MDL-59273 core: Remove mailto links support in clean_param.

2025-04-22 00:42:54 +02:00 · 2017-06-16 16:12:09 +01:00 · 2017-06-16 16:12:09 +01:00 · e5ece45e84
commit e5ece45e84
parent 229ae617c5
2 changed files with 6 additions and 2 deletions
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@ -1033,10 +1033,11 @@ function clean_param($param, $type) {
            }
            return $param;

-        case PARAM_URL:          // Allow safe ftp, http, mailto urls.
+        case PARAM_URL:
+            // Allow safe urls.
            $param = fix_utf8($param);
            include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
-            if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E?u-P-a?I?p?f?q?r?')) {
+            if (!empty($param) && validateUrlSyntax($param, 's?H?S?F?E-u-P-a?I?p?f?q?r?')) {
                // All is ok, param is respected.
            } else {
                // Not really ok.
--- a/lib/tests/moodlelib_test.php
+++ b/lib/tests/moodlelib_test.php
@ -615,6 +615,9 @@ class core_moodlelib_testcase extends advanced_testcase {
        $this->assertSame('', clean_param('rtmp://example.com/livestream', PARAM_URL));
        $this->assertSame('', clean_param('rtmp://example.com/live&foo', PARAM_URL));
        $this->assertSame('', clean_param('rtmp://example.com/fms&mp4:path/to/file.mp4', PARAM_URL));
+        $this->assertSame('', clean_param('mailto:support@moodle.org', PARAM_URL));
+        $this->assertSame('', clean_param('mailto:support@moodle.org?subject=Hello%20Moodle', PARAM_URL));
+        $this->assertSame('', clean_param('mailto:support@moodle.org?subject=Hello%20Moodle&cc=feedback@moodle.org', PARAM_URL));
    }

    public function test_clean_param_localurl() {