}
case PARAM_TAG:
- //as long as magic_quotes_gpc is used, a backslash will be a
- //problem, so remove *all* backslash.
- //$param = str_replace('\\', '', $param);
- //remove some nasties
+ // Please note it is not safe to use the tag name directly anywhere,
+ // it must be processed with s(), urlencode() before embedding anywhere.
+ // remove some nasties
$param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
//convert many whitespace chars into one
$param = preg_replace('/\s+/', ' ', $param);
$param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
return $param;
-
case PARAM_TAGLIST:
$tags = explode(',', $param);
$result = array();
$PAGE->set_blocks_editing_capability('moodle/tag:editblocks');
$PAGE->set_pagelayout('base');
+$PAGE->requires->yui2_lib('connection');
$PAGE->requires->yui2_lib('animation');
+$PAGE->requires->yui2_lib('datasource');
$PAGE->requires->yui2_lib('autocomplete');
$tagname = tag_display_name($tag);
global $CFG;
- if(!isset($tagobject->name)) {
+ if (!isset($tagobject->name)) {
return '';
}
$tagname = $tagobject->rawname;
}
+ // clean up a bit just in case the rules change again
+ $tagname = clean_param($tagname, PARAM_TAG);
+
if ($html == TAG_RETURN_TEXT) {
return $tagname;
} else { // TAG_RETURN_HTML
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
+define('AJAX_SCRIPT', true);
+
require_once('../config.php');
require_once('lib.php');
if ($similar_tags = tag_autocomplete($query)) {
foreach ($similar_tags as $tag) {
- echo $tag->name . "\t" . tag_display_name($tag) . "\n";
+ echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
}
}
