MDL-22631 Added some clean_param calls to clean the $_GET data and al…

…so added lots of warnings and info there.
commit e595058242b31aba82c9523582f34198eb06fb72 1 parent 1bdb4ed
Martin Dougiamas moodler authored
Showing with 10 additions and 7 deletions.
  1. +10 −7 blog/lib.php
17 blog/lib.php
@@ -659,17 +659,20 @@ function get_viewable_entry_count($postid='', $fetchlimit=10,
/// Find the base url from $_GET variables, for print_paging_bar
+ /// WARNING: EVIL EVIL EVIL! This function directly acesses $_GET which is a big no no. MDL-22631
+ /// I added some clean_param() calls for now but $_GET should just not ever be used directly.
+ /// The function is totally gone in Moodle 2.0.
function get_baseurl($filtertype, $filterselect) {
- $getcopy = $_GET;
-
- unset($getcopy['blogpage']);
+ unset($_GET['blogpage']);
$strippedurl = strip_querystring(qualified_me());
- if(!empty($getcopy)) {
+ if(!empty($_GET)) {
$first = false;
$querystring = '';
- foreach($getcopy as $var => $val) {
+ foreach($_GET as $var => $val) {
+ $var = clean_param($var, PARAM_ALPHANUM); // See MDL-22631
+ $val = clean_param($val, PARAM_CLEAN);
if(!$first) {
$first = true;
if ($var != 'filterselect' && $var != 'filtertype') {
@@ -680,8 +683,8 @@ function get_baseurl($filtertype, $filterselect) {
}
} else {
if ($var != 'filterselect' && $var != 'filtertype') {
- $querystring .= '&'.$var.'='.$val;
- $hasparam = true;
+ $querystring .= '&'.$var.'='.$val;
+ $hasparam = true;
}
}
}
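Review bot: The new code drops the `$getcopy` copy and calls `unset($_GET['blogpage'])` on the superglobal itself, so any later `optional_param('blogpage', ...)` or `$_GET` read in the same request silently loses the page number; keeping `$getcopy = $_GET; unset($getcopy['blogpage']);` and iterating `$getcopy` gives the same cleaning without that side effect. The clean_param() calls are also the wrong tool for where the values end up: they go straight into a query string at `$querystring .= '&'.$var.'='.$val;`, and as I read them PARAM_CLEAN leaves `&`, `=`, `#` and quotes in a value intact while PARAM_ALPHANUM strips `_` and `-`, so a key such as `foo_bar` is silently renamed in the rebuilt URL and values can still break the URL or the attribute it is printed into. Encode per context instead, `$querystring .= '&'.rawurlencode($var).'='.rawurlencode($val);` (and the same in the `?` branch of the first hunk), and leave HTML escaping to the code that prints the base URL. get_baseurl() starts in the first hunk and its body continues past the end of the second, so the `?` branch and the return are not visible here.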