MDL-77015 mod_data: consistent escaping of template field names.

* When creating default templates, avoid escaping the field names contained within [[ ]] brackets; * When managing field, ensure the field names are escaped.
2025-01-18 05:58:34 +01:00 · 2024-02-20 12:24:48 +00:00 · 2024-02-20 12:24:48 +00:00 · 91297498a2
commit 91297498a2
parent 4da813d35e
16 changed files with 23 additions and 23 deletions
--- a/mod/data/classes/template.php
+++ b/mod/data/classes/template.php
@ -993,7 +993,7 @@ class template {
                $errors .= $renderer->notification(get_string(
                    'missingfieldtype',
                    'data',
-                    (object)['name' => $field->field->name]
+                    (object)['name' => s($field->field->name)]
                ));
            }
        } else {
--- a/mod/data/export_form.php
+++ b/mod/data/export_form.php
@ -71,7 +71,7 @@ class mod_data_export_form extends moodleform {
        $exportfields = [];
        $unsupportedfields = [];
        foreach ($this->_datafields as $field) {
-            $label = get_string('fieldnametype', 'data', (object)['name' => $field->field->name, 'type' => $field->name()]);
+            $label = get_string('fieldnametype', 'data', (object)['name' => s($field->field->name), 'type' => $field->name()]);
            if ($field->text_export_supported()) {
                $numfieldsthatcanbeselected++;
                $exportfields[] = $mform->createElement('advcheckbox', 'field_' . $field->field->id, '', $label,
--- a/mod/data/field.php
+++ b/mod/data/field.php
@ -240,7 +240,7 @@ switch ($mode) {
                } else {
                    $fieldtypename = $field->name();
                }
-                echo $OUTPUT->confirm('<strong>' . $fieldtypename . ': ' . $field->field->name . '</strong><br /><br />' .
+                echo $OUTPUT->confirm('<strong>' . $fieldtypename . ': ' . s($field->field->name) . '</strong><br /><br />' .
                        get_string('confirmdeletefield', 'data'),
                        'field.php?d=' . $data->id . '&mode=delete&fid=' . $fid . '&confirm=1',
                        'field.php?d=' . $data->id,
@ -410,7 +410,7 @@ if (($mode == 'new') && (!empty($newtype))) { // Adding a new field.
        $actionmenutemplate = $actionmenu->export_for_template($OUTPUT);

        $table->data[] = [
-            $field->field->name,
+            s($field->field->name),
            $fieltypedata,
            $field->field->required ? get_string('yes') : get_string('no'),
            shorten_text($field->field->description, 30),
@ -435,9 +435,9 @@ if (($mode == 'new') && (!empty($newtype))) { // Adding a new field.
        echo '<optgroup label="'.get_string('fields', 'data').'">';
        foreach ($fields as $field) {
            if ($data->defaultsort == $field->id) {
-                echo '<option value="'.$field->id.'" selected="selected">'.$field->name.'</option>';
+                echo '<option value="'.$field->id.'" selected="selected">'.s($field->name).'</option>';
            } else {
-                echo '<option value="'.$field->id.'">'.$field->name.'</option>';
+                echo '<option value="'.$field->id.'">'.s($field->name).'</option>';
            }
        }
        echo '</optgroup>';
--- a/mod/data/field/checkbox/field.class.php
+++ b/mod/data/field/checkbox/field.class.php
@ -66,7 +66,7 @@ class data_field_checkbox extends data_field_base {
        }

        $str = '<div title="' . s($this->field->description) . '">';
-        $str .= '<fieldset><legend><span class="accesshide">'.$this->field->name;
+        $str .= '<fieldset><legend><span class="accesshide">'.s($this->field->name);
        if ($this->field->required) {
            $str .= '$nbsp;' . get_string('requiredelement', 'form');
            $str .= '</span></legend>';
--- a/mod/data/field/file/field.class.php
+++ b/mod/data/field/file/field.class.php
@ -70,7 +70,7 @@ class data_field_file extends data_field_base {

        // database entry label
        $html = '<div title="' . s($this->field->description) . '">';
-        $html .= '<fieldset><legend><span class="accesshide">'.$this->field->name;
+        $html .= '<fieldset><legend><span class="accesshide">'.s($this->field->name);

        if ($this->field->required) {
            $html .= '&nbsp;' . get_string('requiredelement', 'form') . '</span></legend>';
@ -105,7 +105,7 @@ class data_field_file extends data_field_base {
    }

    function display_search_field($value = '') {
-        return '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name . '</label>' .
+        return '<label class="accesshide" for="f_' . $this->field->id . '">' . s($this->field->name) . '</label>' .
               '<input type="text" size="16" id="f_'.$this->field->id.'" name="f_'.$this->field->id.'" ' .
                    'value="'.s($value).'" class="form-control"/>';
    }
--- a/mod/data/field/latlong/field.class.php
+++ b/mod/data/field/latlong/field.class.php
@ -77,7 +77,7 @@ class data_field_latlong extends data_field_base {
            }
        }
        $str = '<div title="'.s($this->field->description).'">';
-        $str .= '<fieldset><legend><span class="accesshide">'.$this->field->name.'</span></legend>';
+        $str .= '<fieldset><legend><span class="accesshide">'.s($this->field->name).'</span></legend>';
        $str .= '<table class="d-flex flex-wrap align-items-center"><tr><td align="right">';
        $classes = 'mod-data-input form-control-static';
        $str .= '<label for="field_'.$this->field->id.'_0" class="' . $classes . '">' . get_string('latitude', 'data');
--- a/mod/data/field/multimenu/field.class.php
+++ b/mod/data/field/multimenu/field.class.php
@ -74,7 +74,7 @@ class data_field_multimenu extends data_field_base {
        $str .= '<input name="field_' . $this->field->id . '[xxx]" type="hidden" value="xxx"/>'; // hidden field - needed for empty selection

        $str .= '<label for="field_' . $this->field->id . '">';
-        $str .= '<legend><span class="accesshide">' . $this->field->name;
+        $str .= '<legend><span class="accesshide">' . s($this->field->name);

        if ($this->field->required) {
            $str .= '&nbsp;' . get_string('requiredelement', 'form') . '</span></legend>';
@ -119,7 +119,7 @@ class data_field_multimenu extends data_field_base {

        static $c = 0;

-        $str = '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name . '</label>';
+        $str = '<label class="accesshide" for="f_' . $this->field->id . '">' . s($this->field->name) . '</label>';
        $str .= '<select id="f_'.$this->field->id.'" name="f_'.$this->field->id.'[]" multiple="multiple" class="form-control">';

        // display only used options
--- a/mod/data/field/picture/field.class.php
+++ b/mod/data/field/picture/field.class.php
@ -87,7 +87,7 @@ class data_field_picture extends data_field_base {
            $itemid = file_get_unused_draft_itemid();
        }
        $str = '<div title="' . s($this->field->description) . '">';
-        $str .= '<fieldset><legend><span class="accesshide">'.$this->field->name;
+        $str .= '<fieldset><legend><span class="accesshide">'.s($this->field->name);

        if ($this->field->required) {
            $str .= '&nbsp;' . get_string('requiredelement', 'form') . '</span></legend>';
--- a/mod/data/field/radiobutton/field.class.php
+++ b/mod/data/field/radiobutton/field.class.php
@ -69,7 +69,7 @@ class data_field_radiobutton extends data_field_base {
        }

        $str = '<div title="' . s($this->field->description) . '">';
-        $str .= '<fieldset><legend><span class="accesshide">' . $this->field->name;
+        $str .= '<fieldset><legend><span class="accesshide">' . s($this->field->name);

        if ($this->field->required) {
            $str .= '&nbsp;' . get_string('requiredelement', 'form') . '</span></legend>';
--- a/mod/data/field/text/field.class.php
+++ b/mod/data/field/text/field.class.php
@ -50,7 +50,7 @@ class data_field_text extends data_field_base {
    }

