From 0c700cc48d12af5e377a674b4df6670b2a5c3a41 Mon Sep 17 00:00:00 2001
From: Sam Hemelryk
Date: Wed, 28 Mar 2012 12:24:52 +1300
Subject: [PATCH] MDL-32018 mod_wiki: Improved form definitions to ensure they consistent and secure
---
 mod/wiki/comments_form.php | 7 +++----
 mod/wiki/create_form.php | 11 +++++++----
 mod/wiki/edit_form.php | 34 +++++++++++++++++-----------------
 mod/wiki/filesedit_form.php | 6 +++++-
 mod/wiki/mod_form.php | 31 ++++++++++++++-----------------
 5 files changed, 46 insertions(+), 43 deletions(-)
diff --git a/mod/wiki/comments_form.php b/mod/wiki/comments_form.php
index 0dc86403b3a..fe53834d317 100644
--- a/mod/wiki/comments_form.php
+++ b/mod/wiki/comments_form.php
@@ -7,9 +7,8 @@ if (!defined('MOODLE_INTERNAL')) {
 require_once($CFG->dirroot . '/lib/formslib.php');
 class mod_wiki_comments_form extends moodleform {
- function definition() {
- $pageid = optional_param('pageid', 0, PARAM_INT);
- $mform =& $this->_form;
+ protected function definition() {
+ $mform = $this->_form;
 $current = $this->_customdata['current'];
 $commentoptions = $this->_customdata['commentoptions'];
@@ -24,7 +23,7 @@ class mod_wiki_comments_form extends moodleform {
 $mform->setType('id', PARAM_INT);
 $mform->addElement('hidden', 'action', '');
- $mform->setType('action', PARAM_ACTION);
+ $mform->setType('action', PARAM_ALPHAEXT);
 //-------------------------------------------------------------------------------
 // buttons
diff --git a/mod/wiki/create_form.php b/mod/wiki/create_form.php
index a6099913473..ff2b7afeeb3 100644
--- a/mod/wiki/create_form.php
+++ b/mod/wiki/create_form.php
@@ -29,8 +29,7 @@ require_once($CFG->libdir.'/formslib.php');
 class mod_wiki_create_form extends moodleform {
 protected function definition() {
- global $CFG;
- $mform =& $this->_form;
+ $mform = $this->_form;
 $formats = $this->_customdata['formats'];
 $defaultformat = $this->_customdata['defaultformat'];
@@ -43,6 +42,8 @@ class mod_wiki_create_form extends moodleform {
 $textoptions = array('readonly'=>'readonly');
 }
 $mform->addElement('text', 'pagetitle', get_string('newpagetitle', 'wiki'), $textoptions);
+ $mform->setType('pagetitle', PARAM_TEXT);
+ $mform->addRule('pagetitle', get_string('required'), 'required', null, 'client');
 if ($forceformat) {
 $mform->addElement('hidden', 'pageformat', $defaultformat);
@@ -60,10 +61,12 @@ class mod_wiki_create_form extends moodleform {
 $mform->addElement('radio', 'pageformat', '', get_string('format'.$format, 'wiki'), $format, $attr);
 }
 }
+ $mform->setType('pageformat', PARAM_ALPHANUMEXT);
+ $mform->addRule('pageformat', get_string('required'), 'required', null, 'client');
 //hiddens
- $mform->addElement('hidden', 'action');
- $mform->setDefault('action', 'create');
+ $mform->addElement('hidden', 'action', 'create');
+ $mform->setType('action', PARAM_ALPHA);
 $this->add_action_buttons(false, get_string('createpage', 'wiki'));
 }
diff --git a/mod/wiki/edit_form.php b/mod/wiki/edit_form.php
index b121f8c0148..cc56932219e 100644
--- a/mod/wiki/edit_form.php
+++ b/mod/wiki/edit_form.php
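Review bot: The `readonly` attribute on the `pagetitle` input and the hidden `pageformat` that carries `$defaultformat` under `$forceformat` are both client-side only, and the new `$mform->setType('pagetitle', PARAM_TEXT);` cleans the submitted value rather than pinning it, so a forced title or format can still arrive changed in the submitted form. The handler that creates the page should take the title and format from its own forced values in that case rather than from the submitted data; whether it does is outside this file. The same applies to the `PARAM_ALPHANUMEXT` type given to `pageformat` in the next hunk.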
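Review bot: `$mform->setType('pageformat', PARAM_ALPHANUMEXT);` only cleans the characters of the submitted format; nothing in the form checks that the value is one of the formats offered by the radio buttons. Assuming `$formats` is a list of format names, as the loop building the radios suggests, a `validation()` override that returns an error unless `in_array($data['pageformat'], $this->_customdata['formats'], true)` would reject an unknown format before the page is created. The required rule added here does not cover that case.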
@@ -38,20 +38,16 @@ class mod_wiki_edit_form extends moodleform {
 protected function definition() {
 global $CFG;
- $mform =& $this->_form;
+ $mform = $this->_form;
 $version = $this->_customdata['version'];
 $format = $this->_customdata['format'];
- $tags = !isset($this->_customdata['tags'])?"":$this->_customdata['tags'];
-
- if ($format != 'html') {
- $contextid = $this->_customdata['contextid'];
- $filearea = $this->_customdata['filearea'];
- $fileitemid = $this->_customdata['fileitemid'];
- }
+ $pagetitle = $this->_customdata['pagetitle'];
+ $contextid = $this->_customdata['contextid'];
 if (isset($this->_customdata['pagetitle'])) {
- $pagetitle = get_string('editingpage', 'wiki', $this->_customdata['pagetitle']);
+ // Page title must be formatted properly here as this is output and not an element.
+ $pagetitle = get_string('editingpage', 'wiki', format_string($pagetitle, true, array('context' => get_context_instance_by_id($contextid, MUST_EXIST))));
 } else {
 $pagetitle = get_string('editing', 'wiki');
 }
@@ -65,7 +61,7 @@ class mod_wiki_edit_form extends moodleform {
 $ft = new filetype_parser;
 $extensions = $ft->get_extensions('image');
 $fs = get_file_storage();
- $tree = $fs->get_area_tree($contextid, 'mod_wiki', 'attachments', $fileitemid);
+ $tree = $fs->get_area_tree($contextid, 'mod_wiki', $this->_customdata['filearea'], $this->_customdata['fileitemid']);
 $files = array();
 foreach ($tree['files'] as $file) {
 $filename = $file->get_filename();
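Review bot: `$pagetitle = $this->_customdata['pagetitle'];` reads the key unconditionally, so when it is absent a PHP undefined-index notice is raised before the `isset($this->_customdata['pagetitle'])` guard below runs, which makes that guard ineffective against notices. Reading it guarded keeps the intended fallback: `$pagetitle = isset($this->_customdata['pagetitle']) ? $this->_customdata['pagetitle'] : null;`. `$contextid` is now also read outside the former `$format != 'html'` branch, so every caller must supply `contextid`; that is presumably true since `format_string()` needs it, but it is a new requirement on callers outside this file. The `definition()` body continues past the hunk.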
@@ -77,30 +73,34 @@ class mod_wiki_edit_form extends moodleform {
 }
 $mform->addElement('wikieditor', 'newcontent', $fieldname, array('cols' => 100, 'rows' => 20, 'wiki_format' => $format, 'files'=>$files));
 $mform->addHelpButton('newcontent', 'format'.$format, 'wiki');
+ $mform->setType('newcontent', PARAM_RAW); // processed by trust text or cleaned before the display
 } else {
 $mform->addElement('editor', 'newcontent_editor', $fieldname, null, page_wiki_edit::$attachmentoptions);
 $mform->addHelpButton('newcontent_editor', 'formathtml', 'wiki');
+ $mform->setType('newcontent_editor', PARAM_RAW); // processed by trust text or cleaned before the display
 }
 //hiddens
 if ($version >= 0) {
- $mform->addElement('hidden', 'version');
- $mform->setDefault('version', $version);
+ $mform->addElement('hidden', 'version', $version);
+ $mform->setType('version', PARAM_FLOAT);
 }
- $mform->addElement('hidden', 'contentformat');
- $mform->setDefault('contentformat', $format);
+ $mform->addElement('hidden', 'contentformat', $format);
+ $mform->setType('contentformat', PARAM_ALPHANUMEXT);
 if (!empty($CFG->usetags)) {
+ $tags = !isset($this->_customdata['tags'])?"":$this->_customdata['tags'];
 $mform->addElement('header', 'tagshdr', get_string('tags', 'tag'));
 $mform->addElement('tags', 'tags', get_string('tags'));
 $mform->setDefault('tags', $tags);
+ $mform->setType('tags', PARAM_TEXT);
 }
 $buttongroup = array();
- $buttongroup[] =& $mform->createElement('submit', 'editoption', get_string('save', 'wiki'), array('id' => 'save'));
- $buttongroup[] =& $mform->createElement('submit', 'editoption', get_string('preview'), array('id' => 'preview'));
- $buttongroup[] =& $mform->createElement('submit', 'editoption', get_string('cancel'), array('id' => 'cancel'));
+ $buttongroup[] = $mform->createElement('submit', 'editoption', get_string('save', 'wiki'), array('id' => 'save'));
+ $buttongroup[] = $mform->createElement('submit', 'editoption', get_string('preview'), array('id' => 'preview'));
+ $buttongroup[] = $mform->createElement('submit', 'editoption', get_string('cancel'), array('id' => 'cancel'));
 $mform->addGroup($buttongroup, 'buttonar', '', array(' '), false);
 $mform->closeHeaderBefore('buttonar');
diff --git a/mod/wiki/filesedit_form.php b/mod/wiki/filesedit_form.php
index f086611a7e7..a440a53ee5b 100644
--- a/mod/wiki/filesedit_form.php
+++ b/mod/wiki/filesedit_form.php
@@ -27,15 +27,19 @@ defined('MOODLE_INTERNAL') || die();
 require_once("$CFG->libdir/formslib.php");
 class mod_wiki_filesedit_form extends moodleform {
- function definition() {
+ protected function definition() {
 $mform = $this->_form;
 $data = $this->_customdata['data'];
 $options = $this->_customdata['options'];
 $mform->addElement('filemanager', 'files_filemanager', get_string('files'), null, $options);
+ $mform->addElement('hidden', 'returnurl', $data->returnurl);
+ $mform->setType('returnurl', PARAM_URL);
+ $mform->addElement('hidden', 'subwiki', $data->subwikiid);
+ $mform->setType('subwiki', PARAM_INT);
 $this->add_action_buttons(true, get_string('savechanges'));
diff --git a/mod/wiki/mod_form.php b/mod/wiki/mod_form.php
index dcf9a06b642..ef5b26907e2 100644
--- a/mod/wiki/mod_form.php
+++ b/mod/wiki/mod_form.php
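Review bot: `$mform->setType('version', PARAM_FLOAT);` is looser than the hidden value warrants: the `$version >= 0` guard above treats it as a number and page versions are presumably integer counters, in which case `$mform->setType('version', PARAM_INT);` is the tighter cleaning and avoids a float round-trip of the hidden field. The `PARAM_RAW` types on `newcontent` and `newcontent_editor` rest on the "processed by trust text or cleaned before the display" promise that lives outside this form; naming the function that performs that cleaning in the comment would let a later reviewer verify it. `contentformat` typed `PARAM_ALPHANUMEXT` has the same gap as the create form: it is cleaned but not checked against the known wiki formats. The enclosing `definition()` starts before this hunk.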
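Review bot: `$mform->setType('returnurl', PARAM_URL);` accepts any well-formed URL, so whatever code reads `returnurl` back from the submitted form and redirects to it can be sent off-site by editing the hidden field; if the return target is always within this site, `$mform->setType('returnurl', PARAM_LOCALURL);` rejects external values at the form boundary. Whether the handler redirects to the submitted value rather than to a URL it rebuilds from `subwiki` is outside this hunk.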
@@ -41,28 +41,24 @@ require_once($CFG->dirroot . '/lib/datalib.php');
 class mod_wiki_mod_form extends moodleform_mod {
- function definition() {
-
- global $COURSE;
- $mform =& $this->_form;
+ protected function definition() {
+ $mform = $this->_form;
+ $required = get_string('required');
 //-------------------------------------------------------------------------------
- /// Adding the "general" fieldset, where all the common settings are showed
+ // Adding the "general" fieldset, where all the common settings are showed
 $mform->addElement('header', 'general', get_string('general', 'form'));
- /// Adding the standard "name" field
+
+ // Adding the standard "name" field
 $mform->addElement('text', 'name', get_string('wikiname', 'wiki'), array('size' => '64'));
 $mform->setType('name', PARAM_TEXT);
- $mform->addRule('name', null, 'required', null, 'client');
- /// Adding the optional "intro" and "introformat" pair of fields
- // $mform->addElement('htmleditor', 'intro', get_string('wikiintro', 'wiki'));
- // $mform->setType('intro', PARAM_RAW);
- // $mform->addRule('intro', get_string('required'), 'required', null, 'client');
- //
- // $mform->addElement('format', 'introformat', get_string('format'));
+ $mform->addRule('name', $required, 'required', null, 'client');
+ // Adding the optional "intro" and "introformat" pair of fields
 $this->add_intro_editor(true, get_string('wikiintro', 'wiki'));
+ //-------------------------------------------------------------------------------
- /// Adding the rest of wiki settings, spreeading all them into this fieldset
- /// or adding more fieldsets ('header' elements) if needed for better logic
+ // Adding the rest of wiki settings, spreeading all them into this fieldset
+ // or adding more fieldsets ('header' elements) if needed for better logic
 $mform->addElement('header', 'wikifieldset', get_string('wikisettings', 'wiki'));
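Review bot: The rewritten comments keep two typos: `// Adding the rest of wiki settings, spreeading all them into this fieldset` and `// Adding the "general" fieldset, where all the common settings are showed`. Since the hunk is already replacing these lines, `// Adding the rest of wiki settings, spreading them all into this fieldset` and `// Adding the "general" fieldset, where all the common settings are shown` would read cleanly. `definition()` continues past the hunk.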
@@ -75,9 +71,9 @@ class mod_wiki_mod_form extends moodleform_mod {
 $mform->addElement('text', 'firstpagetitle', get_string('firstpagetitle', 'wiki'), $attr);
 $mform->addHelpButton('firstpagetitle', 'firstpagetitle', 'wiki');
-
+ $mform->setType('firstpagetitle', PARAM_TEXT);
 if (empty($this->_instance)) {
- $mform->addRule('firstpagetitle', null, 'required', null, 'client');
+ $mform->addRule('firstpagetitle', $required, 'required', null, 'client');
 }
 $wikimodeoptions = array ('collaborative' => get_string('wikimodecollaborative', 'wiki'), 'individual' => get_string('wikimodeindividual', 'wiki'));
@@ -96,6 +92,7 @@ class mod_wiki_mod_form extends moodleform_mod {
 }
 $mform->addElement('select', 'defaultformat', get_string('defaultformat', 'wiki'), $editoroptions);
 $mform->addHelpButton('defaultformat', 'defaultformat', 'wiki');
+
 $mform->addElement('checkbox', 'forceformat', get_string('forceformat', 'wiki'));
 $mform->addHelpButton('forceformat', 'forceformat', 'wiki');