MDL-15896 - Clean 'page' and 'q' parameters to only allow normal page name characters.

diff --git a/mod/wiki/view.php b/mod/wiki/view.php
index 38ea503b666d752728054d32b73c3ba07eaa5d04..51dc4aed0d906fb3623fd8b4ab05bf3ba2769b00 100644 (file)
--- a/mod/wiki/view.php
+++ b/mod/wiki/view.php
@@ -13,12 +13,12 @@
     $ewiki_action = optional_param('ewiki_action', '', PARAM_ALPHA);     // Action on Wiki-Page
     $id           = optional_param('id', 0, PARAM_INT);                  // Course Module ID, or
     $wid          = optional_param('wid', 0, PARAM_INT);                 // Wiki ID
-    $page         = optional_param('page', false);       // Wiki Page Name
-    $q            = optional_param('q',"");              // Search Context
+    $page         = optional_param('page', false, PARAM_PATH);           // Wiki Page Name
+    $q            = optional_param('q',"", PARAM_PATH);                  // Search Context
     $userid       = optional_param('userid', 0, PARAM_INT);              // User wiki.
     $groupid      = optional_param('groupid', 0, PARAM_INT);             // Group wiki.
-    $canceledit   = optional_param('canceledit','', PARAM_ALPHA);          // Editing has been cancelled
-    $cacheme      = optional_param('allowcache', 1, PARAM_INT);   // Set this to 0 to try and disable page caching.
+    $canceledit   = optional_param('canceledit','', PARAM_ALPHA);        // Editing has been cancelled
+    $cacheme      = optional_param('allowcache', 1, PARAM_INT);          // Set this to 0 to try and disable page caching.
     
     // Only want to add edit log entries if we have made some changes ie submitted a form
     $editsave = optional_param('thankyou', '');