From 5a5f95e843dbbefac45dd5c52cac27301e5b4c96 Mon Sep 17 00:00:00 2001 From: Mathew May Date: Mon, 10 Aug 2020 11:39:37 +0800 Subject: [PATCH] MDL-69240 tool_moodlenet: Clean MoodleNet profile field Amended by: Eloy Lafuente (stronk7) - adjust versions for every branch. - modify verify_webfinger->profileurl external to PARAM_NOTAGS. --- admin/tool/moodlenet/classes/external.php | 2 +- .../tool/moodlenet/classes/profile_manager.php | 4 ++-- admin/tool/moodlenet/db/upgrade.php | 18 ++++++++++++++++++ admin/tool/moodlenet/version.php | 2 +- lang/en/user.php | 1 + user/editlib.php | 3 ++- 6 files changed, 25 insertions(+), 5 deletions(-) diff --git a/admin/tool/moodlenet/classes/external.php b/admin/tool/moodlenet/classes/external.php index 5fbfd2052d816..b2286381f8682 100644 --- a/admin/tool/moodlenet/classes/external.php +++ b/admin/tool/moodlenet/classes/external.php @@ -52,7 +52,7 @@ class external extends external_api { public static function verify_webfinger_parameters() { return new external_function_parameters( array( - 'profileurl' => new external_value(PARAM_RAW, 'The profile url that the user has given us', VALUE_REQUIRED), + 'profileurl' => new external_value(PARAM_NOTAGS, 'The profile url that the user has given us', VALUE_REQUIRED), 'course' => new external_value(PARAM_INT, 'The course we are adding to', VALUE_REQUIRED), 'section' => new external_value(PARAM_INT, 'The section within the course we are adding to', VALUE_REQUIRED), ) diff --git a/admin/tool/moodlenet/classes/profile_manager.php b/admin/tool/moodlenet/classes/profile_manager.php index f1a922adac642..49027fdc59d56 100644 --- a/admin/tool/moodlenet/classes/profile_manager.php +++ b/admin/tool/moodlenet/classes/profile_manager.php 
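Review bot: PARAM_NOTAGS on `profileurl` only strips HTML tags from the submitted string; it does not check that what remains is the WebFinger identifier the parameter description (and the help string added elsewhere in this patch) promise, so arbitrary text still satisfies this declaration and reaches whatever lookup the corresponding execute function performs on it. Tag stripping is output hygiene, whereas an external parameter declaration is the place to reject malformed input: a shape check in the function body such as `if (!preg_match('~^(acct:|https?://)~i', $params['profileurl'])) { throw new \invalid_parameter_exception('profileurl'); }` would fail fast instead of forwarding junk to a network lookup. The execute function is not in this hunk, so treat this as a suggestion about where the check belongs rather than a claim that none exists.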
@@ -46,7 +46,7 @@ public static function get_moodlenet_user_profile(int $userid): ?moodlenet_user_ $user = \core_user::get_user($userid, 'moodlenetprofile'); try { $userprofile = $user->moodlenetprofile ? $user->moodlenetprofile : ''; - return (isset($user)) ? new moodlenet_user_profile($userprofile, $userid) : null; + return (isset($user)) ? new moodlenet_user_profile(s($userprofile), $userid) : null; } catch (\moodle_exception $e) { // If an exception is thrown, means there isn't a valid profile set. No need to log exception. return null; @@ -59,7 +59,7 @@ public static function get_moodlenet_user_profile(int $userid): ?moodlenet_user_ if ($field->get_category_name() == self::get_category_name() && $field->inputname == 'profile_field_mnetprofile') { try { - return new moodlenet_user_profile($field->display_data(), $userid); + return new moodlenet_user_profile(s($field->display_data()), $userid); } catch (\moodle_exception $e) { // If an exception is thrown, means there isn't a valid profile set. No need to log exception. return null; diff --git a/admin/tool/moodlenet/db/upgrade.php b/admin/tool/moodlenet/db/upgrade.php index 0442276c116f7..c3f696a748c16 100644 --- a/admin/tool/moodlenet/db/upgrade.php +++ b/admin/tool/moodlenet/db/upgrade.php @@ -105,5 +105,23 @@ function xmldb_tool_moodlenet_upgrade(int $oldversion) { // Automatically generated Moodle v3.9.0 release upgrade line. // Put any upgrade step following this. + if ($oldversion < 2021052501) { + + // Find out if there are users with MoodleNet profiles set. + $sql = "SELECT u.* + FROM {user} u + WHERE u.moodlenetprofile IS NOT NULL"; + + $records = $DB->get_records_sql($sql); + + foreach ($records as $record) { + // Force clean user value just incase there is something malicious. + $record->moodlenetprofile = clean_text($record->moodlenetprofile, PARAM_NOTAGS); + $DB->update_record('user', $record); + } + + upgrade_plugin_savepoint(true, 2021052501, 'tool', 'moodlenet'); + } + return true; } 
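Review bot: `s()` HTML-encodes the stored value before it is handed to `moodlenet_user_profile`, which bakes output escaping into the domain object: if that class uses the string as a WebFinger identifier or for host parsing, `&amp;`/`&quot;` sequences corrupt it, and if it is later rendered through a template that escapes again it is double-encoded. The choice consistent with the rest of this patch is `clean_param($userprofile, PARAM_NOTAGS)` here and escaping only at the point of output. Separately, `isset($user)` on the changed line is evaluated after `$user->moodlenetprofile` has already been dereferenced on the preceding line, so it cannot guard against `core_user::get_user()` returning no user; moving that guard ahead of the read would make it effective. The enclosing `get_moodlenet_user_profile()` starts before this hunk.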
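Review bot: `$field->display_data()` returns the custom profile field's display-formatted value, i.e. text already prepared for rendering, and wrapping it in `s()` escapes it a second time before the `moodlenet_user_profile` constructor sees it, so a stored `acct:` or https identifier arrives with entities rather than the characters the user entered. If the object needs the identifier itself, the raw field data cleaned the same way the form now cleans it, `clean_param($field->data, PARAM_NOTAGS)`, is the safer input, with HTML escaping left to the renderer. `moodlenet_user_profile` is not visible from this hunk, so whether it parses the value or only echoes it decides how much this matters; the enclosing `get_moodlenet_user_profile()` starts before the hunk.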
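Review bot: `clean_text()` takes a text format (FORMAT_HTML, FORMAT_PLAIN, …) as its second argument, not a PARAM_* type, so passing PARAM_NOTAGS does not strip tags as the comment claims; the value is run through the HTML purifier, which keeps permitted markup, leaving existing rows in a different canonical form from what the form and the external function now accept. The call that does what the comment intends is `clean_param($record->moodlenetprofile, PARAM_NOTAGS)`. The step also loads `u.*` for every matching user into memory and writes the whole record back with `update_record()`, which on a large site is slow and rewrites every column of each user row; a recordset over `id, moodlenetprofile` with `set_field()` only when the value actually changed keeps the step bounded and touches nothing else. `xmldb_tool_moodlenet_upgrade()` starts before this hunk.
```php
    if ($oldversion < 2021052501) {
        // Pull only the columns needed. clean_param() with PARAM_NOTAGS is what the
        // user edit form and the external function apply, so stored values end up
        // in the same canonical form (clean_text() expects a FORMAT_* constant, not a PARAM_* type).
        $rs = $DB->get_recordset_select('user', 'moodlenetprofile IS NOT NULL', null, '', 'id, moodlenetprofile');
        foreach ($rs as $record) {
            $cleaned = clean_param($record->moodlenetprofile, PARAM_NOTAGS);
            if ($cleaned !== $record->moodlenetprofile) {
                // Write back only the one column, and only when stripping changed something.
                $DB->set_field('user', 'moodlenetprofile', $cleaned, ['id' => $record->id]);
            }
        }
        $rs->close();

        // … unchanged: upgrade_plugin_savepoint …
    }
```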
diff --git a/admin/tool/moodlenet/version.php b/admin/tool/moodlenet/version.php index 7a3d19f15b751..539a58d362a9d 100644 --- a/admin/tool/moodlenet/version.php +++ b/admin/tool/moodlenet/version.php @@ -25,6 +25,6 @@ defined('MOODLE_INTERNAL') || die(); $plugin->component = 'tool_moodlenet'; -$plugin->version = 2021052500; +$plugin->version = 2021052501; $plugin->requires = 2021052500; $plugin->maturity = MATURITY_ALPHA; diff --git a/lang/en/user.php b/lang/en/user.php index 9c28d5e7373a6..9da847621b673 100644 --- a/lang/en/user.php +++ b/lang/en/user.php @@ -36,6 +36,7 @@ $string['match'] = 'Match'; $string['matchofthefollowing'] = 'of the following:'; $string['moodlenetprofile'] = 'MoodleNet profile'; +$string['moodlenetprofile_help'] = 'This field is to link your MoodleNet profile to Moodle. It expects a WebFinger compliant URI'; $string['placeholdertypeorselect'] = 'Type or select...'; $string['placeholdertype'] = 'Type...'; $string['privacy:courserequestpath'] = 'Requested courses'; diff --git a/user/editlib.php b/user/editlib.php index b3ec83811a992..9704a789e82ec 100644 --- a/user/editlib.php +++ b/user/editlib.php @@ -301,7 +301,8 @@ function useredit_shared_definition(&$mform, $editoroptions, $filemanageroptions $mform->addHelpButton('maildisplay', 'emaildisplay'); $mform->addElement('text', 'moodlenetprofile', get_string('moodlenetprofile', 'user')); - $mform->setType('moodlenetprofile', PARAM_RAW_TRIMMED); + $mform->setType('moodlenetprofile', PARAM_NOTAGS); + $mform->addHelpButton('moodlenetprofile', 'moodlenetprofile', 'user'); $mform->addElement('text', 'city', get_string('city'), 'maxlength="120" size="21"'); $mform->setType('city', PARAM_TEXT);
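Review bot: PARAM_RAW_TRIMMED trimmed surrounding whitespace and PARAM_NOTAGS does not, so after this change an identifier pasted with a trailing space or newline is stored verbatim and later handed to the WebFinger lookup as-is; the help text added here promises a compliant URI, but nothing in the form enforces that shape. Since there is no trimming variant of PARAM_NOTAGS, trim and shape-check the value where the submitted profile data is validated (rejecting anything that is not `acct:`/`https://`), and consider a `maxlength` rule on the element matching the `user.moodlenetprofile` column length, which is not visible from here. The enclosing `useredit_shared_definition()` starts before this hunk.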