From: Petr Skoda <skodak@moodle.org>
Date: Sun, 22 Nov 2009 11:09:11 +0000 (+0000)
Subject: MDL-20929 fixed input validation
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=afb6f77dd9ef4ca79db74c68c41888d9baf923fd;p=moodle.git

MDL-20929 fixed input validation
---

diff --git a/mod/choice/lib.php b/mod/choice/lib.php
index 6bf3e6f9f7..4fdc1986e1 100644
--- a/mod/choice/lib.php
+++ b/mod/choice/lib.php
@@ -443,6 +443,7 @@ function choice_show_results($choice, $course, $cm, $allresponses, $forcepublish
                 echo '<form id="attemptsform" method="post" action="'.$FULLSCRIPT.'" onsubmit="var menu = document.getElementById(\'menuaction\'); return (menu.options[menu.selectedIndex].value == \'delete\' ? \''.addslashes_js(get_string('deleteattemptcheck','quiz')).'\' : true);">';
                 echo '<div>';
                 echo '<input type="hidden" name="id" value="'.$cm->id.'" />';
+                echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
                 echo '<input type="hidden" name="mode" value="overview" />';
             }
 
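Review bot: The new hidden `sesskey` field on the added line is emitted with the same unescaped concatenation as the neighbouring `id` and `mode` fields, which is acceptable only because `sesskey()` returns a server-generated token rather than request data; a one-line comment would make that explicit, e.g. `// sesskey() is server-generated, so it is safe to echo unescaped here`. Since the companion change in report.php now rejects every `action=delete` submission that lacks a valid session key, any other form or link that posts a delete to report.php must be given the same field or it will silently stop working; this hunk covers only this one form. The enclosing function choice_show_results() starts before the hunk and continues after it.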
diff --git a/mod/choice/report.php b/mod/choice/report.php
index 89458f2afe..3d0cefc12f 100644
--- a/mod/choice/report.php
+++ b/mod/choice/report.php
@@ -45,7 +45,7 @@
 
     add_to_log($course->id, "choice", "report", "report.php?id=$cm->id", "$choice->id",$cm->id);
 
-    if ($action == 'delete' && has_capability('mod/choice:deleteresponses',$context)) {
+    if (data_submitted() && $action == 'delete' && has_capability('mod/choice:deleteresponses',$context) && confirm_sesskey()) {
         choice_delete_responses($attemptids, $choice->id); //delete responses.
         redirect("report.php?id=$cm->id");
     }
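Review bot: The strengthened guard on the changed line fails closed but silently: a delete request that carries a stale or missing session key now falls through and the report renders as if nothing had been submitted, so the user gets no indication why the responses were kept and the event leaves no trace. Keep `data_submitted()` and the capability check in the condition, but move the key check inside the branch so it fails visibly, e.g. `if (data_submitted() && $action == 'delete' && has_capability('mod/choice:deleteresponses',$context)) {` followed by `require_sesskey(); // abort with the standard invalid-session-key error instead of skipping silently` (or the equivalent `print_error` call if `require_sesskey()` is not available in this tree). `$action` and `$attemptids` are read from the request outside this hunk; the guard presumes they were already cleaned by the usual `optional_param`-style parsing, which is worth confirming. This block is top-level script code and the surrounding file continues outside the hunk.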