Search moodle.org's
Developer Documentation
Developer Documentation
See Release Notes
Long Term Support Release
- Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
- Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
- PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
/mod/url/ -> locallib.php (source)
Differences Between: [Versions 310 and 401] [Versions 311 and 401] [Versions 39 and 401] [Versions 400 and 401] [Versions 401 and 402] [Versions 401 and 403]
1 <?php 2 3 // This file is part of Moodle - http://moodle.org/ 4 // 5 // Moodle is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // Moodle is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU General Public License for more details. 14 // 15 // You should have received a copy of the GNU General Public License 16 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 17 18 /** 19 * Private url module utility functions 20 * 21 * @package mod_url 22 * @copyright 2009 Petr Skoda {@link http://skodak.org} 23 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 24 */ 25 26 defined('MOODLE_INTERNAL') || die; 27 28 require_once("$CFG->libdir/filelib.php"); 29 require_once("$CFG->libdir/resourcelib.php"); 30 require_once("$CFG->dirroot/mod/url/lib.php"); 31 32 /** 33 * This methods does weak url validation, we are looking for major problems only, 34 * no strict RFE validation. 35 * 36 * @param $url 37 * @return bool true is seems valid, false if definitely not valid URL 38 */ 39 function url_appears_valid_url($url) { 40 if (preg_match('/^(\/|https?:|ftp:)/i', $url)) { 41 // note: this is not exact validation, we look for severely malformed URLs only 42 return (bool) preg_match('/^[a-z]+:\/\/([^:@\s]+:[^@\s]+@)?[^ @]+(:[0-9]+)?(\/[^#]*)?(#.*)?$/i', $url); 43 } else { 44 return (bool)preg_match('/^[a-z]+:\/\/...*$/i', $url); 45 } 46 } 47 48 /** 49 * Fix common URL problems that we want teachers to see fixed 50 * the next time they edit the resource. 51 * 52 * This function does not include any XSS protection. 53 * 54 * @param string $url 55 * @return string 56 */ 57 function url_fix_submitted_url($url) { 58 // note: empty urls are prevented in form validation 59 $url = trim($url); 60 61 // remove encoded entities - we want the raw URI here 62 $url = html_entity_decode($url, ENT_QUOTES, 'UTF-8'); 63 64 if (!preg_match('|^[a-z]+:|i', $url) and !preg_match('|^/|', $url)) { 65 // invalid URI, try to fix it by making it normal URL, 66 // please note relative urls are not allowed, /xx/yy links are ok 67 $url = 'http://'.$url; 68 } 69 70 return $url; 71 } 72 73 /** 74 * Return full url with all extra parameters 75 * 76 * This function does not include any XSS protection. 77 * 78 * @param string $url 79 * @param object $cm 80 * @param object $course 81 * @param object $config 82 * @return string url with & encoded as & 83 */ 84 function url_get_full_url($url, $cm, $course, $config=null) { 85 86 $parameters = empty($url->parameters) ? [] : (array) unserialize_array($url->parameters); 87 88 // make sure there are no encoded entities, it is ok to do this twice 89 $fullurl = html_entity_decode($url->externalurl, ENT_QUOTES, 'UTF-8'); 90 91 $letters = '\pL'; 92 $latin = 'a-zA-Z'; 93 $digits = '0-9'; 94 $symbols = '\x{20E3}\x{00AE}\x{00A9}\x{203C}\x{2047}\x{2048}\x{2049}\x{3030}\x{303D}\x{2139}\x{2122}\x{3297}\x{3299}' . 95 '\x{2300}-\x{23FF}\x{2600}-\x{27BF}\x{2B00}-\x{2BF0}'; 96 $arabic = '\x{FE00}-\x{FEFF}'; 97 $math = '\x{2190}-\x{21FF}\x{2900}-\x{297F}'; 98 $othernumbers = '\x{2460}-\x{24FF}'; 99 $geometric = '\x{25A0}-\x{25FF}'; 100 $emojis = '\x{1F000}-\x{1F6FF}'; 101 102 if (preg_match('/^(\/|https?:|ftp:)/i', $fullurl) or preg_match('|^/|', $fullurl)) { 103 // encode extra chars in URLs - this does not make it always valid, but it helps with some UTF-8 problems 104 // Thanks to 💩.la emojis count as valid, too. 105 $allowed = "[" . $letters . $latin . $digits . $symbols . $arabic . $math . $othernumbers . $geometric . 