MDL-72249 message: stricter cleaning of processor type parameter.

message/externallib.php

@@ -2845,7 +2845,7 @@ public static function message_processor_config_form_parameters() {
         return new external_function_parameters(
             array(
                 'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user', VALUE_REQUIRED),
-                'name' => new external_value(PARAM_TEXT, 'The name of the message processor'),
+                'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor'),
                 'formvalues' => new external_multiple_structure(
                     new external_single_structure(
                         array(
@@ -2921,7 +2921,7 @@ public static function get_message_processor_parameters() {
         return new external_function_parameters(
             array(
                 'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user'),
-                'name' => new external_value(PARAM_TEXT, 'The name of the message processor', VALUE_REQUIRED),
+                'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor', VALUE_REQUIRED),
             )
         );
     }

message/lib.php

@@ -734,8 +734,8 @@ function message_output_fragment_processor_settings($args = []) {
         throw new moodle_exception('Must provide a userid');
     }
 
-    $type = $args['type'];
-    $userid = $args['userid'];
+    $type = clean_param($args['type'], PARAM_SAFEDIR);
+    $userid = clean_param($args['userid'], PARAM_INT);
 
     $user = core_user::get_user($userid, '*', MUST_EXIST);
     if (!core_message_can_edit_message_profile($user)) {