MDL-74100 course: relax initial parameter types of external methods.

These methods can be called via UI, and would throw confusing exceptions if a user entered "unsafe" characters in a search input (e.g. "<"). Defer cleaning of supplied text to inside the methods.
clenisson · Mar 8, 2022 · 598698b · 598698b
1 parent 01eb6d2
commit 598698b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/calendar/externallib.php b/calendar/externallib.php
@@ -408,7 +408,7 @@ public static function get_calendar_action_events_by_timesort_parameters() {
                 'limittononsuspendedevents' => new external_value(PARAM_BOOL,
                         'Limit the events to courses the user is not suspended in', VALUE_DEFAULT, false),
                 'userid' => new external_value(PARAM_INT, 'The user id', VALUE_DEFAULT, null),
-                'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
+                'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
             )
         );
     }
@@ -467,7 +467,7 @@ public static function get_calendar_action_events_by_timesort($timesortfrom = 0,
             $params['limitnum'],
             $params['limittononsuspendedevents'],
             $user,
-            $params['searchvalue']
+            clean_param($params['searchvalue'], PARAM_TEXT)
         );
 
         $exportercache = new events_related_objects_cache($events);
@@ -499,7 +499,7 @@ public static function get_calendar_action_events_by_course_parameters() {
                 'timesortto' => new external_value(PARAM_INT, 'Time sort to', VALUE_DEFAULT, null),
                 'aftereventid' => new external_value(PARAM_INT, 'The last seen event id', VALUE_DEFAULT, 0),
                 'limitnum' => new external_value(PARAM_INT, 'Limit number', VALUE_DEFAULT, 20),
-                'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
+                'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
             )
         );
     }
@@ -555,7 +555,7 @@ public static function get_calendar_action_events_by_course(
             $params['timesortto'],
             $params['aftereventid'],
             $params['limitnum'],
-            $params['searchvalue']
+            clean_param($params['searchvalue'], PARAM_TEXT)
         );
 
         $exportercache = new events_related_objects_cache($events, $courses);
@@ -587,7 +587,7 @@ public static function get_calendar_action_events_by_courses_parameters() {
                 'timesortfrom' => new external_value(PARAM_INT, 'Time sort from', VALUE_DEFAULT, null),
                 'timesortto' => new external_value(PARAM_INT, 'Time sort to', VALUE_DEFAULT, null),
                 'limitnum' => new external_value(PARAM_INT, 'Limit number', VALUE_DEFAULT, 10),
-                'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against', VALUE_DEFAULT, null)
+                'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against', VALUE_DEFAULT, null)
             )
         );
     }
@@ -639,7 +639,7 @@ public static function get_calendar_action_events_by_courses(
             $params['timesortfrom'],
             $params['timesortto'],
             $params['limitnum'],
-            $params['searchvalue']
+            clean_param($params['searchvalue'], PARAM_TEXT)
         );
 
         if (empty($events)) {

diff --git a/...e/classes/external/get_enrolled_courses_with_action_events_by_timeline_classification.php b/...e/classes/external/get_enrolled_courses_with_action_events_by_timeline_classification.php
@@ -55,7 +55,7 @@ public static function execute_parameters(): external_function_parameters {
                     VALUE_DEFAULT, null),
                 'customfieldvalue' => new external_value(PARAM_RAW, 'Used when classification = customfield',
                     VALUE_DEFAULT, null),
-                'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against',
+                'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against',
                     VALUE_DEFAULT, null),
                 'eventsfrom' => new external_value(PARAM_INT, 'Optional starting timestamp for action events',
                 VALUE_DEFAULT, null),
@@ -117,7 +117,7 @@ public static function execute(
         $sort = $params['sort'];
         $customfieldname = $params['customfieldname'];
         $customfieldvalue = $params['customfieldvalue'];
-        $searchvalue = $params['searchvalue'];
+        $searchvalue = clean_param($params['searchvalue'], PARAM_TEXT);
         $eventsfrom = $params['eventsfrom'];
         $eventsto = $params['eventsto'];
         $morecoursestofetch = true;

diff --git a/course/externallib.php b/course/externallib.php
@@ -3754,7 +3754,7 @@ public static function get_enrolled_courses_by_timeline_classification_parameter
                     VALUE_DEFAULT, null),
                 'customfieldvalue' => new external_value(PARAM_RAW, 'Used when classification = customfield',
                     VALUE_DEFAULT, null),
-                'searchvalue' => new external_value(PARAM_TEXT, 'The value a user wishes to search against',
+                'searchvalue' => new external_value(PARAM_RAW, 'The value a user wishes to search against',
                     VALUE_DEFAULT, null),
             )
         );
@@ -3812,7 +3812,7 @@ public static function get_enrolled_courses_by_timeline_classification(
         $offset = $params['offset'];
         $sort = $params['sort'];
         $customfieldvalue = $params['customfieldvalue'];
-        $searchvalue = $params['searchvalue'];
+        $searchvalue = clean_param($params['searchvalue'], PARAM_TEXT);
 
         switch($classification) {
             case COURSE_TIMELINE_ALLINCLUDINGHIDDEN: