// Description.
$mform->addElement('editor', 'description',
get_string('description', 'tool_lp'), array('rows' => 4));
- $mform->setType('description', PARAM_RAW);
+ $mform->setType('description', PARAM_CLEANHTML);
// ID number.
$mform->addElement('text', 'idnumber', get_string('idnumber', 'tool_lp'), 'maxlength="100"');
$mform->setType('idnumber', PARAM_RAW);
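Review bot: PARAM_CLEANHTML on the `description` editor (L5) runs the submitted text through the HTML cleaner whatever format the editor has selected, and the property definitions further down allow FORMAT_PLAIN and FORMAT_MARKDOWN (L46, L70); content in those formats is not HTML and may be altered by the cleaner, so the decision is worth recording, e.g. `// Cleaned as HTML on input regardless of the selected format; output must still go through format_text().` Editor elements submit a text/format array, so the type is presumably applied element-wise by formslib — worth confirming that the format key, cleaned as a string, is still accepted by the PARAM_INT format property it is stored in. The same change appears in the hunks ending at L16, L23, L31 and L38, where the same note applies.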
// Description.
$mform->addElement('editor', 'description',
get_string('description', 'tool_lp'), array('rows' => 4));
- $mform->setType('description', PARAM_RAW);
+ $mform->setType('description', PARAM_CLEANHTML);
// ID number.
$mform->addElement('text', 'idnumber', get_string('idnumber', 'tool_lp'), 'maxlength="100"');
$mform->setType('idnumber', PARAM_RAW);
$mform->addRule('name', get_string('maximumchars', '', 100), 'maxlength', 100, 'client');
// Description.
$mform->addElement('editor', 'description', get_string('plandescription', 'tool_lp'), array('rows' => 4));
- $mform->setType('description', PARAM_RAW);
+ $mform->setType('description', PARAM_CLEANHTML);
$mform->addElement('date_time_selector', 'duedate', get_string('duedate', 'tool_lp'), array('optional' => true));
$mform->addHelpButton('duedate', 'duedate', 'tool_lp');
// Description.
$mform->addElement('editor', 'description',
get_string('description', 'tool_lp'), array('rows' => 4));
- $mform->setType('description', PARAM_RAW);
+ $mform->setType('description', PARAM_CLEANHTML);
$mform->addElement('selectyesno', 'visible',
get_string('visible', 'tool_lp'));
$mform->addElement('date_time_selector',
$mform->addRule('name', get_string('maximumchars', '', 100), 'maxlength', 100, 'client');
// Description.
$mform->addElement('editor', 'description', get_string('userevidencedescription', 'tool_lp'), array('rows' => 10));
- $mform->setType('description', PARAM_RAW);
+ $mform->setType('description', PARAM_CLEANHTML);
$mform->addElement('url', 'url', get_string('userevidenceurl', 'tool_lp'), array('size' => '60'), array('usefilepicker' => false));
$mform->setType('url', PARAM_RAW_TRIMMED); // Can not use PARAM_URL, it silently converts bad URLs to ''.
),
'description' => array(
'default' => '',
- 'type' => PARAM_RAW
+ 'type' => PARAM_CLEANHTML
),
'descriptionformat' => array(
'choices' => array(FORMAT_HTML, FORMAT_MOODLE, FORMAT_PLAIN, FORMAT_MARKDOWN),
'type' => PARAM_RAW
),
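Review bot: The `descriptionformat` entries next to the changed `description` types are typed PARAM_RAW (L47) and PARAM_TEXT (L55, L71), while get_format_field (L85) and the loop at L116 only pair a description with its format field when the format field is PARAM_INT; if these arrays are the persistent property definitions, those descriptions would not be recognised as formatted and the format would not be validated as an integer. If they are external-structure definitions instead, the mismatch is harmless but deserves a comment saying so. For persistent definitions, `'type' => PARAM_INT` with `'default' => FORMAT_HTML` on the format field would make them consistent with the checks; the same change is made at L51, L59, L67 and L75.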
'description' => array(
- 'type' => PARAM_RAW,
+ 'type' => PARAM_CLEANHTML,
'default' => ''
),
'descriptionformat' => array(
'type' => PARAM_TEXT,
),
'description' => array(
- 'type' => PARAM_RAW,
+ 'type' => PARAM_CLEANHTML,
'default' => ''
),
'descriptionformat' => array(
),
'description' => array(
'default' => '',
- 'type' => PARAM_RAW,
+ 'type' => PARAM_CLEANHTML,
),
'descriptionformat' => array(
'choices' => array(FORMAT_HTML, FORMAT_MOODLE, FORMAT_PLAIN, FORMAT_MARKDOWN),
'type' => PARAM_TEXT
),
'description' => array(
- 'type' => PARAM_RAW,
+ 'type' => PARAM_CLEANHTML,
'default' => '',
),
'descriptionformat' => array(
*/
final protected static function get_format_field($definitions, $property) {
$formatproperty = $property . 'format';
- if ($definitions[$property]['type'] == PARAM_RAW && isset($definitions[$formatproperty])
+ if (($definitions[$property]['type'] == PARAM_RAW || $definitions[$property]['type'] == PARAM_CLEANHTML)
+ && isset($definitions[$formatproperty])
&& $definitions[$formatproperty]['type'] == PARAM_INT) {
return $formatproperty;
}
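Review bot: The widened condition at L83 compares the type with loose `==` against two alternatives, and the same pattern is repeated at L92 and L114; a strict membership test is shorter and avoids loose comparison: `$type = $definitions[$property]['type'];` then `if (in_array($type, [PARAM_RAW, PARAM_CLEANHTML], true) && isset($definitions[$formatproperty])`. The new code at L122 already uses `===`, so the comparison style is now mixed within one commit. get_format_field's body continues past the end of the hunk.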
// This is a nested array of more properties.
$thisvalue = self::get_read_structure_from_properties($type, $proprequired, $propdefault);
} else {
- if ($definition['type'] == PARAM_TEXT) {
+ if ($definition['type'] == PARAM_TEXT || $definition['type'] == PARAM_CLEANHTML) {
// PARAM_TEXT always becomes PARAM_RAW because filters may be applied.
$type = PARAM_RAW;
}
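Review bot: The comment at L93 still names only PARAM_TEXT although the condition above it now also maps PARAM_CLEANHTML to PARAM_RAW; suggest `// PARAM_TEXT and PARAM_CLEANHTML become PARAM_RAW because filters may be applied.` The enclosing function starts and ends outside the hunk.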
$data = $this->get_persistent()->to_record();
$class = static::$persistentclass;
$properties = $class::get_formatted_properties();
+ $allproperties = $class::properties_definition();
foreach ($data as $field => $value) {
- // Convert formatted properties.
+ // Clean data if it is to be displayed in a form.
+ if (isset($allproperties[$field]['type'])) {
+ $data->$field = clean_param($data->$field, $allproperties[$field]['type']);
+ }
+
if (isset($properties[$field])) {
$data->$field = array(
'text' => $data->$field,
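Review bot: The new clean_param() call at L104 runs on every field of the record without regard to the property's null setting, so a stored null presumably becomes the type's empty value (0 for PARAM_INT, '' for string types) before it reaches the form; for optional fields such as the `duedate` selector declared with `'optional' => true` (L22) that changes the default the form receives. Guarding the call, `if (isset($allproperties[$field]['type']) && $data->$field !== null) {`, keeps nulls intact while still cleaning real values. The enclosing method starts before the hunk.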
$formatted = array();
foreach ($properties as $property => $definition) {
$propertyformat = $property . 'format';
- if ($definition['type'] == PARAM_RAW && array_key_exists($propertyformat, $properties)
+ if (($definition['type'] == PARAM_RAW || $definition['type'] == PARAM_CLEANHTML)
+ && array_key_exists($propertyformat, $properties)
&& $properties[$propertyformat]['type'] == PARAM_INT) {
$formatted[$property] = $propertyformat;
}
// Validate_param() does not like false with PARAM_BOOL, better to convert it to int.
$value = 0;
}
+ if ($definition['type'] === PARAM_CLEANHTML) {
+ // We silently clean for this type. It may introduce changes even to valid data.
+ $value = clean_param($value, PARAM_CLEANHTML);
+ }
validate_param($value, $definition['type'], $definition['null']);
} catch (invalid_parameter_exception $e) {
$errors[$property] = static::get_property_error_message($property);
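Review bot: The value cleaned at L124 is a local copy used only by validate_param(), which rejects any value that cleaning would change; unless the setter has already cleaned it (outside the hunk), the object still holds the uncleaned string and that is presumably what gets persisted, so validation passes on a copy that differs from the stored data. If the intent is that stored data is clean, write the cleaned value back, e.g. `$this->raw_set($property, $value);` assuming the base class offers that raw setter, and make the reason explicit in the comment: `// validate_param() rejects values that cleaning would alter, so clean first and keep the cleaned value.` The enclosing validation loop and its try block start before the hunk.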