Bug
Resolution: Fixed
Minor
3.1.4, 3.2.1, 3.3
MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE
MOODLE_33_STABLE
m33_MDL-58027_Restore_Missing_HTMLEntities_Call
While refactoring send_stored_file() in MDL-57789, a missing htmlentities() has been found: https://github.com/scara/moodle/blob/9ec952f237d74cb161217045a40c2ae1d56a30bf/lib/filelib.php#L2428.
No one has complained about this missing call so far, given that none of the modules should apply filters while serving a file, e.g. SCORM: https://moodle.org/mod/forum/discuss.php?d=167328#p810497. More examples:
# grep -R "send_stored_file(\$file, \$lifetime," *
admin/lib.php: send_stored_file($file, $lifetime, 0, false, $options);
lib/outputlib.php: send_stored_file($file, $lifetime, 0, $forcedownload, $options);
mod/book/lib.php: send_stored_file($file, $lifetime, 0, $forcedownload, $options);
mod/scorm/lib.php: send_stored_file($file, $lifetime, 0, false, $options);
repository/filesystem/lib.php: send_stored_file($file, $lifetime, 0, $forcedownload, $options);
The code potentially affected by serving (plain text) files w/o the missing call looks like:
file.php:send_stored_file($file, null, $CFG->filteruploadedfiles, $forcedownload);
mod/resource/lib.php: send_stored_file($file, null, $filter, $forcedownload, $options);
repository/dropbox/lib.php: send_stored_file($storedfile, $lifetime, $filter, $forcedownload, $options);
repository/lib.php: send_stored_file($srcfile, $lifetime, $filter, $forcedownload, $options);
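
The case the report describes, as an added example (not Moodle's code and not part of the original report): a plain-text file passed through a text filter, with and without the htmlentities() call. It assumes the filtered text ends up inside an HTML response; the function names and the stand-in filter are hypothetical.

```php
<?php
// Added illustration; not lib/filelib.php. All names below are hypothetical.

// Stand-in for a text filter: turns bare http(s) URLs into links.
function example_filter(string $text): string {
    return preg_replace('~\bhttps?://[^\s<]+~', '<a href="$0">$0</a>', $text);
}

// "Before": the file content reaches the filter and the page unescaped,
// so any markup characters in the file are interpreted as HTML.
function render_filtered_plaintext_unescaped(string $content): string {
    return '<pre>' . example_filter($content) . '</pre>';
}

// "After": escape first, then filter, then wrap. The only tags left in
// the output are the ones the filter itself added.
function render_filtered_plaintext_escaped(string $content): string {
    $text = htmlentities($content, ENT_QUOTES, 'UTF-8');
    return '<pre>' . example_filter($text) . '</pre>';
}

// Check: dropping the tags and decoding the entities should give back the
// file's text unchanged. This approximates what a browser would display.
function text_survives(string $html, string $original): bool {
    $visible = html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
    return $visible === $original;
}

// Constructed sample file content (a text file that happens to contain
// characters that are special in HTML).
$sample = "if (a < b && c > d) see http://example.org/doc\n<b>not bold</b>\n";

$variants = [
    'unescaped' => render_filtered_plaintext_unescaped($sample),
    'escaped'   => render_filtered_plaintext_escaped($sample),
];

foreach ($variants as $name => $html) {
    echo "== $name ==\n$html\n";
    echo 'file text shown unchanged: ';
    var_dump(text_survives($html, $sample));
    echo "\n";
}
```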