Permalink
Browse files

new security features added acceptGet, optional_param, required_param…

…, clean_param, methods added to form class
  • Loading branch information...
1 parent 5f2256f commit 42f248e6591b735576d52a2de17deba6c52fbbc6 jamiesensei committed Sep 27, 2006
Showing with 87 additions and 27 deletions.
  1. +87 −27 lib/formslib.php
View
@@ -110,7 +110,7 @@ function getReqHTML(){
*
* @access public
*/
- function addHelpButtons($buttons, $suppresscheck=false){
+ function setHelpButtons($buttons, $suppresscheck=false){
foreach ($this->_elements as $no => $element){
if (array_key_exists($element->getName(), $buttons)){
@@ -131,33 +131,70 @@ function addHelpButtons($buttons, $suppresscheck=false){
print_error('nonexistentformelements', 'form', '', join(', ', array_keys($buttons)));
}
}
- /**
- * Applies a data filter for the given field(s)
- * We can use any PARAM_
- *
- * @param mixed $element Form element name or array of such names
- * @param mixed $filter Callback, either function name or array(&$object, 'method') or PARAM_ integer
- * @since 2.0
- * @access public
- */
- function applyFilter($element, $filter){
- if (is_numeric($filter)){
- $filter=create_function('$value', "clean_param(\$value, $filter);");
+ function acceptGet(){
+ $names=func_get_args();
+ foreach ($names as $name){
+ //if no form data is submitted then the page has just beeen loaded
+ //so we get the page param value from $_GET
+ if (!$this->_flagSubmitted && isset($_GET[$name])){
+ $this->_submitValues[$name]=$_GET[$name];
+ }
}
- parent::applyFilter($element, $filter);
}
+ function required_param($element, $paramtype){
+ $value = $this->getSubmitValue($element);
+ if (null !== $value) {
+ if (false === strpos($element, '[')) {
+ return $this->_submitValues[$element] = $this->_clean_param($value, $paramtype);
+ } else {
+ $idx = "['" . str_replace(array(']', '['), array('', "']['"), $element) . "']";
+ eval("return \$this->_submitValues{$idx} = \$this->_clean_param(\$value, \$paramtype);");
+ }
+ }else{
+ //could print name of param but better not to for security?
+ print_error('missingrequiredfield', 'error');
+ }
+ }
+ function optional_param($element, $default, $paramtype){
+ $value = $this->getSubmitValue($element);
+ if (null === $value) {
+ return $default;
+ }
+ if (false === strpos($element, '[')) {
+ return $this->_submitValues[$element] = $this->_clean_param($value, $paramtype);
+ } else {
+ $idx = "['" . str_replace(array(']', '['), array('', "']['"), $element) . "']";
+ eval("return \$this->_submitValues{$idx} = \$this->_clean_param(\$value, \$paramtype);");
+ }
+ }
+ function clean_param($elementList, $paramtype){
+ $value = $this->getSubmitValue($element);
+ if (false === strpos($element, '[')) {
+ return $this->_submitValues[$element] = $this->_clean_param($value, $paramtype);
+ } else {
+ $idx = "['" . str_replace(array(']', '['), array('', "']['"), $element) . "']";
+ eval("return \$this->_submitValues{$idx} = \$this->_clean_param(\$value, \$paramtype);");
+ }
+ }
+ function _clean_param($value, $paramtype){
+ //clean_param function in moodlelib expects vars with slashes
+ $value=$this->_recursiveFilter('addslashes', $value);
+ $value=clean_param($value, $paramtype);
+ return $this->_recursiveFilter('stripslashes', $value);
+ }
+
function exportValue($element, $addslashes=true){
$unfiltered=parent::exportValue($element);
if ($addslashes){
- return HTML_QuickForm::_recursiveFilter('addslashes',$unfiltered);
+ return $this->_recursiveFilter('addslashes',$unfiltered);
} else {
return $unfiltered;
}
}
- function exportValues($elementList, $addslashes=true){
+ function exportValues($elementList= null, $addslashes=true){
$unfiltered=parent::exportValues($elementList);
if ($addslashes){
