
Merge branch 'MDL-25754_19_wip' of git://github.com/skodak/moodle into MOODLE_19_STABLE
Sam Hemelryk
Sam Hemelryk committed Jan 18, 2011
2 parents 12e3dc1 + fd29b2a commit e7682e584a78f10cd48e9deb386974920febf1ae
Showing with 125 additions and 110 deletions.
  1. +5 −2 lib/moodlelib.php
  2. +9 −9 tag/edit.php
  3. +100 −97 tag/lib.php
  4. +11 −2 tag/tag_autocomplete.php
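--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -567,16 +567,19 @@ function clean_param($param, $type) {
 }
 case PARAM_TAG:
+ // Please note it is not safe to use the tag name directly anywhere,
+ // it must be processed with s(), urlencode() before embedding anywhere.
+ // remove some nasties
+ $param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
 //as long as magic_quotes_gpc is used, a backslash will be a
- //problem, so remove *all* backslash.
+ //problem, so remove *all* backslash - BUT watch out for SQL injections caused by this sloppy design (skodak)
 $param = str_replace('\\', '', $param);
 //convert many whitespace chars into one
 $param = preg_replace('/\s+/', ' ', $param);
 $textlib = textlib_get_instance();
 $param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
 return $param;
-
 case PARAM_TAGLIST:
 $tags = explode(',', $param);
 $result = array();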
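Review bot: The new `preg_replace` call with the `u` modifier returns null rather than a string when `$param` is not valid UTF-8, so a malformed tag name is carried through `str_replace`, `trim` and `substr` as null and the case ends up returning an empty string with nothing telling the caller that the input was rejected; the PARAM_TAG case sits inside clean_param, which begins and ends outside the hunk. Making the rejection explicit right after the replace, `if ($param === null) { return ''; }`, keeps the outcome deterministic and documents it. The added comment says the cleaned tag name is still not safe to embed directly, and the backslash line now flags an SQL concern; since clean_param is what callers treat as the sanitising step, that concern is only closed if every query taking a tag name escapes or parameterises it at the database boundary, which this hunk cannot show.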
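--- a/tag/edit.php
+++ b/tag/edit.php
@@ -4,7 +4,7 @@
 require_once('lib.php');
 require_once('edit_form.php');
-require_js(array('yui_dom-event', 'yui_connection', 'yui_animation', 'yui_autocomplete'));
+require_js(array('yui_dom-event', 'yui_connection', 'yui_animation', 'yui_datasource', 'yui_autocomplete'));
 require_login();
@@ -92,21 +92,21 @@
 error('Error updating tag record');
 }
 }
-
+
 //log tag changes activity
 //if tag name exist from form, renaming is allow. record log action as rename
- //otherwise, record log action as update
+ //otherwise, record log action as update
 if (isset($tagnew->name) && ($tag->name != $tagnew->name)){
 add_to_log($COURSE->id, 'tag', 'update', 'index.php?id='. $tag->id, $tag->name . '->'. $tagnew->name);
- } elseif ($tag->description != $tagnew->description) {
+ } elseif ($tag->description != $tagnew->description) {
 add_to_log($COURSE->id, 'tag', 'update', 'index.php?id='. $tag->id, $tag->name);
 }
-
+
 //updated related tags
 tag_set('tag', $tagnew->id, explode(',', trim($tagnew->relatedtags)));
 //print_object($tagnew); die();
-
+
 redirect($CFG->wwwroot.'/tag/index.php?tag='.rawurlencode($tag->name)); // must use $tag here, as the name isn't in the edit form
 }
 }
@@ -133,9 +133,9 @@
 <script type="text/javascript">
 // An XHR DataSource
-var myServer = "./tag_autocomplete.php";
-var myDataSource = new YAHOO.widget.DS_XHR(myServer, ["\n", "\t"]);
-myDataSource.responseType = YAHOO.widget.DS_XHR.TYPE_FLAT;
+var myDataSource = new YAHOO.util.XHRDataSource("./tag_autocomplete.php");
+myDataSource.responseType = YAHOO.util.XHRDataSource.TYPE_TEXT;
+myDataSource.responseSchema = {recordDelim: "\n", fieldDelim: "\t"};
 myDataSource.maxCacheEntries = 60;
 myDataSource.queryMatchSubset = true;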
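Review bot: `myDataSource.queryMatchSubset = true;` on the last line of the third hunk is left over from the legacy DS_XHR setup; if the `yui_datasource` dependency added in the first hunk is the YUI 2.6+ unified DataSource, queryMatchSubset is an AutoComplete option there rather than a DataSource property, so the assignment would be silently ignored and should move to the AutoComplete instance, which is presumably created below the hunk (`maxCacheEntries` on the line above is still a DataSource property). The new text schema also relies on the server never emitting a tab or newline inside a tag name; the PARAM_TAG cleaning in lib/moodlelib.php on this commit collapses whitespace runs, but whether tag_autocomplete.php returns cleaned names cannot be confirmed from the sections shown.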