mirror of
https://github.com/moodle/moodle.git
synced 2025-01-18 22:08:20 +01:00
82a8d0d21d
The PARAM_TEXT has been misused in certain cases here. The 'action' parameter seems to always be alphabetic, with values like savesubmission, editsubmission and others as handled in assign::view(). Fixing the action handling fixes the reported XSS issue.

While working on it, I spotted two more places where PARAM_TEXT does not seem appropriate. I include changes for them too, even if they are not strictly related to the reported bug and there are no known ways to abuse it.

* The 'plugin' looks like PARAM_PLUGIN and is even declared as such in some other parts of the assignment code (such as feedback forms).
* The 'workflowstate' is one of the ASSIGN_MARKING_WORKFLOW_STATE constants and is supposed to be alpha in external function input parameters handling, too.
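An added illustration of the parameter-type difference the commit message describes; it is not code from the commit or from Moodle. The three `model_clean_*` functions and `model_is_known_action` are hypothetical, simplified stand-ins (assumptions) for how PARAM_TEXT, PARAM_ALPHA and PARAM_PLUGIN treat input, and the sample values are constructed.

```php
<?php
// Simplified stand-ins (assumptions), NOT Moodle's clean_param().

// Modelled on PARAM_TEXT: HTML tags are removed, every other character stays.
function model_clean_text(string $v): string {
    return strip_tags($v);
}

// Modelled on PARAM_ALPHA: only ASCII letters survive.
function model_clean_alpha(string $v): string {
    return preg_replace('/[^a-zA-Z]/', '', $v);
}

// Modelled on PARAM_PLUGIN: a lowercase plugin-style name, or '' if invalid.
function model_clean_plugin(string $v): string {
    return preg_match('/^[a-z][a-z0-9_]*[a-z0-9]$/', $v) ? $v : '';
}

// Stricter still for a closed set: reject anything not on the list.
// The list holds the two action names the commit message mentions.
function model_is_known_action(string $raw): bool {
    return in_array($raw, ['savesubmission', 'editsubmission'], true);
}

// Constructed sample inputs, not taken from the bug report.
$samples = [
    'editsubmission',
    'edit"submission',
    "edit' submission=1",
    '<b>edit</b>submission',
];

foreach ($samples as $raw) {
    printf(
        "raw=%s\n  text=%s\n  alpha=%s\n  plugin=%s\n  known_action=%s\n",
        var_export($raw, true),
        var_export(model_clean_text($raw), true),   // quotes, spaces, '=' pass
        var_export(model_clean_alpha($raw), true),  // letters only
        var_export(model_clean_plugin($raw), true), // '' unless name-shaped
        var_export(model_is_known_action($raw), true)
    );
}
```

The text-style cleaner leaves quotes, spaces and punctuation in place, so its output still needs context-aware escaping wherever it is printed; the alphabetic cleaner leaves nothing that could carry markup.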
ACTIVITY MODULES
----------------

These are main modules in Moodle, allowing various activities.

Each of these modules contains a number of expected components:

  mod_form.php: a form to setup/update a module instance

  version.php: defines some meta-info and provides upgrading code

  pix/icon.gif: a 16x16 icon for the module

  db/install.xml: an SQL dump of all the required db tables and data

  index.php: a page to list all instances in a course

  view.php: a page to view a particular instance

  lib.php: any/all functions defined by the module should be in here.
         constants should be defined using MODULENAME_xxxxxx
         functions should be defined using modulename_xxxxxx

         There are a number of standard functions:

         modulename_add_instance()
         modulename_update_instance()
         modulename_delete_instance()

         modulename_user_complete()
         modulename_user_outline()

         modulename_cron()

         modulename_print_recent_activity()

If you are a developer and interested in developing new Modules see:

   Moodle Documentation:  http://moodle.org/doc
   Moodle Community:      http://moodle.org/community