MDL-25754 improved tag sanitisation and fixed tag autocomplete

moodle · Jan 13, 2011 · 34b93e3 · 34b93e3
1 parent 5a7f931
commit 34b93e3
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -792,18 +792,16 @@ function clean_param($param, $type) {
             }
 
         case PARAM_TAG:
-            //as long as magic_quotes_gpc is used, a backslash will be a
-            //problem, so remove *all* backslash.
-            //$param = str_replace('\\', '', $param);
-            //remove some nasties
+            // Please note it is not safe to use the tag name directly anywhere,
+            // it must be processed with s(), urlencode() before embedding anywhere.
+            // remove some nasties
             $param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
             //convert many whitespace chars into one
             $param = preg_replace('/\s+/', ' ', $param);
             $textlib = textlib_get_instance();
             $param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
             return $param;
 
-
         case PARAM_TAGLIST:
             $tags = explode(',', $param);
             $result = array();

diff --git a/tag/edit.php b/tag/edit.php
@@ -55,7 +55,9 @@
 $PAGE->set_blocks_editing_capability('moodle/tag:editblocks');
 $PAGE->set_pagelayout('base');
 
+$PAGE->requires->yui2_lib('connection');
 $PAGE->requires->yui2_lib('animation');
+$PAGE->requires->yui2_lib('datasource');
 $PAGE->requires->yui2_lib('autocomplete');
 
 $tagname = tag_display_name($tag);

diff --git a/tag/lib.php b/tag/lib.php
@@ -599,7 +599,7 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
 
     global $CFG;
 
-    if(!isset($tagobject->name)) {
+    if (!isset($tagobject->name)) {
         return '';
     }
 
@@ -612,6 +612,9 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
         $tagname = $tagobject->rawname;
     }
 
+    // clean up a bit just in case the rules change again
+    $tagname = clean_param($tagname, PARAM_TAG);
+
     if ($html == TAG_RETURN_TEXT) {
         return $tagname;
     } else { // TAG_RETURN_HTML

diff --git a/tag/tag_autocomplete.php b/tag/tag_autocomplete.php
@@ -22,6 +22,8 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
+define('AJAX_SCRIPT', true);
+
 require_once('../config.php');
 require_once('lib.php');
 
@@ -35,6 +37,6 @@
 
 if ($similar_tags = tag_autocomplete($query)) {
     foreach ($similar_tags as $tag) {
-        echo $tag->name . "\t" . tag_display_name($tag) . "\n";
+        echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
     }
 }