MDL-72249 message: stricter cleaning of processor type parameter.

2025-08-04 16:36:37 +02:00 · 2023-06-27 10:01:31 +01:00 · 2023-06-27 10:01:31 +01:00 · af04de0f3c
commit af04de0f3c
parent ec4207fc77
2 changed files with 4 additions and 4 deletions
--- a/message/externallib.php
+++ b/message/externallib.php
@ -2853,7 +2853,7 @@ class core_message_external extends external_api {
        return new external_function_parameters(
            array(
                'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user', VALUE_REQUIRED),
-                'name' => new external_value(PARAM_TEXT, 'The name of the message processor'),
+                'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor'),
                'formvalues' => new external_multiple_structure(
                    new external_single_structure(
                        array(
@ -2929,7 +2929,7 @@ class core_message_external extends external_api {
        return new external_function_parameters(
            array(
                'userid' => new external_value(PARAM_INT, 'id of the user, 0 for current user'),
-                'name' => new external_value(PARAM_TEXT, 'The name of the message processor', VALUE_REQUIRED),
+                'name' => new external_value(PARAM_SAFEDIR, 'The name of the message processor', VALUE_REQUIRED),
            )
        );
    }
--- a/message/lib.php
+++ b/message/lib.php
@ -692,8 +692,8 @@ function message_output_fragment_processor_settings($args = []) {
        throw new moodle_exception('Must provide a userid');
    }
-    $type = $args['type'];
+    $type = clean_param($args['type'], PARAM_SAFEDIR);
-    $userid = $args['userid'];
+    $userid = clean_param($args['userid'], PARAM_INT);
    $user = core_user::get_user($userid, '*', MUST_EXIST);
    if (!core_message_can_edit_message_profile($user)) {