Talk:Trusttext cleaning bypass


I drafted up this little ditty before abandoning it. It doesn't require extra fields - other than the userid field which is in most tables.

Use by calling the function before an insert/update or before displaying the data.

The main advantage is that the trust is checked before the data is displayed. So if a user's trust is revoked after they have entered some malicious script, the script won't be displayed.

e.g.:

// Build the record that will be stored (constructed example values; the
// description deliberately holds markup that must not reach the page raw)
$data = (object) array(
	'id'          => 0,
	'userid'      => 2,
	'description' => '<script>alert(1);</script>',
);
 
...
 
// Clean the listed text fields unless their last editor is trusted, then store
// the record. $data->userid is the last editor, which here is also the author.
$cleanfields = array('description');
$data = my_trusttext_prepare($data, $cleanfields, $data->userid);
$id = $DB->insert_record('mytable', $data);
 
 
 
 
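/**
 * Cleans the given text fields unless the record's last editor is trusted.
 *
 * The capability is checked against the user who last edited the record, not
 * the current user, so the function is meant to be called both before an
 * insert/update and again before display: if that editor's trust is revoked
 * later, the stored text is cleaned on the way out instead of being shown raw.
 *
 * Removes XSS nasties via clean_text().
 *
 * @param object $data Record object - either pre-insert/update or after retrieval
 * @param array $fields Names of the text fields in $data to clean
 * @param integer|object $updatinguserid A user id or object, this is the last editor of the record NOT the current user
 * @param object $context Context to check the capability in, defaults to the system context
 * @return object $data The same object, with the named fields cleaned where appropriate
 */
function my_trusttext_prepare($data, $fields, $updatinguserid, $context = null) {
	if (is_null($context)) {
		// Default to system context
		$context = get_context_instance(CONTEXT_SYSTEM);
	}

	if (!is_object($data) || !is_array($fields)) {
		// Params are invalid; print_error() is relied on to halt the request
		print_error('error:trusttextparam', 'my_errors');
	}

	if (has_capability('moodle/site:trustcontent', $context, $updatinguserid)) {
		// Trusted editor: the text is stored and shown exactly as entered
		return $data;
	}

	// User might be a cheeky monkey, so clean the text
	foreach ($fields as $field) {
		if (!property_exists($data, $field)) {
			// Oops, field doesn't exist
			print_error('error:trusttextfieldunknown', 'my_errors', null, $field);
		} else if ($data->$field !== null) {
			// A NULL field (e.g. a nullable column read back from the DB) has
			// nothing to clean. property_exists() is used above because isset()
			// reports a NULL property as missing and would wrongly raise the error.
			$data->$field = clean_text($data->$field);
		}
	}

	return $data;
}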