
PARAM_RAW Security Risk #11

Description

@volodymyrdovhan

Hello,
The plugin uses PARAM_RAW for parameter validation. PARAM_RAW should only be used when there is no other option and when strict validation/cleaning is performed elsewhere. In most cases, use specific parameter types (for example: PARAM_INT for integers, PARAM_TEXT for plain text, PARAM_ALPHA/PARAM_ALPHANUM for constrained formats) to reduce XSS and injection risk.

Documentation:

Code excerpts:

  • File: manage.php, lines 177-179

```php
if ($action === 'import' && data_submitted() && confirm_sesskey()) {
    $importtext   = required_param('importdata', PARAM_RAW);
    $parsed_cards = \mod_leitbox\import_handler::parse_text($importtext);
```
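As an added example (not code from the mod_leitbox plugin or from the issue author), the same import action written so that the request parameter carries a specific type and every parsed field is cleaned with `clean_param()` before it is stored or echoed. It assumes a standard Moodle bootstrap through `config.php`; the `parse_import_lines()` helper and the one-card-per-line `front|back` format are assumptions made for illustration, not the plugin's actual import format.

```php
<?php
// Added example (hypothetical). Assumes Moodle's config.php, which provides
// required_param(), optional_param(), clean_param(), s(), confirm_sesskey(),
// data_submitted(), html_writer and the PARAM_* constants.
require_once(__DIR__ . '/../../config.php');

/**
 * Split import text into cards, cleaning each field with a specific PARAM_* type.
 * Assumed format: one card per line, "front|back".
 *
 * @param string $importtext text taken from the request
 * @return array list of ['front' => string, 'back' => string]
 */
function parse_import_lines(string $importtext): array {
    $cards = [];
    foreach (preg_split('/\R/', $importtext) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $parts = explode('|', $line, 2);
        if (count($parts) !== 2) {
            // Skip malformed lines rather than guessing at their meaning.
            continue;
        }
        // PARAM_TEXT strips HTML tags, which is all plain flashcard text needs.
        $cards[] = [
            'front' => clean_param(trim($parts[0]), PARAM_TEXT),
            'back'  => clean_param(trim($parts[1]), PARAM_TEXT),
        ];
    }
    return $cards;
}

$cmid   = required_param('id', PARAM_INT);
$action = optional_param('action', '', PARAM_ALPHA);

if ($action === 'import' && data_submitted() && confirm_sesskey()) {
    // Option 1: let Moodle clean the whole parameter with a specific type.
    $importtext = required_param('importdata', PARAM_TEXT);

    // Option 2 (only if markup must survive until parsing): read it raw and
    // rely on the parser cleaning every field, as parse_import_lines() does.
    // $importtext = required_param('importdata', PARAM_RAW);

    $parsedcards = parse_import_lines($importtext);

    // Escape on output as well: never echo a field without s() or format_string().
    foreach ($parsedcards as $card) {
        echo html_writer::tag('li', s($card['front']) . ' / ' . s($card['back']));
    }
}
```

Option 1 is the direct fix the issue asks for; option 2 is the only defensible way to keep PARAM_RAW, because the cleaning then happens on every field the parser produces, and output escaping with `s()` still applies in both cases.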
