MDL-62889 message_popup: redirect to notification page if url is empty
authorMark Nelson <markn@moodle.com>
Wed, 11 Jul 2018 05:29:18 +0000 (13:29 +0800)
committerMark Nelson <markn@moodle.com>
Tue, 17 Jul 2018 03:54:52 +0000 (11:54 +0800)
If you pass a URL that is not a valid URL (for example
';') it is cleaned to an empty string which redirects to
$CFG->wwwroot/message/output/popup/ which is not a valid
page.

message/output/popup/mark_notification_read.php

index ad92b37..f2dd609 100644 (file)
@@ -31,9 +31,14 @@ if (isguestuser()) {
 }
 
 $notificationid = required_param('notificationid', PARAM_INT);
-$redirecturl = optional_param('redirecturl', $CFG->wwwroot, PARAM_URL);
+$redirecturl = optional_param('redirecturl', '', PARAM_URL);
 $notification = $DB->get_record('notifications', array('id' => $notificationid));
 
+// If the redirect URL after filtering is empty, or it was never passed, then redirect to the notification page.
+if (empty($redirecturl)) {
+    $redirecturl = new moodle_url('/message/output/popup/notifications.php', ['notificationid' => $notificationid]);
+}
+
 // Check notification belongs to this user.
 if ($USER->id != $notification->useridto) {
     redirect($CFG->wwwroot);
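Review bot: `redirecturl` on the changed `optional_param()` line is still cleaned with `PARAM_URL`, which checks that the value is a well-formed URL but not that it points at this site, so the new empty-string fallback fixes the broken-page case while an off-site destination supplied in the request is still accepted. The redirect that consumes `$redirecturl` lies below this hunk, so this is inferred from the variable name and the commit message; if the value reaches `redirect()` unchanged, a link to this script can forward a logged-in user to an external host. Consider `$redirecturl = optional_param('redirecturl', '', PARAM_LOCALURL);`, which cleans non-local URLs to an empty string and so falls through to the notifications-page default added here. Separately, `$DB->get_record()` returns false for an unknown id, so `$notification->useridto` in the ownership check reads a property of a non-object; an explicit `if (!$notification)` guard before that comparison would make the path deliberate.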