From 94070dea5270f960ed4ed441721a1050bdea4993 Mon Sep 17 00:00:00 2001
From: Michael Pound
Date: Mon, 17 Feb 2025 15:57:06 +0000
Subject: [PATCH 1/3] TW21240103, cleaning new comments before database
---
 classes/comment.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/comment.php b/classes/comment.php
index efe42e1..0726da4 100644
--- a/classes/comment.php
+++ b/classes/comment.php
@@ -170,7 +170,7 @@ public function save() {
 global $DB, $USER;
 $this->timemodified = time();
- $this->content = html_to_text($this->content, 5000, false);
+ $this->content = clean_param(html_to_text($this->content, 5000, false), PARAM_TEXT);
 if ($this->id > 0) {
 $DB->update_record('board_comments', $this);
From ffdb962bc5bad1fc520f148fcd18f8ed232dc396 Mon Sep 17 00:00:00 2001
From: Michael Pound
Date: Mon, 17 Feb 2025 15:57:30 +0000
Subject: [PATCH 2/3] TW21240105, cleaning comments before rendering
---
 external.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/external.php b/external.php
index c35cac0..53eefde 100755
--- a/external.php
+++ b/external.php
@@ -708,7 +708,7 @@ public static function get_comments($noteid) {
 $comment = (object)[];
 $comment->id = $note->id;
 $comment->noteid = $note->noteid;
- $comment->content = $note->content;
+ $comment->content = clean_param($note->content, PARAM_TEXT);
 $comment->candelete = (($canpost && $note->userid === $USER->id) || $candeleteall) ? true : false;
 $comment->date = userdate($note->timecreated);
 $comments[] = $comment;
From 63cd7ac7039475335f589bf6a58c9594fb48aff1 Mon Sep 17 00:00:00 2001
From: Michael Pound
Date: Mon, 17 Feb 2025 17:53:08 +0000
Subject: [PATCH 3/3] TW21243544, cleaning comments for exporting
---
 classes/tables/comments_table.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/classes/tables/comments_table.php b/classes/tables/comments_table.php
index a7e5027..7aaf509 100644
--- a/classes/tables/comments_table.php
+++ b/classes/tables/comments_table.php
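Review bot: The `clean_param(..., PARAM_TEXT)` added on the `$this->content` line strips tags but does not encode: PARAM_TEXT is `strip_tags()` that keeps only well-formed multilang `<span>`/`<lang>` tags, and `html_to_text()` decodes entities before it runs, so the stored string can still hold `<`, `&` and quotes and must still be escaped at output (`format_string()`/`s()` or a Mustache `{{ }}` variable), which nothing in this hunk shows. A comment on the line would stop the next maintainer from treating the column as pre-escaped: `// Plain text with tags stripped; NOT HTML-escaped - escape on output.` The cleaning also only applies to rows written after deploy, so existing `board_comments.content` keeps whatever was stored. If the `5000` is meant as a length cap, note that `html_to_text()`'s second argument is the wrap width, not a maximum length — confirm the intent. `save()` starts before and ends after this hunk.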
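Review bot: Cleaning `$note->content` inside the function body duplicates what `external_api::clean_returnvalue()` already applies from the type declared in `get_comments_returns()` (outside this hunk): if `content` is declared `PARAM_TEXT` there the added call is redundant, and if it is declared `PARAM_RAW` the declaration is what should change, because that declaration is the contract the web-service layer and its clients actually read. PARAM_TEXT is `strip_tags()`-based and does not HTML-encode, so the JS/Mustache that renders `content` must still treat it as text (`{{content}}` rather than `{{{content}}}`, `.text()` rather than `.html()`) — worth confirming in the client code rather than relying on this line. Unrelated to the change but in the hunk, `$note->userid === $USER->id` is a strict comparison; Moodle DB records typically come back as strings, so if `$USER->id` is ever an int the owner check fails closed and the author loses `candelete` — an `(int)` cast on both sides would make it deterministic. `get_comments()` starts and ends outside this hunk.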
@@ -134,6 +134,17 @@ public function other_cols($colname, $value) {
 }
 }
+ /**
+ * Format each row of returned data.
+ *
+ * @param array|object $row row of data from db used to make one row of the table.
+ * @return array one row for the table with sanitised content.
+ */
+ public function format_row($row): array {
+ $row->content = clean_param($row->content, PARAM_TEXT);
+ return parent::format_row($row);
+ }
+
 /**
 * Displays the table.
 */
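Review bot: The docblock on the new `format_row()` promises `array|object $row`, but the body dereferences `$row->content` unconditionally, so an array row (which `table_sql::format_row()` itself accepts and casts) would fatal with "Attempt to assign property on array" before the parent is reached. Normalise first and tolerate a missing column: `$row = (object)$row;` then `$row->content = clean_param($row->content ?? '', PARAM_TEXT);` — the `?? ''` also avoids handing `null` to `clean_param()`, whose string-function calls deprecate null input on PHP 8.1+. If the export target is CSV or a spreadsheet, PARAM_TEXT does nothing about formula injection (a cell beginning with `=`, `+`, `-` or `@`); confirm that the Moodle dataformat writer in use quotes such cells rather than assuming this override covers it. A one-line why-comment would also help, e.g. `// Cleaned here rather than in a col_* method so the download path gets the same treatment.` — if that is indeed the reason, which the hunk does not show.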