WebSVN – Moodle – Diff – /lib/classes/param.php

  */
 enum param: string {
     /**
      * PARAM_ALPHA - contains only English ascii letters [a-zA-Z].
      */
+    #[param_clientside_regex('^[a-zA-Z]+$')]
     case ALPHA = 'alpha';
     /**
      * PARAM_ALPHAEXT the same contents as PARAM_ALPHA (English ascii letters [a-zA-Z]) plus the chars in quotes: "_-" allowed
      * NOTE: originally this allowed "/" too, please use PARAM_SAFEPATH if "/" needed
+     */
-     */
+    #[param_clientside_regex('^[a-zA-Z_\-]*$')]
     case ALPHAEXT = 'alphaext';
     /**
+     * PARAM_ALPHANUM - expected numbers 0-9 and English ascii letters [a-zA-Z] only.
-     * PARAM_ALPHANUM - expected numbers 0-9 and English ascii letters [a-zA-Z] only.
+     */
-     */
+    #[param_clientside_regex('^[a-zA-Z0-9]*$')]
     case ALPHANUM = 'alphanum';
+    /**
-    /**
+     * PARAM_ALPHANUMEXT - expected numbers 0-9, letters (English ascii letters [a-zA-Z]) and _- only.
-     * PARAM_ALPHANUMEXT - expected numbers 0-9, letters (English ascii letters [a-zA-Z]) and _- only.
+     */
-     */
+    #[param_clientside_regex('^[a-zA-Z0-9_\-]*$')]
     case ALPHANUMEXT = 'alphanumext';
     /**
      * PARAM_LOCALISEDFLOAT - a localised real/floating point number.
      * This is preferred over PARAM_FLOAT for numbers typed in by the user.
      * Cleans localised numbers to computer readable numbers; false for invalid numbers.
      */
+    #[param_clientside_regex('^\d*([\.,])\d+$')]
     case LOCALISEDFLOAT = 'localisedfloat';
     /**
      * PARAM_HOST - expected fully qualified domain name (FQDN) or an IPv4 dotted quad (IP address)
     case RAW_TRIMMED = 'raw_trimmed';
     /**
      * PARAM_SAFEDIR - safe directory name, suitable for include() and require()
+     */
-     */
+    #[param_clientside_regex('^[a-zA-Z0-9_\-]*$')]
     case SAFEDIR = 'safedir';
     /**
      * PARAM_SAFEPATH - several PARAM_SAFEDIR joined by "/", suitable for include() and require(), plugin paths
      * and other references to Moodle code files.
+     *
+     * This is NOT intended to be used for absolute paths or any user uploaded files.
-     * This is NOT intended to be used for absolute paths or any user uploaded files.
+     */
-     */
+    #[param_clientside_regex('^[a-zA-Z0-9\/_\-]*$')]
     case SAFEPATH = 'safepath';
+    /**
-    /**
+     * PARAM_SEQUENCE - expects a sequence of numbers like 8 to 1,5,6,4,6,8,9.  Numbers and comma only.
-     * PARAM_SEQUENCE - expects a sequence of numbers like 8 to 1,5,6,4,6,8,9.  Numbers and comma only.
+     */
-     */
+    #[param_clientside_regex('^[0-9,]*$')]
     case SEQUENCE = 'sequence';
      * PARAM_COMPONENT is used for full component names (aka frankenstyle) such as 'mod_forum = 'core_rating', 'auth_ldap'.
      * Short legacy subsystem names and module names are accepted too ex: 'forum = 'rating', 'user'.
      * Only lowercase ascii letters, numbers and underscores are allowed, it has to start with a letter.
      * NOTE: numbers and underscores are strongly discouraged in plugin names!
      */
+    #[param_clientside_regex('^[a-z][a-z0-9]*(_(?:[a-z][a-z0-9_](?!__))*)?[a-z0-9]+$')]
     case COMPONENT = 'component';
     /**
      * PARAM_AREA is a name of area used when addressing files, comments, ratings, etc.
      * It is usually used together with context id and component.
      * Only lowercase ascii letters, numbers and underscores are allowed, it has to start with a letter.
+     */
-     */
+    #[param_clientside_regex('^[a-z](?:[a-z0-9_](?!__))*[a-z0-9]+$')]
     case AREA = 'area';
     /**
      * PARAM_PLUGIN is used for plugin names such as 'forum = 'glossary', 'ldap', 'paypal', 'completionstatus'.
      * Only lowercase ascii letters, numbers and underscores are allowed, it has to start with a letter.
+     * NOTE: numbers and underscores are strongly discouraged in plugin names! Underscores are forbidden in module names.
-     * NOTE: numbers and underscores are strongly discouraged in plugin names! Underscores are forbidden in module names.
+     */
-     */
+    #[param_clientside_regex('^[a-z](?:[a-z0-9_](?!__))*[a-z0-9]+$')]
     case PLUGIN = 'plugin';
         return $this->{$methodname}($value);
+    }
+    /**
+     * Get the clientside regular expression for this parameter.
+     *
+     * @return null|string
+     */
+    public function get_clientside_expression(): ?string {
+        $ref = new \ReflectionClassConstant(self::class, $this->name);
+        $attributes = $ref->getAttributes(param_clientside_regex::class);
+        if (count($attributes) === 0) {
+            return null;
+        }
+        return $attributes[0]->newInstance()->regex;
+    }
     /**
      * Returns a value for the named variable, taken from request arguments.
+     *
      * This function should be used to initialise all required values
                 // Root-relative, ok!
             } else if (preg_match('/^' . preg_quote($CFG->wwwroot . '/', '/') . '/i', $param)) {
                 // Absolute, and matches our wwwroot.
             } else {
                 // Relative - let's make sure there are no tricks.
-                if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?') && !preg_match('/javascript:/i', $param)) {
+                if (validateUrlSyntax('/' . $param, 's-u-P-a-p-f+q?r?') &&
+                        !preg_match('/javascript(?:.*\/{2,})?:/i', rawurldecode($param))) {
-                    // Looks ok.
+                    // Valid relative local URL.
                 } else {
                     $param = '';
+                }
+            }
+        }
+     *
      * @param mixed $param
      * @return string
      */
     protected function clean_param_value_capability(mixed $param): string {
-        if (get_capability_info($param)) {
+        if (!empty($param) && get_capability_info($param)) {
             return $param;
         } else {
             return '';
+        }
+    }

Proyectos de Subversion Moodle

(root)/lib/classes/param.php – Rev 1 → 1441