106 $emojis . "]" . preg_quote(';/?:@=&$_.+!*(),-#%', '/'); 107 $fullurl = preg_replace_callback("/[^$allowed]/u", 'url_filter_callback', $fullurl); 108 } else { 109 // encode special chars only 110 $fullurl = str_replace('"', '%22', $fullurl); 111 $fullurl = str_replace('\'', '%27', $fullurl); 112 $fullurl = str_replace(' ', '%20', $fullurl); 113 $fullurl = str_replace('<', '%3C', $fullurl); 114 $fullurl = str_replace('>', '%3E', $fullurl); 115 } 116 117 // add variable url parameters 118 if (!empty($parameters)) { 119 if (!$config) { 120 $config = get_config('url'); 121 } 122 $paramvalues = url_get_variable_values($url, $cm, $course, $config); 123 124 foreach ($parameters as $parse=>$parameter) { 125 if (isset($paramvalues[$parameter])) { 126 $parameters[$parse] = rawurlencode($parse).'='.rawurlencode($paramvalues[$parameter]); 127 } else { 128 unset($parameters[$parse]); 129 } 130 } 131 132 if (!empty($parameters)) { 133 if (stripos($fullurl, 'teamspeak://') === 0) { 134 $fullurl = $fullurl.'?'.implode('?', $parameters); 135 } else { 136 $join = (strpos($fullurl, '?') === false) ? '?' : '&'; 137 $fullurl = $fullurl.$join.implode('&', $parameters); 138 } 139 } 140 } 141 142 // encode all & to & entity 143 $fullurl = str_replace('&', '&', $fullurl); 144 145 return $fullurl; 146 } 147 148 /** 149 * Unicode encoding helper callback 150 * @internal 151 * @param array $matches 152 * @return string 153 */ 154 function url_filter_callback($matches) { 155 return rawurlencode($matches[0]); 156 } 157 158 /** 159 * Print url header. 160 * @param object $url 161 * @param object $cm 162 * @param object $course 163 * @return void 164 */ 165 function url_print_header($url, $cm, $course) { 166 global $PAGE, $OUTPUT; 167 168 $PAGE->set_title($course->shortname.': '.$url->name); 169 $PAGE->set_heading($course->fullname); 170 $PAGE->set_activity_record($url); 171 echo $OUTPUT->header(); 172 } 173 174 /** 175 * Get url introduction. 176 * 177 * @param object $url 178 * @param object $cm 179 * @param bool $ignoresettings print even if not specified in modedit 180 * @return string 181 */ 182 function url_get_intro(object $url, object $cm, bool $ignoresettings = false): string { 183 $options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions); 184 if ($ignoresettings or !empty($options['printintro'])) { 185 if (trim(strip_tags($url->intro))) { 186 return format_module_intro('url', $url, $cm->id); 187 } 188 } 189 190 return ''; 191 } 192 193 /** 194 * Display url frames. 195 * @param object $url 196 * @param object $cm 197 * @param object $course 198 * @return does not return 199 */ 200 function url_display_frame($url, $cm, $course) { 201 global $PAGE, $OUTPUT, $CFG; 202 203 $frame = optional_param('frameset', 'main', PARAM_ALPHA); 204 205 if ($frame === 'top') { 206 $PAGE->set_pagelayout('frametop'); 207 $PAGE->activityheader->set_attrs([ 208 'description' => url_get_intro($url, $cm), 209 'title' => format_string($url->name) 210 ]); 211 url_print_header($url, $cm, $course); 212 echo $OUTPUT->footer(); 213 die; 214 215 } else { 216 $config = get_config('url'); 217 $context = context_module::instance($cm->id); 218 $exteurl = url_get_full_url($url, $cm, $course, $config); 219 $navurl = "$CFG->wwwroot/mod/url/view.php?id=$cm->id&frameset=top"; 220 $coursecontext = context_course::instance($course->id); 221 $courseshortname = format_string($course->shortname, true, array('context' => $coursecontext)); 222 $title = strip_tags($courseshortname.': '.format_string($url->name)); 