From 34b93e39a64a68e4a676b93ccf2bd87a1d3b5ef8 Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Tue, 11 Jan 2011 21:28:24 +0100
Subject: [PATCH] MDL-25754 improved tag sanitisation and fixed tag autocomplete

---
 lib/moodlelib.php | 8 +++-----
 tag/edit.php | 2 ++
 tag/lib.php | 5 ++++-
 tag/tag_autocomplete.php | 4 +++-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 30eb4212b6d..d59b5f38727 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -792,10 +792,9 @@ function clean_param($param, $type) {
 }
 
 case PARAM_TAG:
- //as long as magic_quotes_gpc is used, a backslash will be a
- //problem, so remove *all* backslash.
- //$param = str_replace('\\', '', $param);
- //remove some nasties
+ // Please note it is not safe to use the tag name directly anywhere,
+ // it must be processed with s(), urlencode() before embedding anywhere.
+ // remove some nasties
 $param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
 //convert many whitespace chars into one
 $param = preg_replace('/\s+/', ' ', $param);
@@ -803,7 +802,6 @@ function clean_param($param, $type) {
 $param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
 return $param;
 
-
 case PARAM_TAGLIST:
 $tags = explode(',', $param);
 $result = array();
diff --git a/tag/edit.php b/tag/edit.php
index 3b41373d45e..306d5576a59 100644
--- a/tag/edit.php
+++ b/tag/edit.php
@@ -55,7 +55,9 @@
 $PAGE->set_context($systemcontext);
 $PAGE->set_blocks_editing_capability('moodle/tag:editblocks');
 $PAGE->set_pagelayout('base');
+$PAGE->requires->yui2_lib('connection');
 $PAGE->requires->yui2_lib('animation');
+$PAGE->requires->yui2_lib('datasource');
 $PAGE->requires->yui2_lib('autocomplete');
 
 $tagname = tag_display_name($tag);
diff --git a/tag/lib.php b/tag/lib.php
index 00533d7134d..ae9e4c0c646 100644
--- a/tag/lib.php
+++ b/tag/lib.php
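Review bot: The new comment on the `+` lines names s() and urlencode() but does not say what the cleaning step still lets through, which is what a caller needs before choosing an escaper; the regex removes only control characters, `<`, `>` and backtick, so quotes, ampersands and (now that the backslash stripping is gone) backslashes all survive in the returned value. Suggest extending the comment to `// Only control characters, <, > and backtick are removed; quotes, & and backslashes remain, so escape per context with s() (HTML) or urlencode() (URL) before output.` One inferred caveat: with the `u` modifier preg_replace() returns null for input that is not valid UTF-8, so a malformed tag appears to come out of PARAM_TAG as an empty string rather than an error, which is worth a test if it is not intended. The enclosing clean_param() starts and ends outside this hunk.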
@@ -599,7 +599,7 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
 
 global $CFG;
 
- if(!isset($tagobject->name)) {
+ if (!isset($tagobject->name)) {
 return '';
 }
 
@@ -612,6 +612,9 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
 $tagname = $tagobject->rawname;
 }
 
+ // clean up a bit just in case the rules change again
+ $tagname = clean_param($tagname, PARAM_TAG);
+
 if ($html == TAG_RETURN_TEXT) {
 return $tagname;
 } else { // TAG_RETURN_HTML
diff --git a/tag/tag_autocomplete.php b/tag/tag_autocomplete.php
index ce8d23c300f..f55c2c3e78e 100644
--- a/tag/tag_autocomplete.php
+++ b/tag/tag_autocomplete.php
@@ -22,6 +22,8 @@
 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
 
+define('AJAX_SCRIPT', true);
+
 require_once('../config.php');
 require_once('lib.php');
 
@@ -35,6 +37,6 @@
 $query = optional_param('query', '', PARAM_RAW);
 if ($similar_tags = tag_autocomplete($query)) {
 foreach ($similar_tags as $tag) {
- echo $tag->name . "\t" . tag_display_name($tag) . "\n";
+ echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
 }
 }
-- 
2.43.0
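Review bot: The added comment `// clean up a bit just in case the rules change again` in the second tag/lib.php hunk does not say what the call guarantees, and a reader may take it for output escaping, which PARAM_TAG is not. Suggest `// Re-apply PARAM_TAG normalisation so names stored under older rules are cleaned on read; this is not HTML escaping, the TAG_RETURN_HTML branch below must still escape.` Whether that branch escapes is outside the hunk and should be confirmed. Note that clean_param() also collapses whitespace and truncates to TAG_MAX_LENGTH, so a stored rawname longer than the limit now displays shortened; presumably intended, but worth stating in the comment. tag_display_name() continues past the end of this hunk.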
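Review bot: In the last tag_autocomplete.php hunk the reason for wrapping `$tag->name` in clean_param() is not stated, and it is the point of the change: PARAM_TAG strips control characters, so a stored name cannot carry the tab and newline that frame this response. Suggest a comment above the echo: `// PARAM_TAG removes control characters, so a name cannot contain the \t and \n separators this response is framed with.` Separately, `$query` is read with PARAM_RAW two lines above and passed straight to tag_autocomplete(); if that helper binds it as a placeholder this is safe, but reading it with PARAM_TAG would normalise it the same way stored names are and narrow what reaches the lookup. The second field is still tag_display_name() with its default HTML return, which this hunk leaves unchanged.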