Talk:Trusttext cleaning bypass

From MoodleDocs

I drafted up this little ditty before abandoning it. It doesn't require extra fields - other than the userid field which is in most tables.

Use by calling the function before an insert/update or before displaying the data.

The main advantage is that the trust is checked before being displayed. So if a users trust is revoked after they have entered some malicious script, then the script won't be displayed.


$data = new stdClass();
$data->id = 0;
$data->userid = 2;
$data->description = '<script>alert(1);</script>';


$data = my_trusttext_prepare($data, array('description'), $data->userid);

$id = $DB->insert_record('mytable', $data);

 * Returns clean text fields if the user is not trusted
 * Removes XSS nasties
 * @param object $data Record object - either pre-insert/update or after retrieval
 * @param array $fields Array of fields to clean
 * @param integer|object $updatinguserid A user id or object, this is the last editor of the record NOT the current user
 * @param object $context - Context to use, defaults to system context
 * @return object $data Cleaned data fields where appropriate
function my_trusttext_prepare($data, $fields, $updatinguserid, $context = null) {
	if (is_null($context)) {
		// Default to system context
		$context = get_context_instance(CONTEXT_SYSTEM);

	if (!is_object($data) || !is_array($fields)) {
		// Params are invalid
		print_error('error:trusttextparam', 'my_errors');

	if (!has_capability('moodle/site:trustcontent', $context, $updatinguserid)) {
		// User might be a cheeky monkey, so clean the text
		foreach ($fields as $field) {
			if (!isset($data->$field)) {
				// Oops, field doesn't exist
				print_error('error:trusttextfieldunknown', 'my_errors', null, $field);
			} else {
				$data->$field = clean_text($data->$field);

	return $data;