From 05b24f4a903d9c2fd407e7219864c3bcd2e22285 Mon Sep 17 00:00:00 2001
From: Tim Hunt
Date: Thu, 23 Sep 2021 10:28:12 +0100
Subject: [PATCH] Ad-hoc DB queries: form validation messages not properly escaped #503283
---
 edit_form.php | 14 +++++++-------
 locallib.php | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/edit_form.php b/edit_form.php
index dc514ff..49491e0 100644
--- a/edit_form.php
+++ b/edit_form.php
@@ -246,10 +246,10 @@ public function validation($data, $files) {
 $rs->close();
 } catch (dml_exception $e) {
 $errors['querysql'] = get_string('queryfailed', 'report_customsql',
- $e->getMessage() . ' ' . $e->debuginfo);
+ s($e->getMessage() . ' ' . $e->debuginfo));
 } catch (Exception $e) {
 $errors['querysql'] = get_string('queryfailed', 'report_customsql',
- $e->getMessage());
+ s($e->getMessage()));
 }
 }
 }
@@ -266,12 +266,12 @@ public function validation($data, $files) {
 // The path either needs to be a writable directory ...
 if (is_dir($path) ) {
 if (!is_writable($path)) {
- $errors['customdir'] = get_string('customdirnotwritable', 'report_customsql', $path);
+ $errors['customdir'] = get_string('customdirnotwritable', 'report_customsql', s($path));
 }
 } else if (substr($path, -1) == DIRECTORY_SEPARATOR) {
 // ... and it must exist...
- $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', $path);
+ $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', s($path));
 } else {
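Review bot: The escaping added on the `+` lines is right, but the reason for it is not recorded anywhere in validation(), and the same rule must be remembered for every future message added here: get_string() does not escape `$a`, and formslib renders the `$errors` array as HTML, so any `$a` built from user-derived text — the failed query's error text in this hunk, the customdir path in the @@ -266 and @@ -279 hunks — has to go through s(). I would add one comment above the first catch block, `// Validation errors are rendered as HTML by formslib and get_string() does not escape $a, so escape anything user-derived before passing it in.` The `$e->debuginfo` concatenation is unchanged, so the (now escaped) message still surfaces driver-level error detail to whoever can reach this form; that is pre-existing and presumably acceptable for an admin-only report editor, but worth confirming against the capability gate on this page. validation() starts before this hunk and continues past it.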
@@ -279,16 +279,16 @@ public function validation($data, $files) {
 $dir = dirname($path);
 if (!is_dir($dir)) {
- $errors['customdir'] = get_string('customdirnotadirectory', 'report_customsql', $dir);
+ $errors['customdir'] = get_string('customdirnotadirectory', 'report_customsql', s($dir));
 } else {
 if (file_exists($path)) {
 if (!is_writable($path)) {
- $errors['customdir'] = get_string('filenotwritable', 'report_customsql', $path);
+ $errors['customdir'] = get_string('filenotwritable', 'report_customsql', s($path));
 }
 } else {
 if (!is_writable($dir)) {
- $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', $dir);
+ $errors['customdir'] = get_string('customdirmustexist', 'report_customsql', s($dir));
 }
 }
 }
diff --git a/locallib.php b/locallib.php
index 602c8d8..b90951f 100644
--- a/locallib.php
+++ b/locallib.php
@@ -647,7 +647,7 @@ function report_customsql_validate_users($userids, $capability) {
 // User does not have the chosen access level.
 $context = context_user::instance($user->id);
 $a->userid = $userid;
- $a->name = fullname($user);
+ $a->name = s(fullname($user));
 if (!has_capability($capability, $context, $user)) {
 return get_string('userhasnothiscapability', 'report_customsql', $a);
 }
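Review bot: `$a->userid = $userid;` on the context line just above the change is still unescaped while `$a->name` now is, and both are interpolated into the same `userhasnothiscapability` string that this function returns, presumably as a form validation error rendered as HTML. If `$userid` is an element of the caller-supplied `$userids` parameter (which the signature suggests), it should get the same treatment: `$a->userid = s($userid);`. If instead `$userids` is guaranteed to hold only integers by the time it reaches this loop, a one-line comment saying so would make the asymmetry look deliberate rather than like an oversight. report_customsql_validate_users() starts before this hunk and continues past it.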