MDL-66228 mod_lesson: ensure return URL parameters are always local.
authorPaul Holden <paulh@moodle.com>
Wed, 24 Jul 2019 10:46:31 +0000 (11:46 +0100)
committerJenkins <jenkins@worker07.test.in.moodle.com>
Tue, 5 Nov 2019 12:44:37 +0000 (13:44 +0100)
mod/lesson/editpage.php
mod/lesson/locallib.php

index 7f7bef8..1e28d9e 100644 (file)
@@ -32,8 +32,11 @@ $pageid = required_param('pageid', PARAM_INT);
 $id     = required_param('id', PARAM_INT);         // Course Module ID
 $qtype  = optional_param('qtype', 0, PARAM_INT);
 $edit   = optional_param('edit', false, PARAM_BOOL);
-$returnto = optional_param('returnto', null, PARAM_URL);
-if (empty($returnto)) {
+$returnto = optional_param('returnto', null, PARAM_LOCALURL);
+
+if (!empty($returnto)) {
+    $returnto = new moodle_url($returnto);
+} else {
     $returnto = new moodle_url('/mod/lesson/edit.php', array('id' => $id));
     $returnto->set_anchor('lesson-' . $pageid);
 }
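Review bot: The reason for the `PARAM_LOCALURL` switch on the `$returnto` line is not recorded in the code, so a later maintainer could loosen it back to `PARAM_URL` without realising the redirect target is attacker-supplied; I would add a why-comment above it: `// Only accept a return URL on this site: PARAM_LOCALURL cleans off-site targets to '', so returnto cannot be used as an open redirect; a rejected value falls through to the default edit.php URL below.` That fail-closed fallback via the `else` branch is the property worth stating, since the rejection is silent rather than an error. Wrapping the cleaned string in `new moodle_url()` also means whatever later consumes `$returnto` (presumably a `redirect()`) now receives an object rather than a raw string; that consumer is outside this hunk, so I could not confirm it. The top-level script continues past the hunk.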
index 7ce6b74..30a8d4b 100644 (file)
@@ -584,7 +584,7 @@ function lesson_add_header_buttons($cm, $context, $extraeditbuttons=false, $less
                 'id'       => $cm->id,
                 'pageid'   => $lessonpageid,
                 'edit'     => 1,
-                'returnto' => $PAGE->url->out(false)
+                'returnto' => $PAGE->url->out_as_local_url(false)
             ));
             $PAGE->set_button($OUTPUT->single_button($url, get_string('editpagecontent', 'lesson')));
         }
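Review bot: `$PAGE->url->out_as_local_url(false)` on the `returnto` line is the right shape for a value that editpage.php now re-reads as PARAM_LOCALURL, but as I recall out_as_local_url() throws a coding_exception when the page URL is not under $CFG->wwwroot, which is a behaviour change from `out()` should this helper ever run on a page whose URL was set to an external address. That should hold for lesson pages, but a one-line comment would save the next reader the trip: `// Local (wwwroot-relative) form of the current page URL so editpage.php can accept it as PARAM_LOCALURL.` lesson_add_header_buttons() starts and ends outside the hunk.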
@@ -1363,7 +1363,7 @@ abstract class lesson_add_page_form_base extends moodleform {
 
         if (!empty($this->_customdata['returnto'])) {
             $mform->addElement('hidden', 'returnto', $this->_customdata['returnto']);
-            $mform->setType('returnto', PARAM_URL);
+            $mform->setType('returnto', PARAM_LOCALURL);
         }
 
         $mform->addElement('hidden', 'id');
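Review bot: The hidden `returnto` field is re-submitted by the browser, so the `PARAM_LOCALURL` on the `setType` line is the check that actually protects the post-save redirect, while the customdata value on the line above only seeds the initial render; a comment would keep that distinction visible: `// Re-validated on submit: the hidden field is client-controlled, so only local URLs are accepted.` If the `returnto` customdata is now a moodle_url object rather than a string (editpage.php builds one in the same commit), it is presumably stringified to an absolute URL under wwwroot when rendered, which PARAM_LOCALURL should still accept, but that round trip is worth confirming with a form test. The enclosing method of lesson_add_page_form_base starts before the hunk and continues after it.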