MDL-61196 message_popup: clean params before returning via WS
authorMark Nelson <markn@moodle.com>
Fri, 9 Feb 2018 09:31:38 +0000 (17:31 +0800)
committerMark Nelson <markn@moodle.com>
Fri, 9 Feb 2018 09:35:51 +0000 (17:35 +0800)
message/output/popup/classes/output/popup_notification.php

index 215b779..0644a22 100644 (file)
@@ -70,6 +70,10 @@ class popup_notification implements templatable, renderable {
         $context->timecreatedpretty = get_string('ago', 'message', format_time(time() - $context->timecreated));
         $context->text = message_format_message_text($context);
         $context->read = $context->timeread ? true : false;
+
+        // Need to strip any HTML from these.
+        $context->subject = clean_param($context->subject, PARAM_TEXT);
+        $context->contexturlname = clean_param($context->contexturlname, PARAM_TEXT);
         $context->shortenedsubject = shorten_text($context->subject, 125);
 
         if (!empty($context->component) && substr($context->component, 0, 4) == 'mod_') {
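Review bot: `clean_param(..., PARAM_TEXT)` on `subject` and `contexturlname` strips tags but is not output encoding, and the added comment gives neither the reason nor that limit. PARAM_TEXT keeps multilang spans and does not entity-encode characters such as `&` or quotes, so a template or web service client that prints these fields unescaped, particularly inside an HTML attribute, would presumably still need its own escaping. I would reword the comment to `// Strip HTML from fields that may carry user-supplied content before they are returned via the web service; consumers must still escape on output.` The hunk leaves `$context->text` to `message_format_message_text()`, whose cleaning is not visible here, so it is worth confirming that field gets equivalent treatment. The enclosing method starts and ends outside the hunk.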