MDL-69240 tool_moodlenet: Clean MoodleNet profile field

Amended by: Eloy Lafuente (stronk7) <stronk7@moodle.org>
- adjust versions for every branch.
- modify verify_webfinger->profileurl external to PARAM_NOTAGS.

admin/tool/moodlenet/classes/external.php

@@ -52,7 +52,7 @@ class external extends external_api {
     public static function verify_webfinger_parameters() {
         return new external_function_parameters(
             array(
-                'profileurl' => new external_value(PARAM_RAW, 'The profile url that the user has given us', VALUE_REQUIRED),
+                'profileurl' => new external_value(PARAM_NOTAGS, 'The profile url that the user has given us', VALUE_REQUIRED),
                 'course' => new external_value(PARAM_INT, 'The course we are adding to', VALUE_REQUIRED),
                 'section' => new external_value(PARAM_INT, 'The section within the course we are adding to', VALUE_REQUIRED),
             )

admin/tool/moodlenet/classes/profile_manager.php

@@ -46,7 +46,7 @@ class profile_manager {
             $user = \core_user::get_user($userid, 'moodlenetprofile');
             try {
                 $userprofile = $user->moodlenetprofile ? $user->moodlenetprofile : '';
-                return (isset($user)) ? new moodlenet_user_profile($userprofile, $userid) : null;
+                return (isset($user)) ? new moodlenet_user_profile(s($userprofile), $userid) : null;
             } catch (\moodle_exception $e) {
                 // If an exception is thrown, means there isn't a valid profile set. No need to log exception.
                 return null;
@@ -59,7 +59,7 @@ class profile_manager {
             if ($field->get_category_name() == self::get_category_name()
                     && $field->inputname == 'profile_field_mnetprofile') {
                 try {
-                    return new moodlenet_user_profile($field->display_data(), $userid);
+                    return new moodlenet_user_profile(s($field->display_data()), $userid);
                 } catch (\moodle_exception $e) {
                     // If an exception is thrown, means there isn't a valid profile set. No need to log exception.
                     return null;

admin/tool/moodlenet/db/upgrade.php

@@ -105,5 +105,23 @@ function xmldb_tool_moodlenet_upgrade(int $oldversion) {
     // Automatically generated Moodle v3.9.0 release upgrade line.
     // Put any upgrade step following this.
 
+    if ($oldversion < 2021052501) {
+
+        // Find out if there are users with MoodleNet profiles set.
+        $sql = "SELECT u.*
+                  FROM {user} u
+                 WHERE u.moodlenetprofile IS NOT NULL";
+
+        $records = $DB->get_records_sql($sql);
+
+        foreach ($records as $record) {
+            // Force clean user value just incase there is something malicious.
+            $record->moodlenetprofile = clean_text($record->moodlenetprofile, PARAM_NOTAGS);
+            $DB->update_record('user', $record);
+        }
+
+        upgrade_plugin_savepoint(true, 2021052501, 'tool', 'moodlenet');
+    }
+
     return true;
 }

admin/tool/moodlenet/version.php

@@ -25,6 +25,6 @@
 defined('MOODLE_INTERNAL') || die();
 
 $plugin->component  = 'tool_moodlenet';
-$plugin->version    = 2021052500;
+$plugin->version    = 2021052501;
 $plugin->requires   = 2021052500;
 $plugin->maturity   = MATURITY_ALPHA;

lang/en/user.php

@@ -36,6 +36,7 @@ $string['filtersetmatchdescription'] = 'How multiple filters should be combined'
 $string['match'] = 'Match';
 $string['matchofthefollowing'] = 'of the following:';
 $string['moodlenetprofile'] = 'MoodleNet profile';
+$string['moodlenetprofile_help'] = 'This field is to link your MoodleNet profile to Moodle. It expects a WebFinger compliant URI';
 $string['placeholdertypeorselect'] = 'Type or select...';
 $string['placeholdertype'] = 'Type...';
 $string['privacy:courserequestpath'] = 'Requested courses';

user/editlib.php

@@ -301,7 +301,8 @@ function useredit_shared_definition(&$mform, $editoroptions, $filemanageroptions
     $mform->addHelpButton('maildisplay', 'emaildisplay');
 
     $mform->addElement('text', 'moodlenetprofile', get_string('moodlenetprofile', 'user'));
-    $mform->setType('moodlenetprofile', PARAM_RAW_TRIMMED);
+    $mform->setType('moodlenetprofile', PARAM_NOTAGS);
+    $mform->addHelpButton('moodlenetprofile', 'moodlenetprofile', 'user');
 
     $mform->addElement('text', 'city', get_string('city'), 'maxlength="120" size="21"');
     $mform->setType('city', PARAM_TEXT);