- return HTML_QuickForm::_recursiveFilter('addslashes',$unfiltered);
+ return $this->_recursiveFilter('addslashes',$unfiltered);
} else {
return $unfiltered;
}
@@ -181,10 +218,37 @@ class moodleform_renderer extends HTML_QuickForm_Renderer_Tableless{
* @access private
*/
var $_elementTemplates;
+
+// uncomment this and edit formslib.php below for
+// ol li containers for form items.
+
+// /**
+// * Template used when opening a hidden fieldset
+// * (i.e. a fieldset that is opened when there is no header element)
+// * @var string
+// * @access private
+// */
+// var $_openHiddenFieldsetTemplate = "\n\t<fieldset class=\"hidden\">\n\t\t<ol>";
+// /**
+// * Header Template string
+// * @var string
+// * @access private
+// */
+// var $_headerTemplate =
+// "\n\t\t<legend>{header}</legend>\n\t\t<ol>";
+// /**
+// * Template used when closing a fieldset
+// * @var string
+// * @access private
+// */
+// var $_closeFieldsetTemplate = "\n\t\t</ol>\n\t</fieldset>";
+
var $_htmleditors=array();
function moodleform_renderer(){
+ // switch next two lines for ol li containers for form items.
+ // $this->_elementTemplates=array('default'=>"\n\t\t<li class=\"qfrow\"><label class=\"qflabel\">{label}{help}<!-- BEGIN required -->{req}<!-- END required --></label><div class=\"qfelement<!-- BEGIN error --> error<!-- END error --> {type}\"><!-- BEGIN error --><span class=\"error\">{error}</span><br /><!-- END error -->{element}</div></li>");
$this->_elementTemplates=array('default'=>"\n\t\t<div class=\"qfrow\"><label class=\"qflabel\">{label}{help}<!-- BEGIN required -->{req}<!-- END required --></label><div class=\"qfelement<!-- BEGIN error --> error<!-- END error --> {type}\"><!-- BEGIN error --><span class=\"error\">{error}</span><br /><!-- END error -->{element}</div></div>",
- 'wide'=>"\n\t\t<div class=\"qfrow\"><label class=\"qflabel\">{label}{help}<!-- BEGIN required -->{req}<!-- END required --></label><br /><div class=\"qfelementwide<!-- BEGIN error --> error<!-- END error --> {type}\"><!-- BEGIN error --><span class=\"error\">{error}</span><br /><!-- END error -->{element}</span></div>");
+ 'fieldset'=>"\n\t\t<div class=\"qfrow\"><label class=\"qflabel\">{label}{help}<!-- BEGIN required -->{req}<!-- END required --></label><fieldset class=\"qfelement<!-- BEGIN error --> error<!-- END error --> {type}\"><!-- BEGIN error --><span class=\"error\">{error}</span><br /><!-- END error -->{element}</fieldset></div>");
parent::HTML_QuickForm_Renderer_Tableless();
}
@@ -242,10 +306,10 @@ function renderElement(&$element, $required, $error){
}
-class moodleform_filter{
+/*class moodleform_filter{
var $paramtype;
var $default;
- function moodleform_filter($paramtype, $default){
+ function moodleform_filter($paramtype, $default=NULL){
$this->paramtype=$paramtype;
$this->default=$default;
}
@@ -264,13 +328,8 @@ function optional_param($value){
}
return $this->clean_param($value);
}
- function clean_param($value){
- //clean param expects vars with slashes
- $value=HTML_QuickForm::_recursiveFilter('addslashes', $value);
- $value=clean_param($value, $this->paramtype);
- return HTML_QuickForm::_recursiveFilter('stripslashes', $value);
- }
-}
+
+} */
$GLOBALS['_HTML_QuickForm_default_renderer']=& new moodleform_renderer();
@@ -285,6 +344,7 @@ function clean_param($value){
moodleform::registerElementType('date_selector', "$CFG->libdir/form/dateselector.php", 'moodleform_date_selector');
moodleform::registerElementType('htmleditor', "$CFG->libdir/form/htmleditor.php", 'moodleform_htmleditor');
moodleform::registerElementType('static', "$CFG->libdir/form/static.php", 'moodleform_static');
+moodleform::registerElementType('hidden', "$CFG->libdir/form/hidden.php", 'moodleform_hidden');
?>

0 comments on commit 42f248e

Please sign in to comment.