- Improvement
- Resolution: Fixed
- Minor
- 2.3, 2.5
- MOODLE_23_STABLE, MOODLE_25_STABLE
- MOODLE_25_STABLE
- MDL-34311-master
This is just an idea I wanted to explore...
Right now people use mforms and it occasionally happens that devs forget to specify a PARAM type and we fall back to PARAM_RAW. This brings us relatively regular security issues. This seems preventable: if devs want PARAM_RAW then they can specify it manually, and in other cases we can throw a developer warning to catch it early.
I attach a proof of concept patch below. It has the problem that we are throwing warnings in selects etc where not necessary, so we'd need to resolve that. Is there another reason we haven't considered this before?
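The fallback described above, as an added stand-alone example that is not Moodle's code and not part of this issue: a toy form class with the same `_types` lookup that the patch touches, a deliberately simplified `demo_clean_param()` (an assumption; it is not Moodle's `clean_param()`), and a developer warning that is skipped for option-based elements such as selects, which is the noise problem the description raises. The constant names mirror Moodle's PARAM_* names only for readability.

```php
<?php
// Added example, not lib/formslib.php. Models the exportValues() cleaning
// step: declared types are applied, undeclared ones silently become PARAM_RAW.
// The cleaning rules below are a toy stand-in for Moodle's clean_param().

const PARAM_RAW      = 'raw';
const PARAM_INT      = 'int';
const PARAM_ALPHANUM = 'alphanum';
const PARAM_TEXT     = 'text';

// Simplified cleaner covering only the types this demo needs (assumption).
function demo_clean_param($value, $type) {
    switch ($type) {
        case PARAM_INT:      return (int) $value;
        case PARAM_ALPHANUM: return preg_replace('/[^A-Za-z0-9]/', '', $value);
        case PARAM_TEXT:     return strip_tags($value);
        case PARAM_RAW:      return $value;               // passes through untouched
        default: throw new InvalidArgumentException("unknown type $type");
    }
}

class DemoForm {
    // element name => element kind ('text', 'select', ...)
    private $elements = [];
    // element name => PARAM_* type declared via setType()
    private $types = [];
    // developer warnings collected here instead of calling debugging()
    public $warnings = [];

    // Element kinds whose values are chosen from server-defined options, so a
    // missing setType() is harmless and should not trigger the warning.
    private const OPTION_BASED = ['select', 'checkbox', 'radio'];

    public function addElement($kind, $name) {
        $this->elements[$name] = $kind;
    }

    public function setType($name, $type) {
        $this->types[$name] = $type;
    }

    // Clean a submission; warn when a free-text element falls back to PARAM_RAW.
    public function exportValues(array $submission) {
        $clean = [];
        foreach ($submission as $key => $value) {
            if (isset($this->types[$key])) {
                $type = $this->types[$key];
            } else {
                $type = PARAM_RAW;
                $kind = isset($this->elements[$key]) ? $this->elements[$key] : 'text';
                if (!in_array($kind, self::OPTION_BASED, true)) {
                    $this->warnings[] = "No setType() for '$key': falling back to PARAM_RAW";
                }
            }
            $clean[$key] = demo_clean_param($value, $type);
        }
        return $clean;
    }
}

// Constructed submission: markup in a free-text field, a dirty numeric id,
// and a select value. These are sample inputs, not real request data.
$submitted = [
    'fullname' => '<script>alert(1)</script>Alice',
    'courseid' => '42abc',
    'visible'  => '1',
];

$form = new DemoForm();
$form->addElement('text', 'fullname');     // setType() forgotten on purpose
$form->addElement('text', 'courseid');
$form->setType('courseid', PARAM_INT);
$form->addElement('select', 'visible');    // no setType(), options are server-defined

print_r($form->exportValues($submitted));
print_r($form->warnings);
```

Running it shows the point of the proposal: `courseid` is coerced to an integer because a type was declared, `fullname` comes back with its markup intact because the missing `setType()` silently selected PARAM_RAW, and the single warning names `fullname` only; the select produces none because its values are constrained server-side.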
diff --git a/lib/formslib.php b/lib/formslib.php
index 306c4e5..11b4292 100644
--- a/lib/formslib.php
+++ b/lib/formslib.php
@@ -1466,6 +1466,7 @@ class MoodleQuickForm extends HTML_QuickForm_DHTMLRulesTableless {
$type = $this->_types[$key];
} else {
$type = PARAM_RAW;
+ debugging("Reverting to defaulting to DEFAULT cleaning of param $key", DEBUG_DEVELOPER);
}
if (is_array($s)) {
$submission[$key] = clean_param_array($s, $type, true);
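Review bot: the message in the added debugging() call is misleading: the line directly above it assigns PARAM_RAW, yet the text says "Reverting to defaulting to DEFAULT cleaning", so a developer seeing the notice does not learn that the field is passing through uncleaned. Suggest naming the real fallback and the element, e.g. `debugging("No setType() declared for '$key', defaulting to PARAM_RAW", DEBUG_DEVELOPER);`. As the description itself notes, the warning is emitted in the else branch for every key without an entry in `$this->_types`, so it also fires for selects and other option-based elements that never need a setType(); restricting it to element kinds that accept free text (or recording the missing key and checking the element type before warning) would keep the signal useful instead of training developers to ignore it. Since the level is DEBUG_DEVELOPER the notice only appears on sites with developer debugging enabled, which is the right place to catch the omission but means production installs still fall back to PARAM_RAW silently.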
- Discovered while testing: MDL-38709 Add support for element groups in detectMissingSetType() (Closed)