
MDL-27823 messaging: preventing html tags from being output to the UI

1 parent 24654d9 commit a47827691a38e461f3ad8bed98e3ec9935cf5db3 @andyjdavis andyjdavis committed Aug 19, 2011
Showing with 30 additions and 13 deletions.
  1. +14 −5 lib/moodlelib.php
  2. +8 −2 message/lib.php
  3. +8 −6 user/messageselect.php
@@ -9292,11 +9292,13 @@ function message_popup_window() {
}
//got unread messages so now do another query that joins with the user table
- $messagesql = "SELECT m.id, m.smallmessage, m.notification, u.firstname, u.lastname FROM {message} m
-JOIN {message_working} mw ON m.id=mw.unreadmessageid
-JOIN {message_processors} p ON mw.processorid=p.id
-JOIN {user} u ON m.useridfrom=u.id
-WHERE m.useridto = :userid AND p.name='popup'";
+ $messagesql = "SELECT m.id, m.smallmessage, m.fullmessageformat, m.notification, u.firstname, u.lastname
+ FROM {message} m
+ JOIN {message_working} mw ON m.id=mw.unreadmessageid
+ JOIN {message_processors} p ON mw.processorid=p.id
+ JOIN {user} u ON m.useridfrom=u.id
+ WHERE m.useridto = :userid
+ AND p.name='popup'";
//if the user was last notified over an hour ago we can renotify them of old messages
//so don't worry about when the new message was sent
@@ -9331,6 +9333,13 @@ function message_popup_window() {
} else {
$smallmessage = $message_users->smallmessage;
}
+
+ //prevent html symbols being displayed
+ if ($message_users->fullmessageformat == FORMAT_HTML) {
+ $smallmessage = html_to_text($smallmessage);
+ } else {
+ $smallmessage = s($smallmessage);
+ }
} else if ($message_users->notification) {
//its a notification with no smallmessage so just say they have a notification
$smallmessage = get_string('unreadnewnotification', 'message');
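Review bot: In the FORMAT_HTML branch the popup text only passes through `html_to_text()`, which yields plain text rather than HTML-safe text. If the converter decodes entities, entity-encoded markup in a message comes back as literal `<`/`>` and is never escaped, unlike the `s()` branch. Escaping the converted text would keep both branches equivalent at the output boundary: `$smallmessage = s(html_to_text($smallmessage));`. The branch is also selected by `fullmessageformat` although `smallmessage` is what gets rendered, so a comment such as `// smallmessage is assumed to share fullmessage's format` would record that assumption. The place where `$smallmessage` is written into the page is outside this hunk, so confirm that sink does not already escape before applying the change.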
@@ -1944,9 +1944,15 @@ function message_format_message($message, $format='', $keywords='', $class='othe
//if supplied display small messages as fullmessage may contain boilerplate text that shouldnt appear in the messaging UI
if (!empty($message->smallmessage)) {
- $messagetext = format_text(s($message->smallmessage), FORMAT_MOODLE, $options);
+ $messagetext = $message->smallmessage;
} else {
- $messagetext = format_text(s($message->fullmessage), $message->fullmessageformat, $options);
+ $messagetext = $message->fullmessage;
+ }
+ if ($message->fullmessageformat == FORMAT_HTML) {
+ //dont escape html tags by calling s() if html format or they will display in the UI
+ $messagetext = html_to_text(format_text($messagetext, $message->fullmessageformat, $options));
+ } else {
+ $messagetext = format_text(s($messagetext), $message->fullmessageformat, $options);
}
$messagetext .= message_format_contexturl($message);
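Review bot: `html_to_text(format_text(...))` in the FORMAT_HTML branch cleans first and converts to text last, so anything `format_text()` left as harmless entities may be decoded back into literal markup by `html_to_text()` before `$messagetext` is returned for display. The last step before output should be a cleaning or escaping one: either keep the cleaned HTML with `$messagetext = format_text($messagetext, $message->fullmessageformat, $options);` or escape after conversion with `$messagetext = s(html_to_text($messagetext));`. `smallmessage` is now interpreted with `fullmessageformat`, where it was previously always treated as FORMAT_MOODLE, which deserves a comment saying it is intended. `$options` and the rest of `message_format_message()` are outside the hunk, so whether cleaning is disabled there cannot be seen from here.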
@@ -91,12 +91,14 @@
$count = 0;
-foreach ($_POST as $k => $v) {
- if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
- if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
- if ($user = $DB->get_record_select('user', "id = ?", array($m[2]), 'id,firstname,lastname,idnumber,email,mailformat,lastaccess, lang')) {
- $SESSION->emailto[$id][$m[2]] = $user;
- $count++;
+if ($data = data_submitted()) {
+ foreach ($data as $k => $v) {
+ if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
+ if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
+ if ($user = $DB->get_record_select('user', "id = ?", array($m[2]), 'id,firstname,lastname,idnumber,email,mailformat,lastaccess, lang')) {
+ $SESSION->emailto[$id][$m[2]] = $user;
+ $count++;
+ }
}
}
}
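Review bot: The loop still loads any user whose id appears in a posted `user<N>`/`teacher<N>` key and stores the record, including `email` and `idnumber`, in `$SESSION->emailto[$id]`; nothing in the hunk restricts `$m[2]` to participants of course `$id` or excludes deleted accounts. Adding `deleted = 0` to the select and checking the user against the course's enrolled users before `$SESSION->emailto[$id][$m[2]] = $user;` would close that gap. No `confirm_sesskey()` is visible before the session is modified either. The capability and sesskey checks may sit above line 91, outside this hunk, so confirm they cover this POST path.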
