MDL-64651 comments: Do not send referrer

Damyon Wiese · Jenkins · commit 1fc481dd7b09 · 2019-03-05T04:16:40.000+01:00
Use blanktarget option on all comments to prevent malicious links.
diff --git a/comment/classes/external.php b/comment/classes/external.php
@@ -102,6 +102,7 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite
         if ($comments === false) {
             throw new moodle_exception('nopermissions', 'error', '', 'view comments');
         }
+        $options = array('blanktarget' => true);
 
         foreach ($comments as $key => $comment) {
 
@@ -110,7 +111,8 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite
                                                                                                  $context->id,
                                                                                                  $params['component'],
                                                                                                  '',
-                                                                                                 0);
+                                                                                                 0,
+                                                                                                 $options);
         }
 
         $results = array(
diff --git a/comment/lib.php b/comment/lib.php
@@ -570,7 +570,7 @@ public function get_comments($page = '') {
         $params['itemid'] = $this->itemid;
 
         $comments = array();
-        $formatoptions = array('overflowdiv' => true);
+        $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
         $rs = $DB->get_recordset_sql($sql, $params, $start, $perpage);
         foreach ($rs as $u) {
             $c = new stdClass();
@@ -717,7 +717,8 @@ public function add($content, $format = FORMAT_MOODLE) {
             $newcmt->fullname = fullname($USER);
             $url = new moodle_url('/user/view.php', array('id' => $USER->id, 'course' => $this->courseid));
             $newcmt->profileurl = $url->out();
-            $newcmt->content = format_text($newcmt->content, $newcmt->format, array('overflowdiv'=>true));
+            $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
+            $newcmt->content = format_text($newcmt->content, $newcmt->format, $formatoptions);
             $newcmt->avatar = $OUTPUT->user_picture($USER, array('size'=>16));
 
             $commentlist = array($newcmt);
diff --git a/comment/locallib.php b/comment/locallib.php
@@ -68,7 +68,7 @@ function get_comments($page) {
                        ON u.id=c.userid
               ORDER BY c.timecreated ASC";
         $rs = $DB->get_recordset_sql($sql, null, $start, $this->perpage);
-        $formatoptions = array('overflowdiv' => true);
+        $formatoptions = array('overflowdiv' => true, 'blanktarget' => true);
         foreach ($rs as $item) {
             // Set calculated fields
             $item->fullname = fullname($item);

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,7 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite`
`102`	`102`	`if ($comments === false) {`
`103`	`103`	`throw new moodle_exception('nopermissions', 'error', '', 'view comments');`
`104`	`104`	`}`
	`105`	`+ $options = array('blanktarget' => true);`
`105`	`106`
`106`	`107`	`foreach ($comments as $key => $comment) {`
`107`	`108`
`@@ -110,7 +111,8 @@ public static function get_comments($contextlevel, $instanceid, $component, $ite`
`110`	`111`	`$context->id,`
`111`	`112`	`$params['component'],`
`112`	`113`	`'',`
`113`		`- 0);`
	`114`	`+ 0,`
	`115`	`+ $options);`
`114`	`116`	`}`
`115`	`117`
`116`	`118`	`$results = array(`