MDL-45596 roles: Escape filter value before using it in form field

Frederic Massart 2014-07-04 11:48:39 +08:00
parent 7a4832ecb9
commit af2a1e4e33
2 changed files with 11 additions and 3 deletions


@ -74,8 +74,16 @@ abstract class core_role_capability_table_base {
public function display() {
if (count($this->capabilities) > self::NUM_CAPS_FOR_SEARCH) {
global $PAGE;
$PAGE->requires->strings_for_js(array('filter', 'clear'), 'moodle');
$PAGE->requires->js_init_call('M.core_role.init_cap_table_filter', array($this->id, $this->context->id));
$jsmodule = array(
'name' => 'rolescapfilter',
'fullpath' => '/admin/roles/module.js',
'strings' => array(
array('filter', 'moodle'),
array('clear', 'moodle'), ),
'requires' => array('node', 'cookie', 'escape')
);
$PAGE->requires->js_init_call('M.core_role.init_cap_table_filter', array($this->id, $this->context->id), false,
$jsmodule);
}
echo '<table class="' . implode(' ', $this->classes) . '" id="' . $this->id . '">' . "\n<thead>\n";
echo '<tr><th class="name" align="left" scope="col">' . get_string('capability', 'core_role') . '</th>';
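Review bot: The new `$jsmodule` array lists `'escape'` in `'requires'` without saying why, and the reason only becomes visible in the other file of this commit; a reader of this PHP alone cannot tell which YUI module the filter code depends on for what. I would add a one-line comment above the array, e.g. `// 'escape' is needed so the filter JS can HTML-escape the stored filter value before inserting it into markup.`, and note in it that `'strings'` replaces the earlier `strings_for_js()` call so the two are not both expected. The `$this->id` and `$this->context->id` arguments passed to the module are unchanged from the removed call, so nothing there needs attention in this hunk. `display()` continues past the end of the hunk.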


@ -51,7 +51,7 @@ M.core_role.init_cap_table_filter = function(Y, tableid, contextid) {
marginRight : 'auto'
});
// Create the capability search input.
this.input = Y.Node.create('<input type="text" id="'+this.table.get('id')+'capabilitysearch" value="'+filtervalue+'" />');
this.input = Y.Node.create('<input type="text" id="'+this.table.get('id')+'capabilitysearch" value="'+Y.Escape.html(filtervalue)+'" />');
// Create a label for the search input.
this.label = Y.Node.create('<label for="'+this.input.get('id')+'">'+M.str.moodle.filter+' </label>');
// Create a clear button to clear the input.
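Review bot: The replacement line still builds the input's `value` attribute by string concatenation and relies on `Y.Escape.html` covering the attribute context; that works because YUI's `Escape.html` also encodes quotes, but the dependency on that detail is easy to lose in a later edit. A version that never places `filtervalue` inside markup removes the need to reason about it: `this.input = Y.Node.create('<input type="text" id="'+this.table.get('id')+'capabilitysearch" />');` followed by `this.input.set('value', filtervalue);`. If the string form is kept, a short comment such as `// filtervalue is persisted state, not trusted markup; escape it for the attribute context.` would record why the call is there. The origin of `filtervalue` is outside the hunk, so I am assuming it is read back from stored state rather than a literal; `init_cap_table_filter` also continues beyond the hunk.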