From ce38fda65125a7cd8d0521fc08254facea400d01 Mon Sep 17 00:00:00 2001 From: Paul Holden Date: Tue, 27 Jun 2023 10:01:31 +0100 Subject: [PATCH] MDL-72249 message: stricter cleaning of processor type parameter. --- message/externallib.php | 4 ++-- message/lib.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/message/externallib.php b/message/externallib.php index 6e6bc119497a..8676c05f1973 100644 --- a/message/externallib.php +++ b/message/externallib.php @@ -2845,7 +2845,7 @@ public static function message_processor_config_form_parameters() { return new external_function_parameters( array( 'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user', VALUE_REQUIRED), - 'name' => new external_value(PARAM_TEXT, 'The name of the message processor'), + 'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor'), 'formvalues' => new external_multiple_structure( new external_single_structure( array( @@ -2921,7 +2921,7 @@ public static function get_message_processor_parameters() { return new external_function_parameters( array( 'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user'), - 'name' => new external_value(PARAM_TEXT, 'The name of the message processor', VALUE_REQUIRED), + 'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor', VALUE_REQUIRED), ) ); } diff --git a/message/lib.php b/message/lib.php index 79646bd164e7..ceeaa1808e57 100644 --- a/message/lib.php +++ b/message/lib.php @@ -734,8 +734,8 @@ function message_output_fragment_processor_settings($args = []) { throw new moodle_exception('Must provide a userid'); } - $type = $args['type']; - $userid = $args['userid']; + $type = clean_param($args['type'], PARAM_SAFEDIR); + $userid = clean_param($args['userid'], PARAM_INT); $user = core_user::get_user($userid, '*', MUST_EXIST); if (!core_message_can_edit_message_profile($user)) {