Stronger validation of form data in user/edit, and validation of lang in current_language() -- closes SC#67
1 parent fd0c975 commit ddeaac719524c8896c70de6cb395b0a606cd8dde martinlanghoff committed Jan 27, 2005
Showing with 20 additions and 6 deletions.
  1. +4 −4 lib/moodlelib.php
  2. +16 −2 user/edit.php
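--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -2230,16 +2230,16 @@ function current_language() {
 global $CFG, $USER, $SESSION;
 if (!empty($CFG->courselang)) { // Course language can override all other settings for this page
- return $CFG->courselang;
+ return clean_param($CFG->courselang, PARAM_FILE);
 } else if (!empty($SESSION->lang)) { // Session language can override other settings
- return $SESSION->lang;
+ return clean_param($SESSION->lang, PARAM_FILE);
 } else if (!empty($USER->lang)) { // User language can override site language
- return $USER->lang;
+ return clean_param($USER->lang, PARAM_FILE);
 } else {
- return $CFG->lang;
+ return clean_param($CFG->lang, PARAM_FILE);
 }
 }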
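Review bot: Each branch tests the raw value with `!empty()` but returns the cleaned one, so a language value that clean_param(PARAM_FILE) reduces to an empty string (exactly the kind of hostile input this sanitising targets) is returned as '' instead of falling through to the next source, and any caller that builds a language-pack path from the result presumably ends up with an empty path component. Cleaning each candidate before testing it, in the same course > session > user > site precedence, keeps the fallback chain intact; the rewrite below does that. Sanitising to a safe filename is also not the same as checking that the value names an installed language pack — if this tree keeps a list of available languages, a membership check here would be the stronger control (not verifiable from this hunk). The function's signature sits in the hunk header and its whole body is visible here.

```php
function current_language() {
    global $CFG, $USER, $SESSION;
    // Precedence: course > session > user > site. Each candidate is
    // cleaned *before* it is tested, so a value that sanitises to ''
    // falls through to the next source instead of being returned.
    $candidates = array(
        empty($CFG->courselang) ? '' : $CFG->courselang,
        empty($SESSION->lang)   ? '' : $SESSION->lang,
        empty($USER->lang)      ? '' : $USER->lang,
        empty($CFG->lang)       ? '' : $CFG->lang
    );
    foreach ($candidates as $candidate) {
        if ($candidate === '') {
            continue;
        }
        $lang = clean_param($candidate, PARAM_FILE);
        if ($lang !== '') {
            return $lang;
        }
    }
    return '';   // nothing usable configured at any level
}
```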
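--- a/user/edit.php
+++ b/user/edit.php
@@ -3,8 +3,8 @@
 require_once("../config.php");
 require_once("$CFG->libdir/gdlib.php");
- optional_variable($id); // user id
- optional_variable($course); // course id
+ $id = optional_param('id', PARAM_INT); // user id
+ $course = optional_param('course', PARAM_INT); // course id
 if (empty($id)) { // See your own profile by default
 require_login();
@@ -64,6 +64,20 @@
 check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
 }
+ // data cleanup
+ // username is validated in find_form_errors
+ $usernew->country = clean_param($usernew->country, PARAM_ALPHA);
+ $usernew->lang = clean_param($usernew->lang, PARAM_FILE);
+ $usernew->url = clean_param($usernew->url, PARAM_URL);
+ $usernew->icq = clean_param($usernew->icq, PARAM_INT);
+
+ $usernew->maildisplay = clean_param($usernew->maildisplay, PARAM_INT);
+ $usernew->mailformat = clean_param($usernew->mailformat, PARAM_INT);
+ $usernew->maildigest = clean_param($usernew->maildigest, PARAM_INT);
+ $usernew->autosubscribe = clean_param($usernew->autosubscribe, PARAM_INT);
+ $usernew->htmleditor = clean_param($usernew->htmleditor, PARAM_INT);
+ $usernew->emailstop = clean_param($usernew->emailstop, PARAM_INT);
+
 foreach ($usernew as $key => $data) {
 $usernew->$key = addslashes(clean_text(stripslashes($usernew->$key), FORMAT_MOODLE));
 }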
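Review bot: In the first hunk, `optional_param('id', PARAM_INT)` and `optional_param('course', PARAM_INT)` pass PARAM_INT as the second argument, which in Moodle's optional_param() (lib/moodlelib.php, not shown on this page) is the default value rather than the cleaning type — if that is the signature in this tree, a missing parameter yields the numeric value of the PARAM_INT constant (so `empty($id)` on the next line only selects the own-profile path if that constant happens to be 0), and a supplied value is cleaned with the function's default type instead of as an integer, which undoes the tightening this commit intends. The calls should be `$id = optional_param('id', 0, PARAM_INT);` and `$course = optional_param('course', 0, PARAM_INT);`, so the default is explicit and the type lands in the right slot. The `if (empty($id))` block continues past the end of the hunk.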
