Stronger validation of form data in user/edit, and validation of lang…

… in current_language() -- closes SC#67
moodle · Jan 27, 2005 · ddeaac7 · ddeaac7
1 parent fd0c975
commit ddeaac7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
@@ -2230,16 +2230,16 @@ function current_language() {
     global $CFG, $USER, $SESSION;
 
     if (!empty($CFG->courselang)) {    // Course language can override all other settings for this page
-        return $CFG->courselang;
+        return clean_param($CFG->courselang, PARAM_FILE);
 
     } else if (!empty($SESSION->lang)) {    // Session language can override other settings
-        return $SESSION->lang;
+        return clean_param($SESSION->lang, PARAM_FILE);
 
     } else if (!empty($USER->lang)) {    // User language can override site language
-        return $USER->lang;
+        return clean_param($USER->lang, PARAM_FILE);
 
     } else {
-        return $CFG->lang;
+        return clean_param($CFG->lang, PARAM_FILE);
     }
 }
 

diff --git a/user/edit.php b/user/edit.php
@@ -3,8 +3,8 @@
     require_once("../config.php");
     require_once("$CFG->libdir/gdlib.php");
 
-    optional_variable($id);       // user id
-    optional_variable($course);   // course id
+    $id     = optional_param('id',     PARAM_INT);   // user id
+    $course = optional_param('course', PARAM_INT);   // course id
 
     if (empty($id)) {         // See your own profile by default
         require_login();
@@ -64,6 +64,20 @@
             check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
         }
 
+        // data cleanup 
+        // username is validated in find_form_errors
+        $usernew->country = clean_param($usernew->country, PARAM_ALPHA);
+        $usernew->lang    = clean_param($usernew->lang,    PARAM_FILE);
+        $usernew->url     = clean_param($usernew->url,     PARAM_URL);
+        $usernew->icq     = clean_param($usernew->icq,     PARAM_INT);
+
+        $usernew->maildisplay   = clean_param($usernew->maildisplay,   PARAM_INT);
+        $usernew->mailformat    = clean_param($usernew->mailformat,    PARAM_INT);
+        $usernew->maildigest    = clean_param($usernew->maildigest,    PARAM_INT);
+        $usernew->autosubscribe = clean_param($usernew->autosubscribe, PARAM_INT);
+        $usernew->htmleditor    = clean_param($usernew->htmleditor,    PARAM_INT);
+        $usernew->emailstop     = clean_param($usernew->emailstop,     PARAM_INT);
+
         foreach ($usernew as $key => $data) {
             $usernew->$key = addslashes(clean_text(stripslashes($usernew->$key), FORMAT_MOODLE));
         }