MDL-64651 comments: Do not send referrer

Use blanktarget option on all comments to prevent malicious links.
moodle · Mar 5, 2019 · 1fc481d · 1fc481d
1 parent cd3060d
commit 1fc481d
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/comment/classes/external.php b/comment/classes/external.php
@@ -102,6 +102,7 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite
         if ($comments === false) {
             throw new moodle_exception('nopermissions', 'error', '', 'view comments');
         }
+        $options = array('blanktarget' => true);
 
         foreach ($comments as $key => $comment) {
 
@@ -110,7 +111,8 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite
                                                                                                  $context->id,
                                                                                                  $params['component'],
                                                                                                  '',
-                                                                                                 0);
+                                                                                                 0,
+                                                                                                 $options);
         }
 
         $results = array(

diff --git a/comment/lib.php b/comment/lib.php
@@ -570,7 +570,7 @@ public function get_comments($page = '') {
         $params['itemid'] = $this->itemid;
 
         $comments = array();
-        $formatoptions = array('overflowdiv' => true);
+        $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
         $rs = $DB->get_recordset_sql($sql, $params, $start, $perpage);
         foreach ($rs as $u) {
             $c = new stdClass();
@@ -717,7 +717,8 @@ public function add($content, $format = FORMAT_MOODLE) {
             $newcmt->fullname = fullname($USER);
             $url = new moodle_url('/user/view.php', array('id' => $USER->id, 'course' => $this->courseid));
             $newcmt->profileurl = $url->out();
-            $newcmt->content = format_text($newcmt->content, $newcmt->format, array('overflowdiv'=>true));
+            $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
+            $newcmt->content = format_text($newcmt->content, $newcmt->format, $formatoptions);
             $newcmt->avatar = $OUTPUT->user_picture($USER, array('size'=>16));
 
             $commentlist = array($newcmt);

diff --git a/comment/locallib.php b/comment/locallib.php
@@ -68,7 +68,7 @@ function get_comments($page) {
                        ON u.id=c.userid
               ORDER BY c.timecreated ASC";
         $rs = $DB->get_recordset_sql($sql, null, $start, $this->perpage);
-        $formatoptions = array('overflowdiv' => true);
+        $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
         foreach ($rs as $item) {
             // Set calculated fields
             $item->fullname = fullname($item);