MDL-60233 mod_assign: Avoid HTML in the item field of external warnings
authorJuan Leyva <juanleyvadelgado@gmail.com>
Tue, 26 Sep 2017 09:43:46 +0000 (11:43 +0200)
committerJuan Leyva <juanleyvadelgado@gmail.com>
Tue, 26 Sep 2017 10:12:50 +0000 (12:12 +0200)
The item field is defined as PARAM_TEXT (no HTML tags allowed except
for multilang).
Using the s that add quotes to HTML characters we avoid potential Web
Services invalid parameters errors.

mod/assign/externallib.php

index adb0a79..c4059c9 100644 (file)
@@ -62,7 +62,7 @@ class mod_assign_external extends external_api {
             $message = 'Unknown warning type.';
         }
 
-        return array('item'=>$detail,
+        return array('item' => s($detail),
                      'itemid'=>$assignmentid,
                      'warningcode'=>$warningcode,
                      'message'=>$message);