This issue mostly affects the search form fields. Submitted values for
these fields are typically obtained via optional_param() with
PARAM_NOTAGS specified as the parameter type - see parse_search_field()
methods. Such values themselves are not safe enough to be printed back
directly into the HTML as they might contain malicious code.
While working on the patch, some other places with weak protection were
detected and fixed.
In case of the itemid parameters, explicit clean_param() is added to
make sure we cast the value as an integer. That should make the s()
unnecessary but it was added anyway as an extra protection (just in case
the code flow changes or the parts of the code are re-used elsewhere).
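An added illustration of the point made in the commit message above (not code from the patch or from Moodle): stripping tags leaves quote characters intact, so a value echoed into an HTML attribute still needs escaping. The helpers `notags_standin()`, `s_standin()` and `int_standin()` are hypothetical stand-ins assumed to behave like PARAM_NOTAGS cleaning, `s()` and `clean_param(..., PARAM_INT)`; the field name and submitted values are constructed.

```php
<?php
// Hypothetical stand-in for PARAM_NOTAGS cleaning: tags are stripped, quotes are kept.
function notags_standin(string $raw): string {
    return strip_tags($raw);
}

// Hypothetical stand-in for s(): encode HTML special characters, including quotes.
function s_standin(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for clean_param($raw, PARAM_INT): cast to integer.
function int_standin(string $raw): int {
    return (int)$raw;
}

// Echo a submitted search value back into a form field, with or without escaping.
function render_search_input(string $name, string $value, bool $escape): string {
    $attr = $escape ? s_standin($value) : $value;
    return '<input type="text" name="' . $name . '" value="' . $attr . '" />';
}

// List the attribute names a parser would see on the rendered element.
function attribute_names(string $html): array {
    preg_match_all('/\s([a-z-]+)="/', $html, $matches);
    return $matches[1];
}

// Constructed sample input: the tags are removed, the double quote survives.
$submitted = '<b>x</b>" data-injected="1';
$cleaned = notags_standin($submitted);           // x" data-injected="1

$unsafe = render_search_input('f_1', $cleaned, false);
$safe = render_search_input('f_1', $cleaned, true);

echo $unsafe, "\n";                              // value closes early, extra attribute appears
echo implode(',', attribute_names($unsafe)), "\n"; // type,name,value,data-injected
echo $safe, "\n";                                // quotes encoded as &quot;
echo implode(',', attribute_names($safe)), "\n";   // type,name,value

// Constructed itemid value: the integer cast drops everything after the digits,
// and escaping the result as well costs nothing if the code is re-used later.
$itemid = int_standin('12" data-injected="1');
echo '<input type="hidden" name="itemid" value="' . s_standin((string)$itemid) . '" />', "\n";
```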
When students are given the appropriate permissions
to view ratings, in the situation where there are
separate groups, the students can view the ratings
of an entry that is in the all participants group.
When selecting a rating method, the restrict rating
to items with dates would be automatically enabled if
not checked. This code brings the data module in line
with forum and glossary.
New function data_user_can_manage_entry checks whether a user is allowed to manage an entry,
considering the manageentries capability, the data_in_readonly_period() result,
ownership (determined by data_isowner()), approval and the manageapproved setting.
Mainly to verify groups visibility this new callback has been created.
Note this was originally 3 commits but for amending purposes they have
been squashed.
Fix accidental <tr> in some field modify screens
Update mod_data version
Change required asterisk to image
Improve required error message
Fix required icon positions
Remove required code from date field
Add name in labels for fields
Add required field option for multimenu
Remove old required field title text modifier
Add multimenu to behat
Add more comprehensive behat tests
Reload old input when an input error occurs
Behat grammar fixes
Allow location of 0, 0
Use html_writer
Fix existing mod_data behat tests
This is implemented for most fields but not all. The reason is that there are
some fields for which this does not make sense because no entry is a valid entry.
The supported fields are:
checkbox
file
latlong
menu
number
picture
radio
text
textarea
url
The unsupported fields are:
date
multimenu
In the new logging API, xxx_get_view_actions() and xxx_get_post_actions()
will not be used to identify the participation of a user. The event's crud
and edulevel status will define the user's participation.