Merge branch 'MDL-34311-master' of git://github.com/danpoltawski/moodle

Conflicts:
	course/moodleform_mod.php
	lib/upgrade.txt

course/edit_form.php

@@ -190,7 +190,9 @@ class course_edit_form extends moodleform {
         }
 
 //--------------------------------------------------------------------------------
+        // Just a placeholder..
         $mform->addElement('hidden', 'addcourseformatoptionshere');
+        $mform->setType('addcourseformatoptionshere', PARAM_BOOL);
 
 //--------------------------------------------------------------------------------
         enrol_course_edit_form($mform, $course, $context);

course/moodleform_mod.php

@@ -468,6 +468,7 @@ abstract class moodleform_mod extends moodleform {
 
         if ($this->_features->idnumber) {
             $mform->addElement('text', 'cmidnumber', get_string('idnumbermod'));
+            $mform->setType('cmidnumber', PARAM_RAW);
             $mform->addHelpButton('cmidnumber', 'idnumbermod');
         }
 

lib/formslib.php

@@ -278,6 +278,7 @@ abstract class moodleform {
             $submission = array();
             $files = array();
         }
+        $this->detectMissingSetType();
 
         $this->_form->updateSubmission($submission, $files);
     }
@@ -914,6 +915,9 @@ abstract class moodleform {
             $this->_definition_finalized = true;
             $this->definition_after_data();
         }
+
+        $this->detectMissingSetType();
+
         $this->_form->display();
     }
 
@@ -1233,6 +1237,38 @@ abstract class moodleform {
             'requires' => array('base', 'node')
         );
     }
+
+    /**
+     * Detects elements with missing setType() declerations.
+     *
+     * Finds elements in the form which should a PARAM_ type set and throws a
+     * developer debug warning for any elements without it. This is to reduce the
+     * risk of potential security issues by developers mistakenly forgetting to set
+     * the type.
+     *
+     * @return void
+     */
+    private function detectMissingSetType() {
+        if (!debugging('', DEBUG_DEVELOPER)) {
+            // Only for devs.
+            return;
+        }
+
+        $mform = $this->_form;
+        foreach ($mform->_elements as $element) {
+            switch ($element->getType()) {
+                case 'hidden':
+                case 'text':
+                case 'url':
+                    $key = $element->getName();
+                    if (!array_key_exists($key, $mform->_types)) {
+                        debugging("Did you remember to call setType() for '$key'? ".
+                            'Defaulting to PARAM_RAW cleaning.', DEBUG_DEVELOPER);
+                    }
+                    break;
+            }
+        }
+    }
 }
 
 /**

lib/upgrade.txt

@@ -35,6 +35,8 @@ information provided here is intended especially for developers.
   param $formatoptions, that will determine if the field names are processed by
   format_string() with the passed options.
 * remove all references to $CFG->gdversion, GD PHP extension is now required
+* Formslib will now throw a developer warning if a PARAM_ type hasn't been set for elements which
+  need it. Please set PARAM_RAW explicitly if you do not want any cleaning.
 
 YUI changes:
 * M.util.help_icon has been deprecated. Code should be updated to use moodle-core-popuphelp

mod/url/mod_form.php

@@ -50,6 +50,7 @@ class mod_url_mod_form extends moodleform_mod {
         //-------------------------------------------------------
         $mform->addElement('header', 'content', get_string('contentheader', 'url'));
         $mform->addElement('url', 'externalurl', get_string('externalurl', 'url'), array('size'=>'60'), array('usefilepicker'=>true));
+        $mform->setType('externalurl', PARAM_URL);
         $mform->addRule('externalurl', null, 'required', null, 'client');
         //-------------------------------------------------------
         $mform->addElement('header', 'optionssection', get_string('optionsheader', 'url'));