From 4879477632279731427f711f60b740fa1725b013 Mon Sep 17 00:00:00 2001 From: Frederic Massart Date: Thu, 8 Oct 2015 17:51:05 +0800 Subject: [PATCH] MDL-51700 ajax: Clean the external function return values --- lib/ajax/service.php | 6 ++++++ lib/upgrade.txt | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/lib/ajax/service.php b/lib/ajax/service.php index ce58f01d026..e72f1650ef2 100644 --- a/lib/ajax/service.php +++ b/lib/ajax/service.php @@ -82,6 +82,12 @@ foreach ($requests as $request) { $result = call_user_func_array($callable, array_values($params)); + // Validate the return parameters. + if ($externalfunctioninfo->returns_desc !== null) { + $callable = array($externalfunctioninfo->classname, 'clean_returnvalue'); + $result = call_user_func($callable, $externalfunctioninfo->returns_desc, $result); + } + $response['error'] = false; $response['data'] = $result; $responses[$index] = $response; diff --git a/lib/upgrade.txt b/lib/upgrade.txt index c38064a04ee..aa16374fc53 100644 --- a/lib/upgrade.txt +++ b/lib/upgrade.txt @@ -1,6 +1,10 @@ This files describes API changes in core libraries and APIs, information provided here is intended especially for developers. +=== 3.1 === + +* Ajax calls going through lib/ajax/* now validate the return values before sending the response. If the validation does not pass an exception is raised. This behaviour is consistent with web services. + === 3.0 === * Minify updated to 2.2.1
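Review bot: In the block added to lib/ajax/service.php, a function whose `returns_desc` is null skips `clean_returnvalue`, so whatever the callable returned is still copied unfiltered into `$response['data']`. If a null description is meant to mean "returns nothing", an `else { $result = null; }` branch would keep undeclared data out of the AJAX response and make the upgrade.txt statement hold for every call. The block also reuses `$callable` for the cleaner; a separate name such as `$cleaner` would stop it being mistaken for the function that was just executed. The foreach body starts and ends outside the hunk, so the handling of a failed validation is not visible here; it is worth confirming that the error path does not echo the rejected value back to the client.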