223 $framesize = $config->framesize; 224 $modulename = s(get_string('modulename','url')); 225 $contentframetitle = s(format_string($url->name)); 226 $dir = get_string('thisdirection', 'langconfig'); 227 228 $extframe = <<<EOF 229 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> 230 <html dir="$dir"> 231 <head> 232 <meta http-equiv="content-type" content="text/html; charset=utf-8" /> 233 <title>$title</title> 234 </head> 235 <frameset rows="$framesize,*"> 236 <frame src="$navurl" title="$modulename"/> 237 <frame src="$exteurl" title="$contentframetitle"/> 238 </frameset> 239 </html> 240 EOF; 241 242 @header('Content-Type: text/html; charset=utf-8'); 243 echo $extframe; 244 die; 245 } 246 } 247 248 /** 249 * Print url info and link. 250 * @param object $url 251 * @param object $cm 252 * @param object $course 253 */ 254 function url_print_workaround($url, $cm, $course) { 255 global $OUTPUT, $PAGE, $USER; 256 257 $PAGE->activityheader->set_description(url_get_intro($url, $cm, true)); 258 url_print_header($url, $cm, $course); 259 260 $fullurl = new moodle_url(url_get_full_url($url, $cm, $course)); 261 262 $display = url_get_final_display_type($url); 263 if ($display == RESOURCELIB_DISPLAY_POPUP) { 264 $jsfullurl = addslashes_js($fullurl->out(false)); 265 $options = empty($url->displayoptions) ? [] : (array) unserialize_array($url->displayoptions); 266 $width = empty($options['popupwidth']) ? 620 : $options['popupwidth']; 267 $height = empty($options['popupheight']) ? 450 : $options['popupheight']; 268 $wh = "width=$width,height=$height,toolbar=no,location=no,menubar=no,copyhistory=no,status=no,directories=no,scrollbars=yes,resizable=yes"; 269 $attributes = ['onclick' => "window.open('$jsfullurl', '', '$wh'); return false;"]; 270 271 } else if ($display == RESOURCELIB_DISPLAY_NEW) { 272 $attributes = ['onclick' => "this.target='_blank';"]; 273 274 } else { 275 $attributes = []; 276 } 277 278 echo '<div class="urlworkaround">'; 279 print_string('clicktoopen', 'url', html_writer::link($fullurl, format_string($cm->name), $attributes)); 280 echo '</div>'; 281 282 echo $OUTPUT->footer(); 283 die; 284 } 285 286 /** 287 * Display embedded url file. 288 * @param object $url 289 * @param object $cm 290 * @param object $course 291 */ 292 function url_display_embed($url, $cm, $course) { 293 global $PAGE, $OUTPUT; 294 295 $mimetype = resourcelib_guess_url_mimetype($url->externalurl); 296 $fullurl = url_get_full_url($url, $cm, $course); 297 $title = $url->name; 298 299 $moodleurl = new moodle_url($fullurl); 300 $link = html_writer::link($moodleurl, format_string($cm->name)); 301 $clicktoopen = get_string('clicktoopen', 'url', $link); 302 303 $extension = resourcelib_get_extension($url->externalurl); 304 305 $mediamanager = core_media_manager::instance($PAGE); 306 $embedoptions = array( 307 core_media_manager::OPTION_TRUSTED => true, 308 core_media_manager::OPTION_BLOCK => true 309 ); 310 311 if (in_array($mimetype, array('image/gif','image/jpeg','image/png'))) { // It's an image 312 $code = resourcelib_embed_image($fullurl, $title); 313 314 } else if ($mediamanager->can_embed_url($moodleurl, $embedoptions)) { 315 // Media (audio/video) file. 316 $code = $mediamanager->embed_url($moodleurl, $title, 0, 0, $embedoptions); 317 318 } else { 319 // anything else - just try object tag enlarged as much as possible 320 $code = resourcelib_embed_general($fullurl, $title, $clicktoopen, $mimetype); 321 } 322 323 $PAGE->activityheader->set_description(url_get_intro($url, $cm)); 324 url_print_header($url, $cm, $course); 325 326 echo $code; 327 328 echo $OUTPUT->footer(); 329 die; 330 } 331 332 /** 333 * Decide the best display format. 