- rename the main_frame variable to framename, because it might have caused some confusion
- none of the global variables have underscores
- put the config in the config table, with a default of _top
This change removes the smilie variable assignment from the global namespace.
This change retains the original user input as the alt text.
The main reason for this change is to make it possible for me to use my
make_class function on weblib.php (still need to do something about the defines
though).
I've added the variable CFG->main_frame to config-dist.php, and replaced _top
targets with the variable in all the php files. HTML files, like those in the
documentation, have not been modified, as they are not (yet) parsed.
The variable should probably get moved into the config table, and get some
documentation.
I've also included, but commented out, a slight change in weblib.php, which
would guarantee that messages would be seen before redirecting the user (unless
delay intentionally set to 0 when redirect is used).
This will only fix these three cases:
\'
\"
\\
and leaves all other backslashes alone. Should fix problems in forums
and forms where backslashes were sometimes disappearing from windows
paths like C:\temp - usually only in the richtext editor, but still.
Firstly, I'm replacing all use of old-style global variables like
$HTTP_REFERER with their new-style equivalent $_SERVER["HTTP_REFERER"].
Also using $_POST instead of $HTTP_POST_VARS etc.
Secondly, if gdversion == 0 (ie GD is not installed) then:
- users are not even allowed to upload new images
- graphs now just print a message instead of failing.
This allows Moodle to still be used even if GD is not present.
Should be fixed now. As a bonus, I've removed all the uses of
HTTP_POST_VARS from all scripts.
All forms should use the new data_submitted() function to collect
form data (it does the match_referer thing internally now).
Much nicer.
Basically all the Database functions are in lib/datalib.php
and the web functions are all in lib/weblib.php, so
moodlelib.php is much thinner than it was.
Data functions have been extended ... most old calls will
still work, but now many more SQL commands can be performed
using the datalib functions rather than using SQL. I'm
currently moving through the whole tree replacing SQL
calls or at least concentrating them in one section of
mod/xxx/lib.php
Still working on forums, quizzes, surveys, resources.
The tree is currently not fully working ... some things are
half-completed ... will resume tomorrow.
HTML text allow the same range of HTML tags (so it doesn't matter if you
switch from one to the other).
<IMG> and <A> are now ALLOWED in Moodle text. However, the clean_text
function now checks for and removes any embedded javascript triggers
to avoid cross-site scripting attacks that way.
clean_text() should be called on ANY text that comes in from students.
up smileys etc if the text has been edited at any stage using the
richtext editor.
I realise it's possible for students to really mess up forums display
etc if they wanted to include a huge picture ... I'm not sure if there
are any cross-site scripting attacks possible with images in there.
But there is also now the HTML format for most things, which is editable
using an ordinary form, so this problem is currently already exposed.
I think it's OK as long as I can find a filter to strip all javascript
out of ANY format text in Moodle.
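
An added example, not code from Moodle or from the commit messages above: one way to build the kind of filter the last message asks for, as an allowlist applied to a parsed DOM instead of a search for javascript triggers in the raw text. The function names, the tag and attribute lists, and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not Moodle's clean_text()); all names and lists here are illustrative.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height']];

function is_safe_url(string $url): bool {
    // Browsers skip whitespace/control characters inside a scheme, so drop them before checking.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // no scheme: relative URL
}

function sanitize_node(DOMNode $node): void {
    // Snapshot the live child list because nodes are removed during the walk.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // text is re-escaped on output
        }
        $tag = strtolower($child->nodeName);
        if (!($child instanceof DOMElement) || !in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child); // script, iframe, style, comments: dropped with contents
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && (!in_array($name, ['href', 'src'], true) || is_safe_url($attr->nodeValue));
            if (!$ok) {
                $child->removeAttributeNode($attr); // on* handlers, style, javascript: URLs
            }
        }
        sanitize_node($child);
    }
}

function sanitize_fragment(string $html): string {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // user HTML is rarely well-formed
    // The XML prolog makes libxml treat the input as UTF-8; the div is a known root.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);
    sanitize_node($root);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes, false)));
}

// Constructed sample input: event handlers, an entity-obfuscated javascript: URL, a script tag.
echo sanitize_fragment('<p onclick="x()">Hi <a href="java&#9;script:x()">link</a><img src="s.gif" alt=":-)" onerror="x()"><script>x()</script></p>'), "\n";
```

Because only allowlisted tags and attributes survive, IMG and A stay usable while handlers and script URLs are removed without having to enumerate them. Input that closes the wrapper div early loses its trailing content instead of bypassing the filter.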