
$numfeedbacks = max(count($this->_feedbacks) * 1.5, 5); $numfeedbacks = max(count($this->_feedbacks) * 1.5, 5);
$repeateloptions = array(); $mform->setType('feedbacktext', PARAM_TEXT);
$repeateloptions ['feedbacktext'] = array('type'=>PARAM_TEXT); $mform->setType('feedbackboundaries', PARAM_NOTAGS);
$repeateloptions ['feedbackboundaries'] = array('type'=>PARAM_TEXT);
$nextel=$this->repeat_elements($repeatarray, $numfeedbacks-1, $nextel=$this->repeat_elements($repeatarray, $numfeedbacks-1,
$repeateloptions, 'boundary_repeats', 'boundary_add_fields', 3); array(), 'boundary_repeats', 'boundary_add_fields', 3);
//put some extra elements in before the button //put some extra elements in before the button
$insertEl = &MoodleQuickForm::createElement('text', "feedbacktext[$nextel]", get_string('feedback', 'quiz')); $insertEl = &MoodleQuickForm::createElement('text', "feedbacktext[$nextel]", get_string('feedback', 'quiz'));
$mform->insertElementBefore($insertEl, 'boundary_add_fields'); $mform->insertElementBefore($insertEl, 'boundary_add_fields');
$mform->setType("feedbacktext[$nextel]", PARAM_TEXT);
$insertEl = &MoodleQuickForm::createElement('static', 'gradeboundarystatic2', get_string('gradeboundary', 'quiz'), '0%'); $insertEl = &MoodleQuickForm::createElement('static', 'gradeboundarystatic2', get_string('gradeboundary', 'quiz'), '0%');
$mform->insertElementBefore($insertEl, 'boundary_add_fields'); $mform->insertElementBefore($insertEl, 'boundary_add_fields');
......
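Review bot: The explicit `$mform->setType("feedbacktext[$nextel]", PARAM_TEXT);` that followed the extra insertElementBefore() is removed, so the element inserted after `repeat_elements()` now depends on the earlier base-name `setType('feedbacktext', PARAM_TEXT)` also covering an index the repeat helper never created; if that holds it deserves a comment beside the insert, `// typed by setType('feedbacktext', ...) above`, and if it does not, that field is left untyped. Separately, `feedbackboundaries` moves from PARAM_TEXT to PARAM_NOTAGS with no mention in the commit message; it is a tightening (multilang spans are stripped), which looks right for a boundary value but should be stated. definition() starts before the hunk, so the repeated element list is not visible here.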
...@@ -91,18 +91,17 @@ class question_edit_calculated_form extends question_edit_form { ...@@ -91,18 +91,17 @@ class question_edit_calculated_form extends question_edit_form {
$mform->addGroup($anslengrp, 'anslengrp', get_string('correctanswershows', 'qtype_calculated'), null, false); $mform->addGroup($anslengrp, 'anslengrp', get_string('correctanswershows', 'qtype_calculated'), null, false);
$mform->addElement('htmleditor', 'feedback[0]', get_string('feedback', 'quiz')); $mform->addElement('htmleditor', 'feedback[0]', get_string('feedback', 'quiz'));
$mform->setType('feedback[0]', PARAM_RAW); $mform->setType('feedback', PARAM_RAW);
//------------------------------------------------------------------------------------------ //------------------------------------------------------------------------------------------
$repeated = array(); $repeated = array();
$repeatedoptions = array();
$repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}')); $repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz')); $repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz'));
$repeatedoptions['unit']['type'] = PARAM_NOTAGS; $mform->setType('unit', PARAM_NOTAGS);
$repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz')); $repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz'));
$repeatedoptions['multiplier']['type'] = PARAM_NUMBER; $mform->setType('multiplier', PARAM_NUMBER);
if (isset($this->question->options)){ if (isset($this->question->options)){
$countunits = count($this->question->options->units); $countunits = count($this->question->options->units);
...@@ -110,7 +109,7 @@ class question_edit_calculated_form extends question_edit_form { ...@@ -110,7 +109,7 @@ class question_edit_calculated_form extends question_edit_form {
$countunits = 0; $countunits = 0;
} }
$repeatsatstart = $countunits + 1; $repeatsatstart = $countunits + 1;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_calculated', '{no}')); $this->repeat_elements($repeated, $repeatsatstart, array(), 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_calculated', '{no}'));
$firstunit = $mform->getElement('multiplier[0]'); $firstunit = $mform->getElement('multiplier[0]');
$firstunit->freeze(); $firstunit->freeze();
......
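Review bot: `$mform->setType('feedback', PARAM_RAW)` now types the whole `feedback` array rather than only `feedback[0]`, so every repeated feedback element, if the answer repeat defined before this hunk also has one, is accepted unsanitised. PARAM_RAW on editor input is the normal choice only if the value is always rendered through format_text() or an equivalent at output, and nothing here records that dependency; a comment such as `// PARAM_RAW: editor HTML, must be run through format_text() wherever it is displayed` makes the trust boundary visible. The `unit` and `multiplier` types (PARAM_NOTAGS / PARAM_NUMBER) agree with the numerical form's answer hunk, which is good; definition() starts before this hunk.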
...@@ -37,11 +37,10 @@ class question_edit_match_form extends question_edit_form { ...@@ -37,11 +37,10 @@ class question_edit_match_form extends question_edit_form {
} }
$repeatsatstart = (QUESTION_NUMANS_START > ($countsubquestions + QUESTION_NUMANS_ADD))? $repeatsatstart = (QUESTION_NUMANS_START > ($countsubquestions + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countsubquestions + QUESTION_NUMANS_ADD); QUESTION_NUMANS_START : ($countsubquestions + QUESTION_NUMANS_ADD);
$repeatedoptions = array(); $mform->setType('subanswer', PARAM_TEXT);
$repeatedoptions['subanswer']['type'] = PARAM_TEXT; $mform->setType('subquestion', PARAM_TEXT);
$repeatedoptions['subquestion']['type'] = PARAM_TEXT;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreqblanks', 'qtype_match')); $this->repeat_elements($repeated, $repeatsatstart, array(), 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreqblanks', 'qtype_match'));
} }
......
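Review bot: `subanswer` and `subquestion` keep PARAM_TEXT here while the same commit moves shortanswer's `answer` to PARAM_NOTAGS and the multichoice answers already use PARAM_NOTAGS, and nothing in the hunk says whether the difference is intended. If multilang markup is meant to be allowed in matching pairs, a comment, `// PARAM_TEXT: multilang spans are allowed in matching pairs, unlike shortanswer answers`, would keep the next consistency sweep from changing it; if it is not intended, PARAM_NOTAGS is the consistent choice. The enclosing definition() starts before the hunk.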
...@@ -34,8 +34,8 @@ class question_edit_missingtype_form extends question_edit_form { ...@@ -34,8 +34,8 @@ class question_edit_missingtype_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))? $repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD); QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array(); $repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_NOTAGS;//text with no multilang support
$repeatedoptions['fraction']['default'] = 0; $repeatedoptions['fraction']['default'] = 0;
$mform->setType('answer', PARAM_NOTAGS);
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice')); $this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice'));
} }
......
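Review bot: The replacement `$mform->setType('answer', PARAM_NOTAGS);` drops the `//text with no multilang support` explanation that the removed line carried, so the reason for choosing PARAM_NOTAGS over the PARAM_TEXT used elsewhere in this commit is lost. Keep it on the new line: `$mform->setType('answer', PARAM_NOTAGS); // text with no multilang support`. The call is correctly placed before `repeat_elements()`; definition() starts before the hunk.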
...@@ -45,8 +45,8 @@ class question_edit_multichoice_form extends question_edit_form { ...@@ -45,8 +45,8 @@ class question_edit_multichoice_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))? $repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD); QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array(); $repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_NOTAGS;//text with no multilang support
$repeatedoptions['fraction']['default'] = 0; $repeatedoptions['fraction']['default'] = 0;
$mform->setType('answer', PARAM_NOTAGS);
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice')); $this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmorechoiceblanks', 'qtype_multichoice'));
$mform->addElement('header', 'overallfeedbackhdr', get_string('overallfeedback', 'qtype_multichoice')); $mform->addElement('header', 'overallfeedbackhdr', get_string('overallfeedback', 'qtype_multichoice'));
......
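Review bot: The new `$mform->setType('answer', PARAM_NOTAGS);` loses the `//text with no multilang support` comment from the line it replaces, which was the only record of why answers are tag-stripped rather than PARAM_TEXT. Carry it over: `$mform->setType('answer', PARAM_NOTAGS); // text with no multilang support`. Otherwise the hunk matches the missingtype form's change; definition() starts before the hunk.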
...@@ -27,16 +27,16 @@ class question_edit_numerical_form extends question_edit_form { ...@@ -27,16 +27,16 @@ class question_edit_numerical_form extends question_edit_form {
$repeated[] =& $mform->createElement('header', 'answerhdr', get_string('answerno', 'qtype_numerical', '{no}')); $repeated[] =& $mform->createElement('header', 'answerhdr', get_string('answerno', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'answer', get_string('answer', 'quiz')); $repeated[] =& $mform->createElement('text', 'answer', get_string('answer', 'quiz'));
$repeatedoptions['answer']['type'] = PARAM_NUMBER; $mform->setType('answer', PARAM_NUMBER);
$repeated[] =& $mform->createElement('text', 'tolerance', get_string('acceptederror', 'quiz')); $repeated[] =& $mform->createElement('text', 'tolerance', get_string('acceptederror', 'quiz'));
$repeatedoptions['tolerance']['type'] = PARAM_NUMBER; $mform->setType('tolerance', PARAM_NUMBER);
$repeated[] =& $mform->createElement('select', 'fraction', get_string('grade'), $gradeoptions); $repeated[] =& $mform->createElement('select', 'fraction', get_string('grade'), $gradeoptions);
$repeatedoptions['fraction']['default'] = 0; $repeatedoptions['fraction']['default'] = 0;
$repeated[] =& $mform->createElement('htmleditor', 'feedback', get_string('feedback', 'quiz')); $repeated[] =& $mform->createElement('htmleditor', 'feedback', get_string('feedback', 'quiz'));
$repeatedoptions['feedback']['type'] = PARAM_RAW; $mform->setType('feedback', PARAM_RAW);
if (isset($this->question->options)){ if (isset($this->question->options)){
...@@ -51,14 +51,13 @@ class question_edit_numerical_form extends question_edit_form { ...@@ -51,14 +51,13 @@ class question_edit_numerical_form extends question_edit_form {
//------------------------------------------------------------------------------------------ //------------------------------------------------------------------------------------------
$repeated = array(); $repeated = array();
$repeatedoptions = array();
$repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}')); $repeated[] =& $mform->createElement('header', 'unithdr', get_string('unithdr', 'qtype_numerical', '{no}'));
$repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz')); $repeated[] =& $mform->createElement('text', 'unit', get_string('unit', 'quiz'));
$repeatedoptions['unit']['type'] = PARAM_NOTAGS; $mform->setType('unit', PARAM_NOTAGS);
$repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz')); $repeated[] =& $mform->createElement('text', 'multiplier', get_string('multiplier', 'quiz'));
$repeatedoptions['multiplier']['type'] = PARAM_NUMBER; $mform->setType('multiplier', PARAM_NOTAGS);
if (isset($this->question->options)){ if (isset($this->question->options)){
$countunits = count($this->question->options->units); $countunits = count($this->question->options->units);
...@@ -66,7 +65,7 @@ class question_edit_numerical_form extends question_edit_form { ...@@ -66,7 +65,7 @@ class question_edit_numerical_form extends question_edit_form {
$countunits = 0; $countunits = 0;
} }
$repeatsatstart = $countunits + 2; $repeatsatstart = $countunits + 2;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_numerical')); $this->repeat_elements($repeated, $repeatsatstart, array(), 'nounits', 'addunits', 2, get_string('addmoreunitblanks', 'qtype_numerical'));
$firstunit = $mform->getElement('multiplier[0]'); $firstunit = $mform->getElement('multiplier[0]');
$firstunit->freeze(); $firstunit->freeze();
......
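Review bot: In the second hunk `$mform->setType('multiplier', PARAM_NOTAGS);` replaces the removed `$repeatedoptions['multiplier']['type'] = PARAM_NUMBER;`, so a non-numeric value such as `abc` now passes cleaning for the unit multiplier, while the first hunk types `answer` and `tolerance` as PARAM_NUMBER and the calculated form in this same commit types its `multiplier` as PARAM_NUMBER. This looks like a typo rather than a deliberate loosening; the line should read `$mform->setType('multiplier', PARAM_NUMBER);`. `multiplier[0]` is frozen afterwards, but the remaining multiplier[N] fields are user-editable, so the numeric check matters; definition() extends beyond both hunks.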
...@@ -40,7 +40,7 @@ class question_edit_shortanswer_form extends question_edit_form { ...@@ -40,7 +40,7 @@ class question_edit_shortanswer_form extends question_edit_form {
$repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))? $repeatsatstart = (QUESTION_NUMANS_START > ($countanswers + QUESTION_NUMANS_ADD))?
QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD); QUESTION_NUMANS_START : ($countanswers + QUESTION_NUMANS_ADD);
$repeatedoptions = array(); $repeatedoptions = array();
$repeatedoptions['answer']['type'] = PARAM_TEXT; $mform->setType('answer', PARAM_NOTAGS);
$repeatedoptions['fraction']['default'] = 0; $repeatedoptions['fraction']['default'] = 0;
$this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreanswerblanks', 'qtype_shortanswer')); $this->repeat_elements($repeated, $repeatsatstart, $repeatedoptions, 'noanswers', 'addanswers', QUESTION_NUMANS_ADD, get_string('addmoreanswerblanks', 'qtype_shortanswer'));
......
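Review bot: `$mform->setType('answer', PARAM_NOTAGS);` changes the type from the removed line's PARAM_TEXT as well as moving it out of $repeatedoptions, and neither the hunk nor the commit message says why; because the old `'type'` entry was never applied, the effective behaviour goes from untyped to tag-stripped, which is a visible change for any answer that contained multilang spans. A comment, `// PARAM_NOTAGS: answers are matched as plain text, no multilang markup`, would record the intent, and the commit message should mention the tightening. definition() starts before the hunk.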