MDL-79557 message: Clean subject field content for get_messages WS

moodle · Oct 2, 2023 · 83461bc · 83461bc
1 parent 43d5aec
commit 83461bc
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/message/externallib.php b/message/externallib.php
@@ -2141,6 +2141,8 @@ public static function get_messages($useridto, $useridfrom = 0, $type = 'both',
                     $message->usertofullname = $usertofullname;
                 }
 
+                // Clean subject of html.
+                $message->subject = clean_param($message->subject, PARAM_TEXT);
                 $message->text = message_format_message_text($message);
                 $messages[$mid] = (array) $message;
             }

diff --git a/message/tests/externallib_test.php b/message/tests/externallib_test.php
@@ -1438,13 +1438,14 @@ public function test_get_messages() {
         $eventdata->smallmessage      = $eventdata->subject;
         message_send($eventdata);
 
+        // This event contains HTML in the subject field that will be removed by the WS (otherwise it will generate an exception).
         $eventdata = new \core\message\message();
         $eventdata->courseid         = $course->id;
         $eventdata->name             = 'submission';
         $eventdata->component        = 'mod_feedback';
         $eventdata->userfrom         = $user1;
         $eventdata->userto           = $user2;
-        $eventdata->subject          = 'Feedback submitted';
+        $eventdata->subject          = 'Feedback submitted <span>with html</span>';
         $eventdata->fullmessage      = 'Feedback submitted from an user';
         $eventdata->fullmessageformat = FORMAT_PLAIN;
         $eventdata->fullmessagehtml  = '<strong>Feedback submitted</strong>';