Following code from portfolio/add.php is a security nightmare - allowing anybody (including guests) to include ANY moodle file from dirroot and instantiate ANY class with ANY parameters is unacceptable, please note that there is also no sesskey CSRF protection!

$callbackfile = optional_param('callbackfile', null, PARAM_PATH); // callback file eg /mod/forum/lib.php - the location of the exporting content
$callbackclass = optional_param('callbackclass', null, PARAM_ALPHAEXT); // callback class eg forum_portfolio_caller - the class to handle the exporting content.

$callbackargs = array();
foreach (array_keys(array_merge($_GET, $_POST)) as $key) {
if (strpos($key, 'ca_') === 0) {
if (!$value = optional_param($key, false, PARAM_ALPHAEXT)) {
if (!$value = optional_param($key, false, PARAM_NUMBER))

}
// strip off ca_ for niceness
$callbackargs[substr($key, 3)] = $value;
}
}
// righto, now we have the callback args set up
// load up the caller file and class and tell it to set up all the data
// it needs
require_once($CFG->dirroot . $callbackfile);
$caller = new $callbackclass($callbackargs);