better cleaning of $file parameter SC#276; merged from MOODLE_16_STABLE

diff --git a/help.php b/help.php
index 3d5b8dbb300b6a47cd3d71f231a44d01d4080b75..e24b6160877821fd367e5bccefd6e8b929eab5ff 100644 (file)
--- a/help.php
+++ b/help.php
@@ -16,17 +16,13 @@
 
     require_once('config.php');
 
-    $file   = optional_param('file', '', PARAM_CLEAN);
+    $file   = optional_param('file', '', PARAM_PATH);
     $text   = optional_param('text', 'No text to display', PARAM_CLEAN);
     $module = optional_param('module', 'moodle', PARAM_ALPHAEXT);
     $forcelang = optional_param('forcelang', '', PARAM_ALPHAEXT);
 
     print_header();
 
-    if (detect_munged_arguments($module .'/'. $file)) {
-        error('Filenames contain illegal characters!');
-    }
-
     print_simple_box_start('center', '96%');
 
     $helpfound = false;