X-Git-Url: http://git.moodle.org/gw?p=moodle.git;a=blobdiff_plain;f=lib%2Fmoodlelib.php;h=dd9bbef861900c1ae955ed28987dc9b5e891099a;hp=0e0cc3ab7ddac3089e02c866f3e14a21eaab490e;hb=e5654cad1e10d34073e5b06be2f4494846c7779e;hpb=ec9b044d12e8b5e508a951c40c52be09d22e2bf9
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 0e0cc3ab7dd..dd9bbef8619 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -792,10 +792,9 @@ function clean_param($param, $type) {
 }
 case PARAM_TAG:
- //as long as magic_quotes_gpc is used, a backslash will be a
- //problem, so remove *all* backslash.
- //$param = str_replace('\\', '', $param);
- //remove some nasties
+ // Please note it is not safe to use the tag name directly anywhere,
+ // it must be processed with s(), urlencode() before embedding anywhere.
+ // remove some nasties
 $param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
 //convert many whitespace chars into one
 $param = preg_replace('/\s+/', ' ', $param);
@@ -803,7 +802,6 @@ function clean_param($param, $type) {
 $param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
 return $param;
-
 case PARAM_TAGLIST:
 $tags = explode(',', $param);
 $result = array();
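Review bot: The new caveat above the first `preg_replace` in the `PARAM_TAG` case reads as if `s()` and `urlencode()` were applied together, and it does not say which characters survive cleaning. The pattern on the following line strips only control characters, `<`, `>` and the backtick, so quotes, `&` and backslashes pass through unchanged; I would state that and tie each escaper to its output context, e.g. `// Cleaned tags may still contain quotes, & and backslashes:` followed by `// escape with s() when printing into HTML and with urlencode() when building a URL.` Callers are more likely to read the documentation of the `PARAM_TAG` constant than this switch, so the same warning probably belongs there too; that declaration is outside the hunk, so I cannot tell whether it already carries it. `clean_param()` starts and ends outside the hunk.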