doiphode / moodle-tool_clearbackupfiles

Admin tool to clear all backup files from server.
GNU General Public License v3.0

direct access to $_POST/$_GET/$_REQUEST is not allowed #6

Closed. danmarsden closed this issue 3 years ago.

danmarsden commented 3 years ago

https://github.com/doiphode/moodle-tool_clearbackupfiles/blob/master/index.php#L39

You should be using the optional_param/required_param functions instead of raw access to $_GET etc.: https://docs.moodle.org/dev/Security#Don.27t_trust_any_input_from_users

But Moodle has a handy API that makes this confirmation stuff much easier (and a lot cleaner): do a search for `$OUTPUT->confirm(` usage in the existing code for examples.

When manually building forms/actions like this you also need to check Moodle's CSRF token (called sesskey), using functions like require_sesskey/confirm_sesskey etc. If you look at other examples of `$OUTPUT->confirm` you should hopefully see how this is done.

Unfortunately, as this is a security issue, it blocks approval in the plugins DB, but hopefully it's an easy fix!
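The three points raised above (no raw superglobal access, the `$OUTPUT->confirm` helper, and a sesskey check on the destructive action) combined into one admin page, as an added illustration that is not the plugin's own index.php or its fix commit. The admin page name `tool_clearbackupfiles`, the language-string identifiers, and the deletion helper `tool_clearbackupfiles_delete_backup_files()` are assumptions for the example; the Moodle core calls (`admin_externalpage_setup`, `optional_param`, `require_sesskey`, `sesskey`, `$OUTPUT->confirm`, `redirect`, the File API) are real.

```php
<?php
// Added example of the Moodle confirm/sesskey pattern; not the plugin's code.
// Entry point: admin/tool/clearbackupfiles/index.php (path assumed).

require(__DIR__ . '/../../../config.php');
require_once($CFG->libdir . '/adminlib.php');

// Performs require_login(), checks the capability registered for this admin
// page in settings.php, and sets up $PAGE. The page name is an assumption.
admin_externalpage_setup('tool_clearbackupfiles');

// Never read $_GET/$_POST/$_REQUEST directly. optional_param() cleans the value
// to the declared type (here: a boolean, defaulting to false when absent).
//   Unsafe:   $confirm = !empty($_GET['confirm']);   // generic illustration of raw access
//   Correct:
$confirm = optional_param('confirm', false, PARAM_BOOL);

$returnurl = new moodle_url('/admin/tool/clearbackupfiles/index.php');

/**
 * Delete every stored file belonging to the 'backup' component.
 * Hypothetical helper for this example; the real plugin's logic may differ.
 *
 * @return int number of files deleted
 */
function tool_clearbackupfiles_delete_backup_files(): int {
    global $DB;
    $fs = get_file_storage();
    $deleted = 0;
    // Directory placeholders in the files table have filename '.' and must be skipped.
    $rs = $DB->get_recordset('files', ['component' => 'backup']);
    foreach ($rs as $record) {
        $file = $fs->get_file_instance($record);
        if ($file->is_directory()) {
            continue;
        }
        $file->delete();
        $deleted++;
    }
    $rs->close();
    return $deleted;
}

if ($confirm) {
    // CSRF check: aborts the request unless the submitted sesskey matches the
    // session's. A GET link from a third-party site cannot supply it.
    require_sesskey();

    $count = tool_clearbackupfiles_delete_backup_files();
    // Redirect after the state change so a reload does not repeat the action.
    redirect($returnurl, get_string('filesdeleted', 'tool_clearbackupfiles', $count));
}

// First visit: render the standard confirmation page. The continue URL carries
// confirm=1 plus the sesskey; $OUTPUT->confirm() renders it as a POST button,
// and the cancel URL returns to this page without doing anything.
$continueurl = new moodle_url($returnurl, ['confirm' => 1, 'sesskey' => sesskey()]);

echo $OUTPUT->header();
echo $OUTPUT->confirm(
    get_string('confirmdelete', 'tool_clearbackupfiles'),
    $continueurl,
    $returnurl
);
echo $OUTPUT->footer();
```

The important ordering is that `require_sesskey()` runs before any deletion and only on the confirmed branch; the initial page load must be safe to reach via a plain GET, which is why the confirmation step exists at all.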

doiphode commented 3 years ago

Issue resolved in 9ab112e380dfbf397f7678b740aaa56edc04edfa