From eff5f81276a909bbccfd43e0e8c718bc73d06c18 Mon Sep 17 00:00:00 2001
From: Nelson Cheng
Date: Fri, 20 Jul 2018 15:16:51 +1000
Subject: [PATCH] Fixed issue #2 and #3
---
 block_equella_links.php | 4 ++--
 managelinks.php | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/block_equella_links.php b/block_equella_links.php
index e2aeddc..3019d1a 100644
--- a/block_equella_links.php
+++ b/block_equella_links.php
@@ -46,7 +46,7 @@ function instance_config_save($data, $nolongerused = false) {
 $contextid = $context->id;
 $DB->delete_records('block_equella_links', array('contextid'=>$contextid, 'tagged'=>1));
 if (!empty($data->includetaggeditems) && !empty($idnumber)) {
- $xml = self::grab_tagged_items($data->xmlpath, $idnumber);
+ $xml = self::grab_tagged_items(filter_var($data->xmlpath, FILTER_SANITIZE_STRING), $idnumber);
 self::update_records_from_xml($xml, $this->instance->id, $contextid);
 }
@@ -88,7 +88,7 @@ function get_content() {
 $this->content->icons = array();
 if (has_any_capability(array('block/equella_links:manageanylinks'), $this->context)) {
- $url = new moodle_url('/blocks/equella_links/managelinks.php', array('courseid'=>$this->page->course->id));
+ $url = new moodle_url('/blocks/equella_links/managelinks.php', array('courseid'=>$this->page->course->id, 'sesskey' => sesskey()));
 $this->content->footer = $OUTPUT->action_icon($url, new pix_icon('t/edit', get_string('edit')));
 }
diff --git a/managelinks.php b/managelinks.php
index 0bd2dcb..1e1a700 100644
--- a/managelinks.php
+++ b/managelinks.php
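Review bot: `filter_var($data->xmlpath, FILTER_SANITIZE_STRING)` on the new line does not validate the XML location: the filter only strips tags and HTML-encodes quotes, so a legitimate value containing quotes is mangled while any other string still reaches grab_tagged_items unchanged, and FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. If xmlpath is a URL (how grab_tagged_items uses it is not visible here), Moodle's own cleaning is the right tool, e.g. `$xml = self::grab_tagged_items(clean_param($data->xmlpath, PARAM_URL), $idnumber);`, and presumably the same value should be validated when the block configuration is saved rather than only when it is read. instance_config_save continues outside the hunk.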
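Review bot: Embedding `sesskey()` in the block's edit link on the new line, and in the base and edit URLs of the `@@ -9` and `@@ -72` hunks of managelinks.php, puts the CSRF token into GET URLs of a page that only displays a list and a form, so it lands in browser history and in the Referer header of any link followed from that page; the manage page lists EQUELLA links, so if those are rendered as anchors the token is disclosed to those sites. The need for it comes from the unconditional `require_sesskey();` added in the `@@ -19` hunk, but Moodle's moodleform already validates the sesskey on form submission. It is enough to gate only the action branch, `if (!empty($action)) { require_sesskey(); ... }`, keep `'sesskey' => sesskey()` on the delete link (and on the edit link while action=edit stays sesskey-gated), and drop it from the plain courseid-only URLs.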
@@ -9,7 +9,7 @@ $action = optional_param('action', '', PARAM_ALPHA);
 $linkid = optional_param('linkid', '', PARAM_INT);
-$baseurl = new moodle_url('/blocks/equella_links/managelinks.php', array('courseid'=>$courseid));
+$baseurl = new moodle_url('/blocks/equella_links/managelinks.php', array('courseid'=>$courseid, 'sesskey' => sesskey()));
 $course = $DB->get_record('course', array('id' => $courseid), '*', MUST_EXIST);
 $context = context_course::instance($courseid);
@@ -19,7 +19,7 @@ $PAGE->set_heading(get_string('linksaddedit', 'block_equella_links'));
 require_capability('block/equella_links:manageanylinks', $context);
-
+require_sesskey();
 if (!empty($action)) {
 $link = $DB->get_record('block_equella_links', array('id' => $linkid, 'contextid'=>$context->id), '*', MUST_EXIST);
@@ -42,17 +42,16 @@ if ($formdata = $mform->get_data()) {
 if (!empty($formdata->linkid)) {
 $editinglink = new stdClass;
- $editinglink->id = $formdata->linkid;
- $editinglink->title = $formdata->title;
- $editinglink->url = $formdata->url;
+ $editinglink->id = filter_var($formdata->linkid, FILTER_SANITIZE_STRING);
+ $editinglink->title = filter_var($formdata->title, FILTER_SANITIZE_STRING);
+ $editinglink->url = filter_var($formdata->url, FILTER_SANITIZE_URL);
 $editinglink->contextid = $context->id;
 $DB->update_record('block_equella_links', $editinglink);
 } else {
 $addinglink = new stdClass;
- $addinglink->title = $formdata->title;
- $addinglink->url = $formdata->url;
+ $addinglink->title = filter_var($formdata->title, FILTER_SANITIZE_STRING);
+ $addinglink->url = filter_var($formdata->url, FILTER_SANITIZE_URL);
 $addinglink->created = time();
- $addinglink->tagged = 0;
 $addinglink->contextid = $context->id;
 $DB->insert_record('block_equella_links', $addinglink);
 }
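Review bot: In the update branch of the `@@ -42` hunk, `filter_var($formdata->linkid, FILTER_SANITIZE_STRING)` turns the record id into a string rather than an int, and nothing in the hunk checks that the submitted linkid belongs to the current course context — the only ownership lookup visible is the earlier `get_record(..., 'contextid'=>$context->id, MUST_EXIST)` on the URL parameter, so unless the form's own validation covers it, a posted linkid from another context would be re-parented into this one by `update_record`. `FILTER_SANITIZE_URL` only strips characters that are illegal in a URL and does not restrict the scheme, so `clean_param($formdata->url, PARAM_URL)` (which rejects non-web schemes and returns an empty string for an invalid value, which should then be rejected) is the safer choice, and storing the title through `FILTER_SANITIZE_STRING` HTML-encodes quotes at input time, which double-encodes once the block escapes it on output; the Moodle convention is PARAM_TEXT at input and escaping at output, and FILTER_SANITIZE_STRING is deprecated from PHP 8.1. The enclosing `if ($formdata = $mform->get_data())` block continues outside the hunk.
```php
if (!empty($formdata->linkid)) {
    $editid = (int) $formdata->linkid;
    // Only a link that already belongs to this course context may be edited here.
    $DB->get_record('block_equella_links', array('id' => $editid, 'contextid' => $context->id), '*', MUST_EXIST);
    $editinglink = new stdClass;
    $editinglink->id = $editid;
    $editinglink->title = clean_param($formdata->title, PARAM_TEXT);
    $editinglink->url = clean_param($formdata->url, PARAM_URL);
    $editinglink->contextid = $context->id;
    $DB->update_record('block_equella_links', $editinglink);
} else {
    $addinglink = new stdClass;
    $addinglink->title = clean_param($formdata->title, PARAM_TEXT);
    $addinglink->url = clean_param($formdata->url, PARAM_URL);
    // … unchanged: created, contextid, insert_record …
}
```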
@@ -72,10 +71,10 @@ $table->setup();
 $links = $DB->get_records('block_equella_links', array('contextid'=>$context->id));
 foreach ($links as $link) {
- $editurl = new moodle_url('/blocks/equella_links/managelinks.php', array('linkid'=>$link->id, 'action'=>'edit', 'courseid'=>$courseid));
+ $editurl = new moodle_url('/blocks/equella_links/managelinks.php', array('linkid'=>$link->id, 'action'=>'edit', 'courseid'=>$courseid, 'sesskey' => sesskey()));
 $editaction = $OUTPUT->action_icon($editurl, new pix_icon('t/edit', get_string('edit')));
- $deleteurl = new moodle_url('/blocks/equella_links/managelinks.php', array('linkid'=>$link->id, 'action'=>'delete', 'courseid'=>$courseid));
+ $deleteurl = new moodle_url('/blocks/equella_links/managelinks.php', array('linkid'=>$link->id, 'action'=>'delete', 'courseid'=>$courseid, 'sesskey' => sesskey()));
 $deleteicon = new pix_icon('t/delete', get_string('delete'));
 $deleteaction = $OUTPUT->action_icon($deleteurl, $deleteicon, new confirm_action(get_string('deletelinkconfirm', 'block_equella_links')));
 $action = $editaction . ' ' . $deleteaction;