Harden plugin security: fix XSS, sanitize emails, secure state file

allanhaggett · allanhaggett · commit 8b5779e8ff42 · 2026-03-06T23:02:44.000-08:00
- Move API test state file to $CFG-&gt;dataroot (not web-accessible)
- Remove raw API payload and response body from error notification
  emails (HTTP code and curl error are retained for debugging)
- Escape all user-supplied output in log_table.php with s()
- Escape JSON embedded in JS context with JSON_HEX_* flags
- Replace var_export of raw API response in mtrace with safe message
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
 .test_enrolments_state.json
-.apitest_state.json
 /vendor/
 composer.lock
diff --git a/api-test.php b/api-test.php
@@ -45,8 +45,8 @@
 $apitesturl = get_config('local_psaelmsync', 'apiurl');
 $apitesttoken = get_config('local_psaelmsync', 'apitoken');
 
-// State file for tracking enrolled users across runs.
-define('APITEST_STATE_FILE', __DIR__ . '/.apitest_state.json');
+// State file stored in Moodle's data directory (not web-accessible).
+define('APITEST_STATE_FILE', $CFG->dataroot . '/psaelmsync_apitest_state.json');
 
 // Name pools for generating fake users.
 define('APITEST_FIRST_NAMES', [
diff --git a/classes/log_table.php b/classes/log_table.php
@@ -102,7 +102,7 @@ public function col_action($values) {
      * @return string The HTML link to the user profile.
      */
     public function col_user_lastname($values) {
-        $name = $values->user_firstname . ' ' . $values->user_lastname;
+        $name = s($values->user_firstname . ' ' . $values->user_lastname);
         $userurl = new \moodle_url('/user/view.php', ['id' => $values->user_id]);
         return \html_writer::link($userurl, $name);
     }
@@ -114,7 +114,7 @@ public function col_user_lastname($values) {
      * @return string The user email address.
      */
     public function col_user_email($values) {
-        return $values->user_email;
+        return s($values->user_email);
     }
 
     /**
@@ -124,7 +124,7 @@ public function col_user_email($values) {
      * @return string The user GUID.
      */
     public function col_user_guid($values) {
-        return $values->user_guid;
+        return s($values->user_guid);
     }
 
     /**
@@ -135,7 +135,7 @@ public function col_user_guid($values) {
      */
     public function col_course_name($values) {
         $courseurl = new \moodle_url('/user/index.php', ['id' => $values->course_id]);
-        return \html_writer::link($courseurl, $values->course_name);
+        return \html_writer::link($courseurl, s($values->course_name));
     }
 
     /**
@@ -146,9 +146,9 @@ public function col_course_name($values) {
      */
     public function col_user_details($values) {
         $userurl = new \moodle_url('/user/profile.php', ['id' => $values->user_id]);
-        $userdetails = "{$values->user_firstname} {$values->user_lastname}"
-            . "<br>GUID: {$values->user_guid}"
-            . "<br>Email: {$values->user_email}";
+        $userdetails = s($values->user_firstname . ' ' . $values->user_lastname)
+            . "<br>GUID: " . s($values->user_guid)
+            . "<br>Email: " . s($values->user_email);
         return \html_writer::link($userurl, $userdetails);
     }
 
diff --git a/classes/observer.php b/classes/observer.php
@@ -311,8 +311,6 @@ private static function send_api_failure_notification(
         $message .= "API URL: " . $apiurl . "\n";
         $message .= "HTTP Code: " . $httpcode . "\n";
         $message .= "Error: " . $curlerror . "\n";
-        $message .= "Payload: " . $jsondata . "\n";
-        $message .= "Response Body: " . $responsebody . "\n";
 
         $dummyuser = new \stdClass();
         $dummyuser->email = 'noreply-psalssync@learning.gww.gov.bc.ca';
diff --git a/dashboard-intake.php b/dashboard-intake.php
@@ -116,16 +116,14 @@
     $chartdata['errors'][] = $run->errorcount;
 }
 
-// Encode the data for use in JavaScript.
-$chartdatajson = json_encode($chartdata);
 ?>
 
 <!-- Include Chart.js -->
 <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
 <script>
 document.addEventListener('DOMContentLoaded', function () {
     var ctx = document.getElementById('runsChart').getContext('2d');
-    var chartData = <?php echo $chartdatajson; ?>;
+    var chartData = <?php echo json_encode($chartdata, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
 
     new Chart(ctx, {
         type: 'line',
diff --git a/lib.php b/lib.php
@@ -103,8 +103,7 @@ function local_psaelmsync_sync() {
     $data = json_decode($response, true);
 
     if (empty($data)) {
-        mtrace('PSA Enrol Sync: No data received from API: '
-            . var_export($response, true));
+        mtrace('PSA Enrol Sync: No data received from API (empty or invalid JSON response).');
         return;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -103,8 +103,7 @@ function local_psaelmsync_sync() {`
`103`	`103`	`$data = json_decode($response, true);`
`104`	`104`
`105`	`105`	`if (empty($data)) {`
`106`		`- mtrace('PSA Enrol Sync: No data received from API: '`
`107`		`- . var_export($response, true));`
	`106`	`+ mtrace('PSA Enrol Sync: No data received from API (empty or invalid JSON response).');`
`108`	`107`	`return;`
`109`	`108`	`}`
`110`	`109`