MDL-74100 course: relax initial parameter types of external methods.

These methods can be called via UI, and would throw confusing exceptions
if a user entered "unsafe" characters in a search input (e.g. "<").

Defer cleaning of supplied text to inside the methods.
This commit is contained in:
Paul Holden 2022-03-08 09:08:45 +00:00
parent 01eb6d2e9b
commit 598698bc10
3 changed files with 10 additions and 10 deletions


@ -408,7 +408,7 @@ class core_calendar_external extends external_api {
'limittononsuspendedevents' => new external_value(PARAM_BOOL,
'Limit the events to courses the user is not suspended in', VALUE_DEFAULT, false),
'userid' => new external_value(PARAM_INT, 'The user id', VALUE_DEFAULT, null),
'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
)
);
}
@ -467,7 +467,7 @@ class core_calendar_external extends external_api {
$params['limitnum'],
$params['limittononsuspendedevents'],
$user,
$params['searchvalue']
clean_param($params['searchvalue'], PARAM_TEXT)
);
$exportercache = new events_related_objects_cache($events);
@ -499,7 +499,7 @@ class core_calendar_external extends external_api {
'timesortto' => new external_value(PARAM_INT, 'Time sort to', VALUE_DEFAULT, null),
'aftereventid' => new external_value(PARAM_INT, 'The last seen event id', VALUE_DEFAULT, 0),
'limitnum' => new external_value(PARAM_INT, 'Limit number', VALUE_DEFAULT, 20),
'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
)
);
}
@ -555,7 +555,7 @@ class core_calendar_external extends external_api {
$params['timesortto'],
$params['aftereventid'],
$params['limitnum'],
$params['searchvalue']
clean_param($params['searchvalue'], PARAM_TEXT)
);
$exportercache = new events_related_objects_cache($events, $courses);
@ -587,7 +587,7 @@ class core_calendar_external extends external_api {
'timesortfrom' => new external_value(PARAM_INT, 'Time sort from', VALUE_DEFAULT, null),
'timesortto' => new external_value(PARAM_INT, 'Time sort to', VALUE_DEFAULT, null),
'limitnum' => new external_value(PARAM_INT, 'Limit number', VALUE_DEFAULT, 10),
'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
)
);
}
@ -639,7 +639,7 @@ class core_calendar_external extends external_api {
$params['timesortfrom'],
$params['timesortto'],
$params['limitnum'],
$params['searchvalue']
clean_param($params['searchvalue'], PARAM_TEXT)
);
if (empty($events)) {
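Review bot: The three call-site cleanings `clean_param($params['searchvalue'], PARAM_TEXT)` (hunks at 467, 555 and 639) now receive null whenever a caller omits searchvalue, because the parameter keeps `VALUE_DEFAULT, null` while the type is relaxed to PARAM_RAW; unless clean_param() passes null through unchanged, the downstream calendar API would get '' where it previously got null, which may be read as a different "no search" signal. Worth confirming against clean_param(), or guarding explicitly at each site: `$params['searchvalue'] === null ? null : clean_param($params['searchvalue'], PARAM_TEXT)`. The same question applies to the `$searchvalue = clean_param(...)` assignments in get_enrolled_courses_with_action_events_by_timeline_classification (hunk at 117) and core_course_external (hunk at 3812). Each enclosing method continues outside its hunk, so any other use of `$params['searchvalue']` in those bodies would now see the uncleaned value — worth a grep before merging.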


@ -55,7 +55,7 @@ class get_enrolled_courses_with_action_events_by_timeline_classification extends
VALUE_DEFAULT, null),
'customfieldvalue' => new external_value(PARAM_RAW, 'Used when classification = customfield',
VALUE_DEFAULT, null),
'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against',
'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against',
VALUE_DEFAULT, null),
'eventsfrom' => new external_value(PARAM_INT, 'Optional starting timestamp for action events',
VALUE_DEFAULT, null),
@ -117,7 +117,7 @@ class get_enrolled_courses_with_action_events_by_timeline_classification extends
$sort = $params['sort'];
$customfieldname = $params['customfieldname'];
$customfieldvalue = $params['customfieldvalue'];
$searchvalue = $params['searchvalue'];
$searchvalue = clean_param($params['searchvalue'], PARAM_TEXT);
$eventsfrom = $params['eventsfrom'];
$eventsto = $params['eventsto'];
$morecoursestofetch = true;
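Review bot: The assignment `$searchvalue = clean_param($params['searchvalue'], PARAM_TEXT);` carries no explanation of why the parameter is declared PARAM_RAW in execute_parameters() and cleaned here instead, so a later tidy-up could "fix" the definition back to PARAM_TEXT and reintroduce the exception this commit removes. A one-line comment would anchor it: `// Declared PARAM_RAW so UI callers are not rejected with an exception; clean to PARAM_TEXT here instead (MDL-74100).` Note that, unlike the old validation, clean_param() alters the value rather than rejecting it, so a term such as `<b>` is searched as whatever remains after cleaning — if the user should be told, that has to happen in the UI layer. The same comment belongs on the matching assignment in core_course_external (hunk at 3812), and a unit test that passes a value containing `<` through each external method would pin the new behaviour; the enclosing execute() continues outside the hunk.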


@ -3754,7 +3754,7 @@ class core_course_external extends external_api {
VALUE_DEFAULT, null),
'customfieldvalue' => new external_value(PARAM_RAW, 'Used when classification = customfield',
VALUE_DEFAULT, null),
'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against',
'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against',
VALUE_DEFAULT, null),
)
);
@ -3812,7 +3812,7 @@ class core_course_external extends external_api {
$offset = $params['offset'];
$sort = $params['sort'];
$customfieldvalue = $params['customfieldvalue'];
$searchvalue = $params['searchvalue'];
$searchvalue = clean_param($params['searchvalue'], PARAM_TEXT);
switch($classification) {
case COURSE_TIMELINE_ALLINCLUDINGHIDDEN: