MDL-44605 calendar: improved returnurl validation

Now we will only redirect to a local url (though sesskey was already preventing this redirect from being open)
2025-06-02 22:25:04 +02:00 · 2014-07-03 14:30:36 +01:00 · 2014-07-03 14:30:36 +01:00 · abc5f84539
commit abc5f84539
parent b77130af5e
2 changed files with 3 additions and 3 deletions
--- a/calendar/lib.php
+++ b/calendar/lib.php
@ -1018,7 +1018,7 @@ function calendar_filter_controls(moodle_url $returnurl) {

    $groupevents = true;
    $id = optional_param( 'id',0,PARAM_INT );
-    $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out(false)), 'sesskey'=>sesskey()));
+    $seturl = new moodle_url('/calendar/set.php', array('return' => base64_encode($returnurl->out_as_local_url(false)), 'sesskey'=>sesskey()));
    $content = html_writer::start_tag('ul');

    $seturl->param('var', 'showglobal');
--- a/calendar/set.php
+++ b/calendar/set.php
@ -44,14 +44,14 @@ require_once($CFG->dirroot.'/calendar/lib.php');
 require_sesskey();

 $var = required_param('var', PARAM_ALPHA);
-$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_URL);
+$return = clean_param(base64_decode(required_param('return', PARAM_RAW)), PARAM_LOCALURL);
 $courseid = optional_param('id', -1, PARAM_INT);
 if ($courseid != -1) {
    $return = new moodle_url($return, array('course' => $courseid));
 } else {
    $return = new moodle_url($return);
 }
-$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
+$url = new moodle_url('/calendar/set.php', array('return'=>base64_encode($return->out_as_local_url(false)), 'course' => $courseid, 'var'=>$var, 'sesskey'=>sesskey()));
 $PAGE->set_url($url);
 $PAGE->set_context(context_system::instance());