moodleou / moodle-mod_oublog

Alternative blog module for Moodle 2 (including course blogs)

Validate the values of $_POST['timefilter_visitstats'], $_POST['timefilter_poststats'], $_POST['timefilter_commentstats'], $_POST['timefilter_commentpoststats'] #110

Open tmuras opened 4 years ago

tmuras commented 4 years ago

Those values are read from $_POST directly:

Then they are saved into mdl_user_preferences, i.e.:

    set_user_preference('mod_oublog_commentpostformfilter', $_POST['timefilter_commentpoststats']);

Then read:

    $default = get_user_preferences('mod_oublog_commentpostformfilter', OUBLOG_STATS_TIMEFILTER_MONTH);

And used as the "default" option for a select form element:

            'options' => array(OUBLOG_STATS_TIMEFILTER_ALL => get_string('timefilter_alltime', 'oublog'),
                    OUBLOG_STATS_TIMEFILTER_YEAR => get_string('timefilter_thisyear', 'oublog'),
                    OUBLOG_STATS_TIMEFILTER_MONTH => get_string('timefilter_thismonth', 'oublog')),
            'default' => $default,

Even though the raw value is saved into the database, I don't see any way of exploiting it for XSS. However, it would be a good idea to check the value of $_POST['timefilter_*'] before persisting it - compare it with the whitelist of the correct, allowed values.
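One way to implement the whitelist check the issue asks for, as an added example that is not oublog's own code. It keeps the three option constants as the single source of truth and rejects anything else, including non-numeric strings and arrays. The numeric values of the OUBLOG_STATS_TIMEFILTER_* constants, the helper names oublog_stats_timefilter_allowed() and oublog_clean_timefilter(), and the sample $_POST contents are assumptions for this stand-alone example; the only preference name taken from the issue is mod_oublog_commentpostformfilter.

```php
<?php
// Added example, not code from the oublog module.
// The constant values are assumptions for this stand-alone script; the real
// module defines its own OUBLOG_STATS_TIMEFILTER_* constants.
define('OUBLOG_STATS_TIMEFILTER_ALL', 0);
define('OUBLOG_STATS_TIMEFILTER_YEAR', 1);
define('OUBLOG_STATS_TIMEFILTER_MONTH', 2);

// Single list of allowed values. The form's 'options' array should be built
// from this same list so the whitelist and the select element cannot drift apart.
function oublog_stats_timefilter_allowed(): array {
    return [
        OUBLOG_STATS_TIMEFILTER_ALL,
        OUBLOG_STATS_TIMEFILTER_YEAR,
        OUBLOG_STATS_TIMEFILTER_MONTH,
    ];
}

/**
 * Validate a raw request value against the whitelist.
 * Returns the canonical integer, or $default when the value is missing,
 * not purely numeric, or numeric but not one of the allowed options.
 */
function oublog_clean_timefilter($raw, int $default = OUBLOG_STATS_TIMEFILTER_MONTH): int {
    // Accept only ints or digit-only strings; arrays, floats, "1abc" and
    // markup all fall through to the default.
    if (!is_int($raw) && !(is_string($raw) && ctype_digit($raw))) {
        return $default;
    }
    $value = (int) $raw;
    // Strict comparison: "2" has already been cast, so no loose-equality surprises.
    return in_array($value, oublog_stats_timefilter_allowed(), true) ? $value : $default;
}

// Constructed sample request for demonstration (not real traffic):
// one valid value and three that must be rejected.
$_POST = [
    'timefilter_commentpoststats' => '1',                          // valid: YEAR
    'timefilter_visitstats'       => '<script>alert(1)</script>',  // markup, rejected
    'timefilter_poststats'        => '99',                         // numeric but not an option
    'timefilter_commentstats'     => ['1'],                        // array, rejected
];

$fields = [
    'timefilter_visitstats',
    'timefilter_poststats',
    'timefilter_commentstats',
    'timefilter_commentpoststats',
];

foreach ($fields as $field) {
    $raw   = $_POST[$field] ?? null;
    $clean = oublog_clean_timefilter($raw);
    printf("%-28s raw=%-28s clean=%d\n", $field, json_encode($raw), $clean);
}

// Persist only the validated value. Shown here for the one preference named in
// the issue; in Moodle this would be the set_user_preference() call.
$commentpostfilter = oublog_clean_timefilter($_POST['timefilter_commentpoststats'] ?? null);
// set_user_preference('mod_oublog_commentpostformfilter', $commentpostfilter);
echo "would persist mod_oublog_commentpostformfilter={$commentpostfilter}\n";
```

Two practical notes. First, Moodle's optional_param($name, $default, PARAM_INT) only cleans the value to an integer; it does not check membership, so a whitelist comparison like the one above is still needed to reject values such as 99. Second, because unvalidated values may already be sitting in mdl_user_preferences, it is worth running the same check on the result of get_user_preferences() before handing it to the form as 'default', rather than trusting stored data.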