MDL-34311 formslib: warn when no param type set

Params without a type set will not be getting cleaned, so if developers
really do not want cleaning, they should set it explicitly.
1 parent 7112729 commit b45ba7f6fa730ad96c8b8421fb0952ac3fec61f2 @danpoltawski danpoltawski committed Mar 22, 2013
Showing with 38 additions and 0 deletions.
  1. +36 −0 lib/formslib.php
  2. +2 −0 lib/upgrade.txt
@@ -278,6 +278,7 @@ function _process_submission($method) {
$submission = array();
$files = array();
}
+ $this->detectMissingSetType();
$this->_form->updateSubmission($submission, $files);
}
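Review bot: the check now runs on every form instantiation, since _process_submission() is called from the constructor regardless of whether anything was submitted, and it runs before definition_after_data() has had a chance to add elements; worth a one-line comment here saying the call is intentionally duplicated in display() so that late-added elements are still covered, otherwise the next reader will assume one of the two calls is redundant.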
@@ -914,6 +915,9 @@ function display() {
$this->_definition_finalized = true;
$this->definition_after_data();
}
+
+ $this->detectMissingSetType();
+
$this->_form->display();
}
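Review bot: placing the call after definition_after_data() is the right order, since elements added there are the ones most likely to be missed by setType(); the blank lines around `$this->detectMissingSetType();` are inconsistent with the spacing used for the same call in _process_submission() and could be dropped.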
@@ -1238,6 +1242,38 @@ public static function get_js_module() {
'requires' => array('base', 'node')
);
}
+
+ /**
+ * Detects elements with missing setType() declerations.
+ *
+ * Finds elements in the form which should a PARAM_ type set and throws a
+ * developer debug warning for any elements without it. This is to reduce the
+ * risk of potential security issues by developers mistakenly forgetting to set
+ * the type.
+ *
+ * @return void
+ */
+ private function detectMissingSetType() {
+ if (!debugging('', DEBUG_DEVELOPER)) {
+ // Only for devs.
+ return;
+ }
+
+ $mform = $this->_form;
+ foreach ($mform->_elements as $element) {
+ switch ($element->getType()) {
+ case 'hidden':
+ case 'text':
+ case 'url':
+ $key = $element->getName();
+ if (!array_key_exists($key, $mform->_types)) {
+ debugging("Did you remember to call setType() for '$key'? ".
+ 'Defaulting to PARAM_RAW cleaning.', DEBUG_DEVELOPER);
+ }
+ break;
+ }
+ }
+ }
}
/**
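Review bot: the switch only covers 'hidden', 'text' and 'url', so other free-text element types (textarea, password, editor and similar) still get no warning even though they accept arbitrary input; either widen the list or state in the docblock why only these three are checked. Also confirm that the lookup key is right: `$key = $element->getName();` is used as the index into `$mform->_types`, and for elements with array-style names the key used in setType() may not be the same string, which would produce false warnings. Finally, the docblock has two typos: "declerations" should be "declarations", and "which should a PARAM_ type set" is missing "have".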
@@ -26,6 +26,8 @@ information provided here is intended especially for developers.
* Function get_users_listing now return list of users except guest and deleted users. Previously
deleted users were excluded by get_users_listing. As guest user is not expected while browsing users,
and not included in get_user function, it will not be returned by get_users_listing.
+* Formslib will now throw a developer warning if a PARAM_ type hasn't been set for elements which
+ need it. Please set PARAM_RAW explicitly if you do not want any cleaning.
YUI changes:
* M.util.help_icon has been deprecated. Code should be updated to use moodle-core-popuphelp
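Review bot: the upgrade note should say that the warning is only emitted under DEBUG_DEVELOPER and name the element types it applies to (hidden, text, url per lib/formslib.php), so developers reading upgrade.txt know where to look when it fires.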