MDL-25754 improved tag sanitisation and fixed tag autocomplete
This commit is contained in:
parent
5a7f931ee5
commit
34b93e39a6
@ -792,10 +792,9 @@ function clean_param($param, $type) {
|
||||
}
|
||||
|
||||
case PARAM_TAG:
|
||||
//as long as magic_quotes_gpc is used, a backslash will be a
|
||||
//problem, so remove *all* backslash.
|
||||
//$param = str_replace('\\', '', $param);
|
||||
//remove some nasties
|
||||
// Please note it is not safe to use the tag name directly anywhere,
|
||||
// it must be processed with s(), urlencode() before embedding anywhere.
|
||||
// remove some nasties
|
||||
$param = preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param);
|
||||
//convert many whitespace chars into one
|
||||
$param = preg_replace('/\s+/', ' ', $param);
|
||||
@ -803,7 +802,6 @@ function clean_param($param, $type) {
|
||||
$param = $textlib->substr(trim($param), 0, TAG_MAX_LENGTH);
|
||||
return $param;
|
||||
|
||||
|
||||
case PARAM_TAGLIST:
|
||||
$tags = explode(',', $param);
|
||||
$result = array();
|
||||
|
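Review bot: In the PARAM_TAG branch the `u` modifier on `preg_replace('~[[:cntrl:]]|[<>`]~u', '', $param)` makes preg_replace() return null on malformed UTF-8, and nothing checks for it; the null is then fed through the second preg_replace(), trim() and substr(), so the caller receives an empty string with no indication that the input was rejected rather than cleaned. If "malformed input becomes an empty tag" is the intended contract, state it right after that call: `if ($param === null) { return ''; } // malformed UTF-8 is rejected as an empty tag`, which also stops relying on null-to-string coercion in the following calls. The new comment block is a good addition; it would be worth adding one line to it saying that this branch only strips characters and does not escape, so the note about s()/urlencode() is not lost when the old `//remove some nasties` wording is read in isolation. clean_param's body begins and ends outside these hunks.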
@ -55,7 +55,9 @@ $PAGE->set_context($systemcontext);
|
||||
$PAGE->set_blocks_editing_capability('moodle/tag:editblocks');
|
||||
$PAGE->set_pagelayout('base');
|
||||
|
||||
$PAGE->requires->yui2_lib('connection');
|
||||
$PAGE->requires->yui2_lib('animation');
|
||||
$PAGE->requires->yui2_lib('datasource');
|
||||
$PAGE->requires->yui2_lib('autocomplete');
|
||||
|
||||
$tagname = tag_display_name($tag);
|
||||
|
@ -599,7 +599,7 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
|
||||
|
||||
global $CFG;
|
||||
|
||||
if(!isset($tagobject->name)) {
|
||||
if (!isset($tagobject->name)) {
|
||||
return '';
|
||||
}
|
||||
|
||||
@ -612,6 +612,9 @@ function tag_display_name($tagobject, $html=TAG_RETURN_HTML) {
|
||||
$tagname = $tagobject->rawname;
|
||||
}
|
||||
|
||||
// clean up a bit just in case the rules change again
|
||||
$tagname = clean_param($tagname, PARAM_TAG);
|
||||
|
||||
if ($html == TAG_RETURN_TEXT) {
|
||||
return $tagname;
|
||||
} else { // TAG_RETURN_HTML
|
||||
|
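Review bot: The added `$tagname = clean_param($tagname, PARAM_TAG);` runs before the `TAG_RETURN_TEXT` branch, so the text form is stripped of control characters, `<`, `>` and backticks but still carries `&`, quotes and anything else an HTML or attribute context cares about, while the comment `// clean up a bit just in case the rules change again` reads as if the name were now safe to embed. Suggest making the contract explicit: `// Re-apply the current PARAM_TAG rules to stored names; this strips, it does not escape — TAG_RETURN_TEXT callers must still s()/urlencode() for their output context.` Because clean_param can also shorten a name or (on malformed UTF-8, as far as the PARAM_TAG branch shows) reduce it to '', the displayed name may silently differ from rawname; that looks intended but deserves a word in the same comment. The HTML branch and the rest of tag_display_name lie outside the hunk.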
@ -22,6 +22,8 @@
|
||||
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
||||
*/
|
||||
|
||||
define('AJAX_SCRIPT', true);
|
||||
|
||||
require_once('../config.php');
|
||||
require_once('lib.php');
|
||||
|
||||
@ -35,6 +37,6 @@ $query = optional_param('query', '', PARAM_RAW);
|
||||
|
||||
if ($similar_tags = tag_autocomplete($query)) {
|
||||
foreach ($similar_tags as $tag) {
|
||||
echo $tag->name . "\t" . tag_display_name($tag) . "\n";
|
||||
echo clean_param($tag->name, PARAM_TAG) . "\t" . tag_display_name($tag) . "\n";
|
||||
}
|
||||
}
|
||||
|
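Review bot: The first column now emits `clean_param($tag->name, PARAM_TAG)`, which can differ from the stored `$tag->name` (characters stripped, whitespace folded, length capped), so a client that posts this value back as the tag key may no longer match the row it came from; if the key is meant to round-trip, either emit the cleaned value only when it equals the original or document that the consumer resolves tags by cleaned name. The second column is tag_display_name() in its default HTML mode while the first is plain text, so one tab-separated record mixes two output contexts; a comment such as `// column 1: tag key (plain text), column 2: display label (HTML)` or an explicit `TAG_RETURN_HTML` argument would make that visible to whoever parses the response. It is the whitespace folding in PARAM_TAG that keeps a tab or newline inside a name from breaking the record format, which is worth noting next to the echo since the format depends on it. `$query` is taken as PARAM_RAW above the hunk and is outside the change.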