Alternative blog module for Moodle 2 (including course blogs)
Validate the values of $_POST['timefilter_visitstats'], $_POST['timefilter_poststats'], $_POST['timefilter_commentstats'], $_POST['timefilter_commentpoststats'] #110
Those values are read from $_POST directly:

Then they are saved into mdl_user_preferences, i.e.:

set_user_preference('mod_oublog_commentpostformfilter', $_POST['timefilter_commentpoststats']);

Then read:

$default = get_user_preferences('mod_oublog_commentpostformfilter', OUBLOG_STATS_TIMEFILTER_MONTH);

And used as "default" option for select form element:

Even though the raw value is saved into the database, I don't see any way of exploiting it for XSS.

However, it would be a good idea to check the value of $_POST['timefilter_*'] before persisting it - compare it with the white list of the correct, allowed values.
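One way to do the allow-list check the issue asks for, as an added example that is not code from moodle-mod_oublog: the raw request value is reduced to an integer and accepted only if it matches one of the known time-filter constants, otherwise the existing default is stored. OUBLOG_STATS_TIMEFILTER_MONTH, set_user_preference and the parameter/preference name pair are taken from the issue; the other constant names and their numeric values, the helper names oublog_validate_timefilter and oublog_save_timefilter_prefs, and the remaining parameter names are assumptions made for this example.

```php
<?php
// Added example, not code from the oublog module. Only OUBLOG_STATS_TIMEFILTER_MONTH
// is quoted in the issue; the other constants and their values are ASSUMED here
// so the file can be read (and run) outside Moodle.
if (!defined('OUBLOG_STATS_TIMEFILTER_ALL'))   { define('OUBLOG_STATS_TIMEFILTER_ALL', 0); }
if (!defined('OUBLOG_STATS_TIMEFILTER_MONTH')) { define('OUBLOG_STATS_TIMEFILTER_MONTH', 1); }
if (!defined('OUBLOG_STATS_TIMEFILTER_YEAR'))  { define('OUBLOG_STATS_TIMEFILTER_YEAR', 2); }

/**
 * Return $raw as an int if it is one of the allowed time-filter values, else $default.
 *
 * ctype_digit() rejects anything that is not a plain non-negative decimal string
 * (markup, negative numbers, arrays, empty strings), and the strict in_array()
 * rejects integers outside the allow-list, so only a known constant is ever persisted.
 */
function oublog_validate_timefilter($raw, int $default = OUBLOG_STATS_TIMEFILTER_MONTH): int {
    $allowed = [
        OUBLOG_STATS_TIMEFILTER_ALL,
        OUBLOG_STATS_TIMEFILTER_MONTH,
        OUBLOG_STATS_TIMEFILTER_YEAR,
    ];
    if (!is_scalar($raw) || !ctype_digit((string) $raw)) {
        return $default;
    }
    $value = (int) $raw;
    return in_array($value, $allowed, true) ? $value : $default;
}

/**
 * Validate each submitted time filter and persist it. The first pair is the one
 * quoted in the issue; the other three are ASSUMED to follow the same naming pattern.
 * Returns the validated values so the caller can re-render the form with them.
 */
function oublog_save_timefilter_prefs(array $post): array {
    $filters = [
        'timefilter_commentpoststats' => 'mod_oublog_commentpostformfilter',
        'timefilter_visitstats'       => 'mod_oublog_visitformfilter',        // assumed name
        'timefilter_poststats'        => 'mod_oublog_postformfilter',         // assumed name
        'timefilter_commentstats'     => 'mod_oublog_commentformfilter',      // assumed name
    ];
    $saved = [];
    foreach ($filters as $param => $prefname) {
        if (!array_key_exists($param, $post)) {
            continue;                                  // not submitted: leave preference as is
        }
        $value = oublog_validate_timefilter($post[$param]);
        // set_user_preference() is the Moodle API used in the issue; guarded so the
        // example also runs outside Moodle for a quick local check.
        if (function_exists('set_user_preference')) {
            set_user_preference($prefname, $value);
        }
        $saved[$prefname] = $value;
    }
    return $saved;
}

// Constructed sample input: one valid value, one out-of-range, one non-numeric, one negative.
$sample = [
    'timefilter_commentpoststats' => '2',
    'timefilter_visitstats'       => '99',
    'timefilter_poststats'        => '<script>alert(1)</script>',
    'timefilter_commentstats'     => '-1',
];
foreach (oublog_save_timefilter_prefs($sample) as $pref => $value) {
    printf("%-36s => %d\n", $pref, $value);
}
// Only the first row keeps its submitted value (2); the other three fall back to
// OUBLOG_STATS_TIMEFILTER_MONTH (1) instead of reaching mdl_user_preferences.
```

In the module itself the same effect is normally reached with Moodle's optional_param($name, $default, PARAM_INT) in place of the raw $_POST read, followed by the in_array() check above; the point is that the value written with set_user_preference() is always one of the constants the select element can render, never whatever the client sent.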