From: stronk7 Date: Tue, 29 Aug 2006 21:07:59 +0000 (+0000) Subject: relative+cleaned paths X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=4317fe985e964f3f7aed7f45bfd086888653ad02;p=moodle.git relative+cleaned paths
---
diff --git a/admin/xmldb/actions/edit_xml_file/edit_xml_file.class.php b/admin/xmldb/actions/edit_xml_file/edit_xml_file.class.php
index bf45dc9980..74c93bfa27 100644
--- a/admin/xmldb/actions/edit_xml_file/edit_xml_file.class.php
+++ b/admin/xmldb/actions/edit_xml_file/edit_xml_file.class.php
@@ -77,8 +77,8 @@ class edit_xml_file extends XMLDBAction {
 /// Do the job, setting $result as needed
 /// Get the dir containing the file
- $dirpath = required_param('dir', PARAM_CLEAN);
- $dirpath = stripslashes_safe($dirpath);
+ $dirpath = required_param('dir', PARAM_PATH);
+ $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 /// Get the correct dir
 if (!empty($XMLDB->dbdirs)) {
@@ -101,7 +101,7 @@ class edit_xml_file extends XMLDBAction {
 $structure =& $editeddir->xml_file->getStructure();
 /// Add the main form
 $o = '
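Review bot: `$dirpath = $CFG->dirroot . stripslashes_safe($dirpath);` turns a request parameter into a filesystem path, so its safety rests entirely on what `PARAM_PATH` strips (the cleaner is not shown in this hunk) and on the `$XMLDB->dbdirs` lookup that begins on the hunk's last line; that lookup should be the authority, and a `dir` that does not resolve to a known dbdir ought to be rejected rather than leaving `$dirpath` pointing at a caller-shaped location. The ordering is also worth a comment, since `required_param()` cleans the value before `stripslashes_safe()` runs on it, e.g. `/// dir is relative to dirroot; PARAM_PATH cleaning happens inside required_param(), before stripslashes_safe()`. The same two lines appear in the edit_xml_file_save hunk of this commit, where the new `data_submitted('nomatch')` guard only tells a posted form from a plain GET; if the XMLDBAction framework does not already verify the session key for this action, a `confirm_sesskey()` check beside it would be the natural companion. The enclosing method starts and ends outside the hunk.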
'; - $o.= ' '; + $o.= ' '; $o.= ' '; $o.= ' '; $o.= ' '; @@ -116,31 +116,31 @@ class edit_xml_file extends XMLDBAction { /// Calculate the buttons $b = '

'; /// The view original XML button - $b .= ' [' . $this->str['vieworiginal'] . ']'; + $b .= ' [' . $this->str['vieworiginal'] . ']'; /// The view edited XML button if ($structure->hasChanged()) { - $b .= ' [' . $this->str['viewedited'] . ']'; + $b .= ' [' . $this->str['viewedited'] . ']'; } else { $b .= ' [' . $this->str['viewedited'] . ']'; } /// The new table button - $b .= ' [' . $this->str['newtable'] . ']'; + $b .= ' [' . $this->str['newtable'] . ']'; /// The new from MySQL button if ($CFG->dbtype == 'mysql') { - $b .= ' [' . $this->str['newtablefrommysql'] . ']'; + $b .= ' [' . $this->str['newtablefrommysql'] . ']'; } else { $b .= ' [' . $this->str['newtablefrommysql'] . ']'; } /// The new statement button - $b .= ' [' . $this->str['newstatement'] . ']'; + $b .= ' [' . $this->str['newstatement'] . ']'; /// The back to main menu button $b .= ' [' . $this->str['backtomainview'] . ']'; $b .= '

'; $b .= '

'; /// The view sql code button - $b .= '[' .$this->str['viewsqlcode'] . ']'; + $b .= '[' .$this->str['viewsqlcode'] . ']'; /// The view php code button - $b .= ' [' . $this->str['viewphpcode'] . ']'; + $b .= ' [' . $this->str['viewphpcode'] . ']'; $b .= '

'; $o .= $b; /// Join all the reserved words into one big array @@ -164,18 +164,18 @@ class edit_xml_file extends XMLDBAction { /// Calculate buttons $b = ''; /// The edit button - $b .= '[' . $this->str['edit'] . ']'; + $b .= '[' . $this->str['edit'] . ']'; $b .= ''; /// The up button if ($table->getPrevious()) { - $b .= '[' . $this->str['up'] . ']'; + $b .= '[' . $this->str['up'] . ']'; } else { $b .= '[' . $this->str['up'] . ']'; } $b .= ''; /// The down button if ($table->getNext()) { - $b .= '[' . $this->str['down'] . ']'; + $b .= '[' . $this->str['down'] . ']'; } else { $b .= '[' . $this->str['down'] . ']'; } @@ -184,7 +184,7 @@ class edit_xml_file extends XMLDBAction { if (count($tables) > 1 && !$structure->getTableUses($table->getName())) { ///!$structure->getTableUses($table->getName())) { - $b .= '[' . $this->str['delete'] . ']'; + $b .= '[' . $this->str['delete'] . ']'; } else { $b .= '[' . $this->str['delete'] . ']'; } @@ -194,7 +194,7 @@ class edit_xml_file extends XMLDBAction { } $b .= ''; /// Print table row - $o .= '' . $table->getName() . '' . $b . ''; + $o .= '' . $table->getName() . '' . $b . ''; $row = ($row + 1) % 2; } $o .= ''; 
@@ -209,27 +209,27 @@ class edit_xml_file extends XMLDBAction {
 /// Calculate buttons
 $b = '';
 /// The edit button
- $b .= '[' . $this->str['edit'] . ']';
+ $b .= '[' . $this->str['edit'] . ']';
 $b .= '';
 /// The up button
 if ($statement->getPrevious()) {
- $b .= '[' . $this->str['up'] . ']';
+ $b .= '[' . $this->str['up'] . ']';
 } else {
 $b .= '[' . $this->str['up'] . ']';
 }
 $b .= '';
 /// The down button
 if ($statement->getNext()) {
- $b .= '[' . $this->str['down'] . ']';
+ $b .= '[' . $this->str['down'] . ']';
 } else {
 $b .= '[' . $this->str['down'] . ']';
 }
 $b .= '';
 /// The delete button
- $b .= '[' . $this->str['delete'] . ']';
+ $b .= '[' . $this->str['delete'] . ']';
 $b .= '';
 /// Print statement row
- $o .= '' . $statement->getName() . '' . $b . '';
+ $o .= '' . $statement->getName() . '' . $b . '';
 $row = ($row + 1) % 2;
 }
 $o .= '';
diff --git a/admin/xmldb/actions/edit_xml_file_save/edit_xml_file_save.class.php b/admin/xmldb/actions/edit_xml_file_save/edit_xml_file_save.class.php
index 5659c3c52d..52b4714ced 100644
--- a/admin/xmldb/actions/edit_xml_file_save/edit_xml_file_save.class.php
+++ b/admin/xmldb/actions/edit_xml_file_save/edit_xml_file_save.class.php
@@ -61,9 +61,13 @@ class edit_xml_file_save extends XMLDBAction {
 /// Do the job, setting result as needed
+ if (!data_submitted('nomatch')) { ///Basic prevention
+ error('Wrong action call');
+ }
+
 /// Get parameters
- $dirpath = required_param('dir', PARAM_CLEAN);
- $dirpath = stripslashes_safe($dirpath);
+ $dirpath = required_param('dir', PARAM_PATH);
+ $dirpath = $CFG->dirroot . stripslashes_safe($dirpath);
 $comment = required_param('comment', PARAM_CLEAN);
 $comment = stripslashes_safe($comment);