From f05dd15ae1f42089efcc39126f7864458959d0a5 Mon Sep 17 00:00:00 2001
From: Michael Pound <46933623+MichPound@users.noreply.github.com>
Date: Mon, 17 Feb 2025 18:49:13 +0000
Subject: [PATCH] TW21240098, Improved comments processing (#164)
---
 classes/comment.php | 2 +-
 classes/tables/comments_table.php | 11 +++++++++++
 external.php | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/classes/comment.php b/classes/comment.php
index efe42e1..0726da4 100644
--- a/classes/comment.php
+++ b/classes/comment.php
@@ -170,7 +170,7 @@ public function save() {
 global $DB, $USER;
 $this->timemodified = time();
- $this->content = html_to_text($this->content, 5000, false);
+ $this->content = clean_param(html_to_text($this->content, 5000, false), PARAM_TEXT);
 if ($this->id > 0) {
 $DB->update_record('board_comments', $this);
diff --git a/classes/tables/comments_table.php b/classes/tables/comments_table.php
index a7e5027..7aaf509 100644
--- a/classes/tables/comments_table.php
+++ b/classes/tables/comments_table.php
@@ -134,6 +134,17 @@ public function other_cols($colname, $value) {
 }
 }
+ /**
+ * Format each row of returned data.
+ *
+ * @param array|object $row row of data from db used to make one row of the table.
+ * @return array one row for the table with sanitised content.
+ */
+ public function format_row($row): array {
+ $row->content = clean_param($row->content, PARAM_TEXT);
+ return parent::format_row($row);
+ }
+
 /**
 * Displays the table.
 */
diff --git a/external.php b/external.php
index c35cac0..53eefde 100755
--- a/external.php
+++ b/external.php
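Review bot: The `5000` passed to html_to_text on the added line in save() is a line-wrap width, not a length limit, so the cleaned content reaches `$DB->update_record('board_comments', $this)` at whatever size the caller supplied; if the column is meant to be bounded, add an explicit check before the write, e.g. `if (core_text::strlen($this->content) > MAX_COMMENT_LENGTH) { throw new moodle_exception('...'); }` with the limit as a named constant (placeholder name). PARAM_TEXT strips tags but does not HTML-encode, so this is input sanitisation only and the rendering path still owns output escaping; a comment on the assignment such as `// Strip tags at save time; templates must still escape on output.` would keep the next reader from treating the stored value as safe HTML. save() starts and ends outside this hunk.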
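Review bot: The docblock on the new format_row declares `@param array|object $row`, but the body does `$row->content = clean_param(...)`, which on PHP 8 throws an Error when `$row` is an array, so the documented contract and the code disagree; either narrow the docblock to `@param object $row` or normalise first with `$row = (object) $row;` ahead of the assignment. As in save(), PARAM_TEXT here only removes tags and does not encode the remaining text, so other_cols (which begins before this hunk) presumably still has to escape `content` when it renders the cell — a short note on the assignment, e.g. `// Tag stripping for legacy rows; output escaping happens in the column renderer.`, would record that division of responsibility.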
@@ -708,7 +708,7 @@ public static function get_comments($noteid) {
 $comment = (object)[];
 $comment->id = $note->id;
 $comment->noteid = $note->noteid;
- $comment->content = $note->content;
+ $comment->content = clean_param($note->content, PARAM_TEXT);
 $comment->candelete = (($canpost && $note->userid === $USER->id) || $candeleteall) ? true : false;
 $comment->date = userdate($note->timecreated);
 $comments[] = $comment;
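Review bot: The `candelete` line uses a strict `$note->userid === $USER->id`; if the record set returns `userid` as a string (as Moodle DB drivers commonly do) while `$USER->id` is an int, the comparison is never true and the author silently loses the delete affordance — worth confirming the runtime types, and `(int) $note->userid === (int) $USER->id` removes the ambiguity; the trailing `? true : false` is redundant on an expression that is already boolean. The added clean_param call duplicates the save-time cleaning for rows written before this change, which is reasonable, but the matching `_returns()` declaration for `content` should use PARAM_TEXT as well so the web-service layer's own validation agrees with what this code emits. get_comments starts and ends outside this hunk.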