MDL-47927 LTI: Use PARAM_TEXT and p() for returned messages and errors

mod/lti/locallib.php

@@ -179,7 +179,10 @@ function lti_view($instance) {
         $instance->instructorcustomparameters, $islti2));
 
     $launchcontainer = lti_get_launch_container($instance, $typeconfig);
-    $returnurlparams = array('course' => $course->id, 'launch_container' => $launchcontainer, 'instanceid' => $instance->id);
+    $returnurlparams = array('course' => $course->id,
+                             'launch_container' => $launchcontainer,
+                             'instanceid' => $instance->id,
+                             'sesskey' => sesskey());
 
     // Add the return URL. We send the launch container along to help us avoid frames-within-frames when the user returns.
     $url = new \moodle_url('/mod/lti/return.php', $returnurlparams);

mod/lti/return.php

@@ -30,8 +30,8 @@
 $courseid = required_param('course', PARAM_INT);
 $instanceid = optional_param('instanceid', 0, PARAM_INT);
 
-$errormsg = optional_param('lti_errormsg', '', PARAM_RAW);
-$msg = optional_param('lti_msg', '', PARAM_RAW);
+$errormsg = optional_param('lti_errormsg', '', PARAM_TEXT);
+$msg = optional_param('lti_msg', '', PARAM_TEXT);
 $unsigned = optional_param('unsigned', '0', PARAM_INT);
 
 $launchcontainer = optional_param('launch_container', LTI_LAUNCH_CONTAINER_WINDOW, PARAM_INT);
@@ -47,6 +47,7 @@
 
 
 require_login($course);
+require_sesskey();
 
 if (!empty($errormsg) || !empty($msg)) {
     $url = new moodle_url('/mod/lti/return.php', array('course' => $courseid));
@@ -72,7 +73,7 @@
 if (!empty($errormsg)) {
     echo get_string('lti_launch_error', 'lti');
 
-    echo htmlspecialchars($errormsg);
+    p($errormsg);
 
     if ($unsigned == 1) {
 
@@ -99,7 +100,7 @@
     echo $OUTPUT->footer();
 } else if (!empty($msg)) {
 
-    echo htmlspecialchars($msg);
+    p($msg);
 
     echo $OUTPUT->footer();