
MDL_11608 The $rename param was obtained with PARAM_NOTAG, I changed …

…that to PARAM_RAW. I also changed the rename field's value to htmlspecialchars($category->name)
1 parent b65f805 commit 2bb9c62bf8755b440eef473506298002c53329d8 nicolasconnault committed Oct 9, 2007
Showing with 3 additions and 3 deletions.
  1. +3 −3 course/category.php
@@ -15,7 +15,7 @@
$moveup = optional_param('moveup', 0, PARAM_INT);
$movedown = optional_param('movedown', 0, PARAM_INT);
$moveto = optional_param('moveto', 0, PARAM_INT);
- $rename = optional_param('rename', '', PARAM_NOTAGS);
+ $rename = optional_param('rename', '', PARAM_RAW);
$resort = optional_param('resort', 0, PARAM_BOOL);
$addsubcategory=optional_param('addsubcategory', '', PARAM_NOTAGS);
@@ -66,7 +66,7 @@
if (has_capability('moodle/category:update', $context)) {
/// Rename the category if requested
if (!empty($rename) and confirm_sesskey()) {
- $category->name = $rename;
+ $category->name = stripslashes_safe($rename);
if (! set_field("course_categories", "name", $category->name, "id", $category->id)) {
notify("An error occurred while renaming the category");
}
@@ -478,7 +478,7 @@
echo '<form id="renameform" action="category.php" method="post"><div>';
echo '<input type="hidden" name="id" value="'.$category->id.'" />';
echo '<input type="hidden" name="sesskey" value="'.$USER->sesskey.'" />';
- echo '<input type="text" size="30" name="rename" value="'.format_string($category->name).'" alt="'.$strrename.'" />';
+ echo '<input type="text" size="30" name="rename" value="'.htmlspecialchars($category->name).'" alt="'.$strrename.'" />';
echo '<input type="submit" value="'.$strrename.'" />';
echo '</div></form>';
echo '<br />';
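Review bot: In the rename branch (second hunk), `$rename` is now read with PARAM_RAW and passed through `stripslashes_safe()` before `set_field()`, so the value reaching the database layer is both unfiltered and unslashed. The implementation of set_field is not visible here; if it builds its UPDATE from a value it expects to arrive already slashed, a name containing a quote character will break or alter the statement, so it looks safer to store the slashed value and unslash only the in-memory copy: `set_field("course_categories", "name", $rename, "id", $category->id)` with `$category->name = stripslashes_safe($rename);` assigned for display. Dropping PARAM_NOTAGS also means the stored name may now contain markup, so every place that prints a category name has to escape it, not only the rename field changed in the last hunk. `$addsubcategory` in the first hunk still uses PARAM_NOTAGS, so a category named at creation and one named by rename are now cleaned differently; a short comment next to the PARAM_RAW line explaining why raw input is accepted would help the next reader. The enclosing blocks start and end outside all three hunks.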
