mebis-lp · PhMemmel · Mar 4, 2024 · Feb 13, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/amd/build/card.min.js b/amd/build/card.min.js
diff --git a/amd/build/card.min.js.map b/amd/build/card.min.js.map
diff --git a/amd/build/column.min.js b/amd/build/column.min.js
diff --git a/amd/build/column.min.js.map b/amd/build/column.min.js.map
diff --git a/amd/src/card.js b/amd/src/card.js
@@ -388,7 +388,11 @@ export default class extends KanbanComponent {
         }
         // Update title (also in modals).
         if (element.title !== undefined) {
-            this.getElement(selectors.INPLACEEDITABLE).setAttribute('data-value', element.title);
+            // For Moodle inplace editing title is once needed plain and once with html entities encoded.
+            // This avoids double encoding of html entities as the value of "data-value" is exactly what is shown
+            // in the input field when clicking on the inplace editable.
+            let doc = new DOMParser().parseFromString(element.title, 'text/html');
+            this.getElement(selectors.INPLACEEDITABLE).setAttribute('data-value', doc.documentElement.textContent);
             this.getElement(selectors.INPLACEEDITABLE).querySelector('a').innerHTML = element.title;
             this.getElement(selectors.DESCRIPTIONMODALTITLE).innerHTML = element.title;
             this.getElement(selectors.DISCUSSIONMODALTITLE).innerHTML = element.title;

diff --git a/amd/src/column.js b/amd/src/column.js
@@ -290,7 +290,11 @@ export default class extends KanbanComponent {
         }
         // Update data for inplace editing if title was updated (this is important if title was modified by another user).
         if (element.title !== undefined) {
-            this.getElement(selectors.INPLACEEDITABLE).setAttribute('data-value', element.title);
+            // For Moodle inplace editing title is once needed plain and once with html entities encoded.
+            // This avoids double encoding of html entities as the value of "data-value" is exactly what is shown
+            // in the input field when clicking on the inplace editable.
+            let doc = new DOMParser().parseFromString(element.title, 'text/html');
+            this.getElement(selectors.INPLACEEDITABLE).setAttribute('data-value', doc.documentElement.textContent);
             this.getElement(selectors.INPLACEEDITABLE).querySelector('a').innerHTML = element.title;
         }
         // Only autohide option is relevant for the frontend for now. autoclose option is handled by the backend.

diff --git a/classes/boardmanager.php b/classes/boardmanager.php
@@ -816,7 +816,7 @@ public function update_card(int $cardid, array $data): void {
         ];
         // Do some extra sanitizing.
         if (isset($data['title'])) {
-            $data['title'] = clean_param($data['title'], PARAM_TEXT);
+            $data['title'] = s($data['title']);
         }
         if (isset($data['description'])) {
             $data['description'] = clean_param($data['description'], PARAM_CLEANHTML);
@@ -946,7 +946,7 @@ public function update_column(int $columnid, array $data): void {
             'autohide' => $data['autohide'],
         ];
         if (isset($data['title'])) {
-            $data['title'] = clean_param($data['title'], PARAM_TEXT);
+            $data['title'] = s($data['title']);
         }
         $columndata = [
             'id' => $columnid,

diff --git a/classes/form/edit_card_form.php b/classes/form/edit_card_form.php
@@ -165,6 +165,7 @@ public function set_data_for_dynamic_submission(): void {
         $id = $this->optional_param('id', null, PARAM_INT);
         $card = $DB->get_record('kanban_card', ['id' => $id]);
         $options = json_decode($card->options);
+        $card->title = html_entity_decode($card->title, ENT_COMPAT, 'UTF-8');
         $card->cmid = $this->optional_param('cmid', null, PARAM_INT);
         $card->boardid = $card->kanban_board;
         $card->assignees = $DB->get_fieldset_select('kanban_assignee', 'userid', 'kanban_card = :cardid', ['cardid' => $id]);

diff --git a/classes/form/edit_column_form.php b/classes/form/edit_column_form.php
@@ -119,6 +119,7 @@ public function set_data_for_dynamic_submission(): void {
         $id = $this->optional_param('id', null, PARAM_INT);
         $column = $DB->get_record('kanban_column', ['id' => $id]);
         $column->cmid = $this->optional_param('cmid', null, PARAM_INT);
+        $column->title = html_entity_decode($column->title, ENT_COMPAT, 'UTF-8');
         $column->boardid = $column->kanban_board;
         $options = json_decode($column->options);
         $column->autoclose = $options->autoclose;

diff --git a/lib.php b/lib.php
@@ -159,17 +159,15 @@ function kanban_inplace_editable($itemtype, $itemid, $newvalue) {
 
     \mod_kanban\helper::check_permissions_for_user_or_group($boardmanager->get_board(), $context, $boardmanager->get_cminfo());
 
-    $newtitle = clean_param($newvalue, PARAM_TEXT);
-
     if ($itemtype == 'card') {
-        $boardmanager->update_card($itemid, ['title' => $newtitle]);
+        $boardmanager->update_card($itemid, ['title' => $newvalue]);
     }
 
     if ($itemtype == 'column') {
-        $boardmanager->update_column($itemid, ['title' => $newtitle]);
+        $boardmanager->update_column($itemid, ['title' => $newvalue]);
     }
 
-    return new \core\output\inplace_editable('mod_kanban', $itemtype, $itemid, true, $newtitle, $newtitle, null, '');
+    return new \core\output\inplace_editable('mod_kanban', $itemtype, $itemid, true, s($newvalue), $newvalue, null, '');
 }
 
 /**

diff --git a/templates/card.mustache b/templates/card.mustache
@@ -34,9 +34,9 @@
     <div class="card-body">
         <div class="mod_kanban_card_title card-title">
             <span class="inplaceeditable inplaceeditable-text"{{#canedit}}{{^completed}} data-inplaceeditable="1" data-component="mod_kanban" data-itemtype="card" data-itemid="{{id}}"
-        data-value="{{title}}" data-type="text"{{/completed}}{{/canedit}}>
+        data-value="{{{title}}}" data-type="text"{{/completed}}{{/canedit}}>
                 <a href="#" class="quickeditlink aalink"{{#canedit}}{{^completed}} data-inplaceeditablelink="1"{{/completed}}{{/canedit}}>
-                {{title}}
+                {{{title}}}
                 </a>
             </span>
         </div>

diff --git a/templates/column.mustache b/templates/column.mustache
@@ -32,9 +32,9 @@
 <li class="mod_kanban_column col card{{#autohide}} mod_kanban_autohide{{/autohide}} {{#locked}}mod_kanban_locked_column{{/locked}}" id="mod_kanban_column-{{id}}" data-id="{{id}}">
     <h5 class="mod_kanban_column_title card-title">
     <span class="inplaceeditable inplaceeditable-text"{{#managecolumns}} {{^locked}}data-inplaceeditable="1" {{/locked}}data-component="mod_kanban" data-itemtype="column" data-itemid="{{id}}"
-    data-value="{{title}}" data-type="text"{{/managecolumns}}>
+    data-value="{{{title}}}" data-type="text"{{/managecolumns}}>
         <a href="#" class="quickeditlink aalink"{{#managecolumns}} data-inplaceeditablelink="1"{{/managecolumns}}>
-            {{title}}
+            {{{title}}}
         </a>
     </span>
     </h5>