From cb21b5b7fb18408163c73074bc18a177f66ab37e Mon Sep 17 00:00:00 2001
From: Mark Nelson
Date: Fri, 9 Feb 2018 17:31:38 +0800
Subject: [PATCH] MDL-61196 message_popup: clean params before returning via WS
---
 message/output/popup/classes/output/popup_notification.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/message/output/popup/classes/output/popup_notification.php b/message/output/popup/classes/output/popup_notification.php
index 215b7795a12..0644a223967 100644
--- a/message/output/popup/classes/output/popup_notification.php
+++ b/message/output/popup/classes/output/popup_notification.php
@@ -70,6 +70,10 @@ class popup_notification implements templatable, renderable {
 $context->timecreatedpretty = get_string('ago', 'message', format_time(time() - $context->timecreated));
 $context->text = message_format_message_text($context);
 $context->read = $context->timeread ? true : false;
+
+ // Need to strip any HTML from these.
+ $context->subject = clean_param($context->subject, PARAM_TEXT);
+ $context->contexturlname = clean_param($context->contexturlname, PARAM_TEXT);
 $context->shortenedsubject = shorten_text($context->subject, 125);
 if (!empty($context->component) && substr($context->component, 0, 4) == 'mod_') {
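Review bot: The added comment `// Need to strip any HTML from these.` overstates what `clean_param(..., PARAM_TEXT)` guarantees for `subject` and `contexturlname`: PARAM_TEXT removes HTML tags but is documented to stay compatible with multilang markup and to allow bare `<` and `>` characters, so the cleaned values are still not safe to emit without escaping. I would reword it to state the guarantee and the reason, e.g. `// Strip HTML tags before these are returned via WS; PARAM_TEXT is not output escaping, so consumers must still escape.` The web-service reason comes from the commit subject, so it should be confirmed against the external function's return definition. The cleaning is applied only in this export path (the enclosing method starts and ends outside the hunk), so any other reader of the stored notification presumably still receives the raw values and needs its own cleaning.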