334 * @param object $url 335 * @return int display type constant 336 */ 337 function url_get_final_display_type($url) { 338 global $CFG; 339 340 if ($url->display != RESOURCELIB_DISPLAY_AUTO) { 341 return $url->display; 342 } 343 344 // detect links to local moodle pages 345 if (strpos($url->externalurl, $CFG->wwwroot) === 0) { 346 if (strpos($url->externalurl, 'file.php') === false and strpos($url->externalurl, '.php') !== false ) { 347 // most probably our moodle page with navigation 348 return RESOURCELIB_DISPLAY_OPEN; 349 } 350 } 351 352 // Binaries and other formats that are known to cause trouble for external links. 353 static $download = ['application/zip', 'application/x-tar', 'application/g-zip', 354 'application/pdf', 'text/html', 'document/unknown']; 355 static $embed = array('image/gif', 'image/jpeg', 'image/png', 'image/svg+xml', // images 356 'application/x-shockwave-flash', 'video/x-flv', 'video/x-ms-wm', // video formats 357 'video/quicktime', 'video/mpeg', 'video/mp4', 358 'audio/mp3', 'audio/x-realaudio-plugin', 'x-realaudio-plugin', // audio formats, 359 ); 360 361 $mimetype = resourcelib_guess_url_mimetype($url->externalurl); 362 363 if (in_array($mimetype, $download)) { 364 return RESOURCELIB_DISPLAY_DOWNLOAD; 365 } 366 if (in_array($mimetype, $embed)) { 367 return RESOURCELIB_DISPLAY_EMBED; 368 } 369 370 // let the browser deal with it somehow 371 return RESOURCELIB_DISPLAY_OPEN; 372 } 373 374 /** 375 * Get the parameters that may be appended to URL 376 * @param object $config url module config options 377 * @return array array describing opt groups 378 */ 379 function url_get_variable_options($config) { 380 global $CFG; 381 382 $options = array(); 383 $options[''] = array('' => get_string('chooseavariable', 'url')); 384 385 $options[get_string('course')] = array( 386 'courseid' => 'id', 387 'coursefullname' => get_string('fullnamecourse'), 388 'courseshortname' => get_string('shortnamecourse'), 389 'courseidnumber' => get_string('idnumbercourse'), 390 'coursesummary' => get_string('summary'), 391 'courseformat' => get_string('format'), 392 ); 393 394 $options[get_string('modulename', 'url')] = array( 395 'urlinstance' => 'id', 396 'urlcmid' => 'cmid', 397 'urlname' => get_string('name'), 398 'urlidnumber' => get_string('idnumbermod'), 399 ); 400 401 $options[get_string('miscellaneous')] = array( 402 'sitename' => get_string('fullsitename'), 403 'serverurl' => get_string('serverurl', 'url'), 404 'currenttime' => get_string('time'), 405 'lang' => get_string('language'), 406 ); 407 if (!empty($config->secretphrase)) { 408 $options[get_string('miscellaneous')]['encryptedcode'] = get_string('encryptedcode'); 409 } 410 411 $options[get_string('user')] = array( 412 'userid' => 'id', 413 'userusername' => get_string('username'), 414 'useridnumber' => get_string('idnumber'), 415 'userfirstname' => get_string('firstname'), 416 'userlastname' => get_string('lastname'), 417 'userfullname' => get_string('fullnameuser'), 418 'useremail' => get_string('email'), 419 'userphone1' => get_string('phone1'), 420 'userphone2' => get_string('phone2'), 421 'userinstitution' => get_string('institution'), 422 'userdepartment' => get_string('department'), 423 'useraddress' => get_string('address'), 424 'usercity' => get_string('city'), 425 'usertimezone' => get_string('timezone'), 426 ); 427 428 if ($config->rolesinparams) { 429 $roles = role_fix_names(get_all_roles()); 430 $roleoptions = array(); 431 foreach ($roles as $role) { 432 $roleoptions['course'.