From 181e3a2ae91a6b62630afbfb97e6219c75e8ad35 Mon Sep 17 00:00:00 2001
From: Valentin Popov
Date: Sun, 10 Jun 2018 16:11:25 +0400
Subject: Standard use of variables

Signed-off-by: Valentin Popov
---
 auth.php | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/auth.php b/auth.php
index c51d618..5fd00c6 100644
--- a/auth.php
+++ b/auth.php
@@ -127,13 +127,11 @@ class auth_plugin_link extends auth_plugin_base {
 public function loginpage_hook() {
 global $DB;
 
- if (!isloggedin()) {
- if (isset($_REQUEST['username']) &&
- isset($_REQUEST['password'])) {
-
- $username = htmlspecialchars($_REQUEST['username']);
- $password = htmlspecialchars($_REQUEST['password']);
+ $username = optional_param('username', '', PARAM_RAW);
+ $password = optional_param('password', '', PARAM_RAW);
 
+ if (!isloggedin()) {
+ if (!empty($username) && !empty($password)) {
 // User existence check.
 if ($user = $DB->get_record('user', array('username' => $username) )) {
 // Verification of authorization data.
@@ -152,12 +150,13 @@ class auth_plugin_link extends auth_plugin_base {
 public function redirect_user() {
 global $CFG, $SESSION;
 
+ $wantsurl = optional_param('wantsurl', '', PARAM_URL);
 $redirect = new moodle_url($CFG->wwwroot, $_GET);
 
 if (isset($SESSION->wantsurl)) {
 $redirect = new moodle_url($SESSION->wantsurl, $_GET);
- } else if (isset($_GET['wantsurl'])) {
- $redirect = htmlspecialchars($_GET['wantsurl']);
+ } else if (!empty($wantsurl)) {
+ $redirect = new moodle_url($wantsurl);
 }
 
 redirect($redirect);
-- 
cgit v1.2.3
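Review bot: The username in loginpage_hook() is read with `PARAM_RAW` and passed straight to `$DB->get_record('user', array('username' => $username))`, so it is neither normalised nor limited to Moodle's username character set before the lookup; `$username = optional_param('username', '', PARAM_USERNAME);` would apply that cleaning, while the password is right to stay `PARAM_RAW`. The lookup matches on `username` alone, and whether deleted, suspended or remote-host accounts are rejected afterwards cannot be seen, because the verification code runs past the end of this hunk. `optional_param()` takes the values from the query string as well as from POST, so the credentials can end up in access logs and browser history; if that is intended for this plugin, a comment above the two calls should say so. `!empty()` also treats the literal string `'0'` as missing, so `$username !== '' && $password !== ''` is the safer test.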
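Review bot: `PARAM_URL` in redirect_user() accepts any well-formed URL, including one on another host, so a request-supplied `wantsurl` becomes the target of `redirect()` with no locality check visible in this hunk, which leaves the login link usable as an open redirect. Reading it as `$wantsurl = optional_param('wantsurl', '', PARAM_LOCALURL);` limits the target to this site. The two unchanged `new moodle_url(..., $_GET)` calls copy every query parameter into the redirect target; if the login link carries `username` and `password` in the query string, as the first hunk allows, they would be forwarded too, so passing an explicit list of parameters to keep would be safer. The closing brace of redirect_user() lies outside the hunk.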