    function display_search_field($value = '') {
-        return '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name.'</label>' .
+        return '<label class="accesshide" for="f_' . $this->field->id . '">' . s($this->field->name) . '</label>' .
               '<input type="text" class="form-control" size="16" id="f_' . $this->field->id . '" ' .
               'name="f_' . $this->field->id . '" value="' . s($value) . '" />';
    }
--- a/mod/data/field/textarea/field.class.php
+++ b/mod/data/field/textarea/field.class.php
@ -203,7 +203,7 @@ class data_field_textarea extends data_field_base {


    function display_search_field($value = '') {
-        return '<label class="accesshide" for="f_' . $this->field->id . '">' . $this->field->name . '</label>' .
+        return '<label class="accesshide" for="f_' . $this->field->id . '">' . s($this->field->name) . '</label>' .
               '<input type="text" size="16" id="f_' . $this->field->id . '" name="f_' . $this->field->id . '" ' .
               'value="' . s($value) . '" class="form-control"/>';
    }
--- a/mod/data/lib.php
+++ b/mod/data/lib.php
@ -380,7 +380,7 @@ class data_field_base {     // Base class for Database Field Types (see field/*/
        }

        $str = '<div title="' . s($this->field->description) . '">';
-        $str .= '<label for="field_'.$this->field->id.'"><span class="accesshide">'.$this->field->name.'</span>';
+        $str .= '<label for="field_'.$this->field->id.'"><span class="accesshide">'.s($this->field->name).'</span>';
        if ($this->field->required) {
            $image = $OUTPUT->pix_icon('req', get_string('requiredelement', 'form'));
            $str .= html_writer::div($image, 'inline-req');
@ -1805,9 +1805,9 @@ function data_print_preference_form($data, $perpage, $search, $sort='', $order='
        echo '<optgroup label="'.get_string('fields', 'data').'">';
        foreach ($fields as $field) {
            if ($field->id == $sort) {
-                echo '<option value="'.$field->id.'" selected="selected">'.$field->name.'</option>';
+                echo '<option value="'.$field->id.'" selected="selected">'.s($field->name).'</option>';
            } else {
-                echo '<option value="'.$field->id.'">'.$field->name.'</option>';
+                echo '<option value="'.$field->id.'">'.s($field->name).'</option>';
            }
        }
        echo '</optgroup>';
--- a/mod/data/templates/defaulttemplate_asearchtemplate.mustache
+++ b/mod/data/templates/defaulttemplate_asearchtemplate.mustache
@ -47,7 +47,7 @@
        {{#fields}}
            <div class="mb-3 col">
                <div class="font-weight-bold mb-2">{{fieldname}}</div>
-                {{fieldcontent}}
+                {{{fieldcontent}}}
            </div>
        {{/fields}}

--- a/mod/data/templates/defaulttemplate_listtemplate.mustache
+++ b/mod/data/templates/defaulttemplate_listtemplate.mustache
@ -57,7 +57,7 @@
        {{#fields}}
            <div class="row my-3 align-items-start justify-content-start">
                <div class="col-4 col-lg-3 font-weight-bold">{{fieldname}}</div>
-                <div class="col-8 col-lg-9 ml-n3">{{fieldcontent}}</div>
+                <div class="col-8 col-lg-9 ml-n3">{{{fieldcontent}}}</div>
            </div>
        {{/fields}}
        {{#tags}}
--- a/mod/data/templates/defaulttemplate_rsstemplate.mustache
+++ b/mod/data/templates/defaulttemplate_rsstemplate.mustache
@ -38,7 +38,7 @@
        {{#fields}}
            <div class="mt-4">
                <span class="font-weight-bold">{{fieldname}}</span>
-                <p class="mt-2">{{fieldcontent}}</p>
+                <p class="mt-2">{{{fieldcontent}}}</p>
            </div>
        {{/fields}}
    </div>
--- a/mod/data/templates/defaulttemplate_singletemplate.mustache
+++ b/mod/data/templates/defaulttemplate_singletemplate.mustache
@ -58,7 +58,7 @@
        {{#fields}}
            <div class="mt-4">
                <span class="font-weight-bold">{{fieldname}}</span>
-                <p class="mt-2">{{fieldcontent}}</p>
+                <p class="mt-2">{{{fieldcontent}}}</p>
            </div>
        {{/fields}}
        ##otherfields##