From 17977846249e56f05d77d0918d79bbdb35b241c4 Mon Sep 17 00:00:00 2001
From: Petr Skoda <skodak@moodle.org>
Date: Sat, 21 Nov 2009 22:23:32 +0000
Subject: [PATCH] MDL-20901 fixed input validation

---
 mod/glossary/formats.php  | 5 +++--
 mod/glossary/settings.php | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/mod/glossary/formats.php b/mod/glossary/formats.php
index a336e3376c..88774c0cbd 100644
--- a/mod/glossary/formats.php
+++ b/mod/glossary/formats.php
@@ -22,7 +22,7 @@ if ( !$displayformat = $DB->get_record("glossary_formats", array("id"=>$id))) {
 }
 
 $form = data_submitted();
-if ( $mode == 'visible' ) {
+if ( $mode == 'visible' and confirm_sesskey()) {
     if ( $displayformat ) {
         if ( $displayformat->visible ) {
             $displayformat->visible = 0;
@@ -33,7 +33,7 @@ if ( $mode == 'visible' ) {
     }
     redirect("$CFG->wwwroot/$CFG->admin/settings.php?section=modsettingglossary#glossary_formats_header");
     die;
-} elseif ( $mode == 'edit' and $form) {
+} elseif ( $mode == 'edit' and $form and confirm_sesskey()) {
 
     $displayformat->popupformatname = $form->popupformatname;
     $displayformat->showgroup   = $form->showgroup;
@@ -253,6 +253,7 @@ echo '<table width="90%" align="center" class="generalbox">';
     <input type="submit" value="<?php print_string("savechanges") ?>" /></td>
 </tr>
 <input type="hidden" name="id"    value="<?php p($id) ?>" />
+<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
 <input type="hidden" name="mode"    value="edit" />
 <?php
 
diff --git a/mod/glossary/settings.php b/mod/glossary/settings.php
index 16ffaae61d..ae01cd37ed 100644
--- a/mod/glossary/settings.php
+++ b/mod/glossary/settings.php
@@ -71,7 +71,7 @@ foreach ($formats as $formatid=>$formatname) {
         $vtitle = get_string("show");
         $vicon  = "show.gif";
     }
-    $vicon = "<a title=\"".$vtitle."\" href=\"$CFG->wwwroot/mod/glossary/formats.php?id=$formatid&amp;mode=visible\"><img class=\"iconsmall\" src=\"$pixpath/t/".$vicon."\" alt=\"$vtitle\" /></a>";
+    $vicon = "<a title=\"".$vtitle."\" href=\"$CFG->wwwroot/mod/glossary/formats.php?id=$formatid&amp;mode=visible&amp;sesskey=".sesskey()."\"><img class=\"iconsmall\" src=\"$pixpath/t/".$vicon."\" alt=\"$vtitle\" /></a>";
 
     $str .= '<td align="center">'.$eicon.'&nbsp;&nbsp;'.$vicon.'</td>';
     $str .= '</tr>';
-- 
2.39.5