mirror of
https://github.com/moodle/moodle.git
synced 2025-01-19 06:18:28 +01:00
David Mudrák
82a8d0d21d
MDL-57580 mod_assign: Fix the incorrect type of some input parameters
The PARAM_TEXT has been misused in certain cases here. The 'action' parameter seems to always be alphabetic, with values like savesubmission, editsubmission and others as handled in assign::view(). Fixing the action handling fixes the reported XSS issue.

While working on it, I spotted two more places where PARAM_TEXT does not seem appropriate. I include changes for them too, even if they are not strictly related to the reported bug and there are no known ways to abuse it.

* The 'plugin' looks like PARAM_PLUGIN and is even declared as such in some other parts of the assignment code (such as feedback forms).
* The 'workflowstate' is one of the ASSIGN_MARKING_WORKFLOW_STATE constants and is supposed to be alpha in external function input parameters handling, too.
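As an added illustration of the commit's point (not Moodle's own code and not this commit's diff): a stand-alone PHP script that models Moodle's PARAM_TEXT and PARAM_ALPHA cleaning rules in simplified form (an assumption: PARAM_TEXT is modelled as strip_tags() and PARAM_ALPHA as a letters-only filter; the real clean_param() has more cases) and dispatches the 'action' parameter only against a known list of action names.

```php
<?php
// Added example (not Moodle code): simplified model of the two clean_param()
// rules the commit contrasts, applied to the 'action' parameter of mod_assign.

function clean_as_text(string $value): string {
    // PARAM_TEXT-style cleaning: tags are removed, but quotes, '>' and other
    // non-alphabetic characters survive and may later be reflected into markup.
    return strip_tags($value);
}

function clean_as_alpha(string $value): string {
    // PARAM_ALPHA-style cleaning: only ASCII letters remain, so nothing
    // markup-relevant can survive, whatever the request contained.
    return preg_replace('/[^a-zA-Z]/', '', $value);
}

// The dispatcher should additionally accept only the actions it implements.
// Names taken from the commit message; the list is illustrative, not complete.
const KNOWN_ACTIONS = ['savesubmission', 'editsubmission'];

function dispatch_action(string $raw): string {
    $action = clean_as_alpha($raw);
    if (!in_array($action, KNOWN_ACTIONS, true)) {
        return 'view'; // safe default for anything unrecognised
    }
    return $action;
}

// Constructed input: an action name with stray quote and tag characters.
$raw = 'editsubmission"<b>';
printf("PARAM_TEXT-style : %s\n", clean_as_text($raw));
printf("PARAM_ALPHA-style: %s\n", clean_as_alpha($raw));
printf("dispatched       : %s\n", dispatch_action($raw));
printf("dispatched       : %s\n", dispatch_action('not-an-action'));
```

Run with the php CLI; the PARAM_TEXT-style line keeps the trailing quote, the PARAM_ALPHA-style line reduces the value to the bare action name, and the unknown value falls back to the default action.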
Moodle - the world's open source learning platform

Moodle <https://moodle.org> is a learning platform designed to provide educators, administrators and learners with a single robust, secure and integrated system to create personalised learning environments.

You can download Moodle <https://download.moodle.org> and run it on your own web server, ask one of our Moodle Partners <https://moodle.com/partners/> to assist you, or have a MoodleCloud site <https://moodle.com/cloud/> set up for you.

Moodle is widely used around the world by universities, schools, companies and all manner of organisations and individuals.

Moodle is provided freely as open source software, under the GNU General Public License <https://docs.moodle.org/dev/License>.

Moodle is written in PHP and JavaScript and uses an SQL database for storing the data.

See <https://docs.moodle.org> for details of Moodle's many features.