From c5f78e9bd35688ab3ce99f85d1fce3c7f9a1a228 Mon Sep 17 00:00:00 2001
From: Mark Johnson <mark.johnson@catalyst-eu.net>
Date: Fri, 4 Oct 2024 14:55:36 +0100
Subject: [PATCH] MDL-83357 question: Additional cleaning of filter params

---
 question/editlib.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/question/editlib.php b/question/editlib.php
index a50f83ab048..d6eb449b71c 100644
--- a/question/editlib.php
+++ b/question/editlib.php
@@ -217,7 +217,20 @@ function question_build_edit_resources($edittab, $baseurl, $params,
         if (!is_array($params['filter'])) {
             $params['filter'] = json_decode($params['filter'], true);
         }
-        $cleanparams['filter'] = $params['filter'];
+        $cleanparams['filter'] = [];
+        foreach ($params['filter'] as $filterkey => $filtervalue) {
+            if ($filterkey == 'jointype') {
+                $cleanparams['filter']['jointype'] = clean_param($filtervalue, PARAM_INT);
+            } else {
+                $cleanfilter = [
+                    'name' => clean_param($filtervalue['name'], PARAM_ALPHANUM),
+                    'jointype' => clean_param($filtervalue['jointype'], PARAM_INT),
+                    'values' => $filtervalue['values'],
+                    'filteroptions' => $filtervalue['filteroptions'],
+                ];
+                $cleanparams['filter'][$filterkey] = $cleanfilter;
+            }
+        }
     }
 
     if (isset($params['sortdata'])) {