MDL-57580 mod_assign: Fix the incorrect type of some input parameters
The PARAM_TEXT has been misused in certain cases here. The 'action' parameter seems to always be alphabetic, with values like savesubmission, editsubmission and others as handled in assign::view(). Fixing the action handling fixes the reported XSS issue.

While working on it, I spotted two more places where PARAM_TEXT does not seem appropriate. I include changes for them too, even if they are not strictly related to the reported bug and there are no known ways to abuse it.

* The 'plugin' looks like PARAM_PLUGIN and is even declared as such in some other parts of the assignment code (such as feedback forms).
* The 'workflowstate' is one of the ASSIGN_MARKING_WORKFLOW_STATE constants and is supposed to be alpha in external function input parameters handling, too.
Showing with 8 additions and 8 deletions.
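
The following is an added example, not part of this commit and not Moodle code. It illustrates the idea in the commit message: declare the 'action' parameter as alphabetic so that nothing but letters survives cleaning, then accept only known action names. The helpers alpha_only() and resolve_action(), the KNOWN_ACTIONS list (limited to the two names quoted above) and the 'view' default are assumptions made for the illustration.

```php
<?php
// Stand-in for the effect of an alphabetic parameter type:
// every character outside a-z / A-Z is dropped from the input.
function alpha_only(string $raw): string {
    return (string) preg_replace('/[^a-zA-Z]/', '', $raw);
}

// Hypothetical allowlist: only the two action names quoted in the commit
// message. The real set handled by assign::view() is larger.
const KNOWN_ACTIONS = ['savesubmission', 'editsubmission'];

// Hypothetical helper: constrain the type first, then accept the value only
// if it is a known action; anything else falls back to a fixed default.
function resolve_action(string $raw, string $default = 'view'): string {
    $clean = alpha_only($raw);
    return in_array($clean, KNOWN_ACTIONS, true) ? $clean : $default;
}

// Constructed sample inputs, not taken from the bug report.
$samples = [
    'editsubmission',          // already a valid action name
    'save submission',         // whitespace is removed by the alpha filter
    'editsubmission42',        // digits are removed by the alpha filter
    '<b>editsubmission</b>',   // markup characters go, but tag letters remain
    '',                        // parameter missing or empty
];

foreach ($samples as $raw) {
    printf(
        "%-26s alpha=%-20s action=%s\n",
        var_export($raw, true),
        var_export(alpha_only($raw), true),
        resolve_action($raw)
    );
}
```

The fourth sample shows why the allowlist check is still worth having after the type constraint: the filter leaves a letters-only string that is not a real action name, so it is replaced by the default rather than passed on.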