MDL-20929 fixed input validation
authorPetr Skoda <skodak@moodle.org>
Sun, 22 Nov 2009 11:09:11 +0000 (11:09 +0000)
committerPetr Skoda <skodak@moodle.org>
Sun, 22 Nov 2009 11:09:11 +0000 (11:09 +0000)
mod/choice/lib.php
mod/choice/report.php

index 6bf3e6f9f70d95ccd8b13eb27ce67e41d764d36f..4fdc1986e1383fb9fbbb55f93a77b96e65b6fb9a 100644 (file)
@@ -443,6 +443,7 @@ function choice_show_results($choice, $course, $cm, $allresponses, $forcepublish
                 echo '<form id="attemptsform" method="post" action="'.$FULLSCRIPT.'" onsubmit="var menu = document.getElementById(\'menuaction\'); return (menu.options[menu.selectedIndex].value == \'delete\' ? \''.addslashes_js(get_string('deleteattemptcheck','quiz')).'\' : true);">';
                 echo '<div>';
                 echo '<input type="hidden" name="id" value="'.$cm->id.'" />';
+                echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
                 echo '<input type="hidden" name="mode" value="overview" />';
             }
 
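Review bot: The form that now carries the session key still writes `$FULLSCRIPT` into the `action` attribute unescaped, on the first context line of this hunk. How that value is built is not visible here, so if it can contain request-derived characters it should be escaped for the attribute context, e.g. `action="'.s($FULLSCRIPT).'"`. The added hidden field itself looks fine, and a short comment such as `// CSRF token, checked by confirm_sesskey() in report.php` would tie it to the check on the receiving side. The enclosing function `choice_show_results()` starts and ends outside the hunk.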
index 89458f2afe4f6620d542d3772e9d5e07e357d08c..3d0cefc12fcc35dfbc3a77fd3e0deb30a1273ba2 100644 (file)
@@ -45,7 +45,7 @@
 
     add_to_log($course->id, "choice", "report", "report.php?id=$cm->id", "$choice->id",$cm->id);
 
-    if ($action == 'delete' && has_capability('mod/choice:deleteresponses',$context)) {
+    if (data_submitted() && $action == 'delete' && has_capability('mod/choice:deleteresponses',$context) && confirm_sesskey()) {
         choice_delete_responses($attemptids, $choice->id); //delete responses.
         redirect("report.php?id=$cm->id");
     }
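Review bot: A request that fails `confirm_sesskey()` is dropped silently here: the combined condition is simply false, the script goes on to render the report, and neither the user nor the log learns that a delete was refused. Keeping the token test separate makes the failure explicit, e.g. leave `data_submitted() && $action == 'delete' && has_capability(...)` as the branch condition and start the branch with `if (!confirm_sesskey()) { print_error('confirmsesskeybad', 'error'); }`. The only `add_to_log()` call visible records a `report` view before the branch, so unless `choice_delete_responses()` logs on its own, the deletion leaves no audit entry. How `$attemptids` is read and validated is outside this hunk, and it is worth confirming that the delete is restricted to responses belonging to `$choice->id`.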