$role->shortname] = get_string('yourwordforx', '', $role->localname); 433 } 434 $options[get_string('roles')] = $roleoptions; 435 } 436 437 return $options; 438 } 439 440 /** 441 * Get the parameter values that may be appended to URL 442 * @param object $url module instance 443 * @param object $cm 444 * @param object $course 445 * @param object $config module config options 446 * @return array of parameter values 447 */ 448 function url_get_variable_values($url, $cm, $course, $config) { 449 global $USER, $CFG; 450 451 $site = get_site(); 452 453 $coursecontext = context_course::instance($course->id); 454 455 $values = array ( 456 'courseid' => $course->id, 457 'coursefullname' => format_string($course->fullname, true, array('context' => $coursecontext)), 458 'courseshortname' => format_string($course->shortname, true, array('context' => $coursecontext)), 459 'courseidnumber' => $course->idnumber, 460 'coursesummary' => $course->summary, 461 'courseformat' => $course->format, 462 'lang' => current_language(), 463 'sitename' => format_string($site->fullname, true, array('context' => $coursecontext)), 464 'serverurl' => $CFG->wwwroot, 465 'currenttime' => time(), 466 'urlinstance' => $url->id, 467 'urlcmid' => $cm->id, 468 'urlname' => format_string($url->name, true, array('context' => $coursecontext)), 469 'urlidnumber' => $cm->idnumber, 470 ); 471 472 if (isloggedin()) { 473 $values['userid'] = $USER->id; 474 $values['userusername'] = $USER->username; 475 $values['useridnumber'] = $USER->idnumber; 476 $values['userfirstname'] = $USER->firstname; 477 $values['userlastname'] = $USER->lastname; 478 $values['userfullname'] = fullname($USER); 479 $values['useremail'] = $USER->email; 480 $values['userphone1'] = $USER->phone1; 481 $values['userphone2'] = $USER->phone2; 482 $values['userinstitution'] = $USER->institution; 483 $values['userdepartment'] = $USER->department; 484 $values['useraddress'] = $USER->address; 485 $values['usercity'] = $USER->city; 486 $now = new DateTime('now', core_date::get_user_timezone_object()); 487 $values['usertimezone'] = $now->getOffset() / 3600.0; // Value in hours for BC. 488 } 489 490 // weak imitation of Single-Sign-On, for backwards compatibility only 491 // NOTE: login hack is not included in 2.0 any more, new contrib auth plugin 492 // needs to be createed if somebody needs the old functionality! 493 if (!empty($config->secretphrase)) { 494 $values['encryptedcode'] = url_get_encrypted_parameter($url, $config); 495 } 496 497 //hmm, this is pretty fragile and slow, why do we need it here?? 498 if ($config->rolesinparams) { 499 $coursecontext = context_course::instance($course->id); 500 $roles = role_fix_names(get_all_roles($coursecontext), $coursecontext, ROLENAME_ALIAS); 501 foreach ($roles as $role) { 502 $values['course'.$role->shortname] = $role->localname; 503 } 504 } 505 506 return $values; 507 } 508 509 /** 510 * BC internal function 511 * @param object $url 512 * @param object $config 513 * @return string 514 */ 515 function url_get_encrypted_parameter($url, $config) { 516 global $CFG; 517 518 if (file_exists("$CFG->dirroot/local/externserverfile.php")) { 519 require_once("$CFG->dirroot/local/externserverfile.php"); 520 if (function_exists('extern_server_file')) { 521 return extern_server_file($url, $config); 522 } 523 } 524 return md5(getremoteaddr().$config->secretphrase); 525 } 526 527 /** 528 * Optimised mimetype detection from general URL 529 * @param $fullurl 530 * @param int $size of the icon. 531 * @return string|null mimetype or null when the filetype is not relevant. 532 */ 533 function url_guess_icon($fullurl, $size = null) { 534 global $CFG; 535 require_once("$CFG->libdir/filelib.php"); 536 537 if (substr_count($fullurl, '/') < 3 or substr($fullurl, -1) === '/') { 538 // Most probably default directory - index.php, index.html, etc. Return null because 539 // we want to use the default module icon instead of the HTML file icon. 540 return null; 541 } 542 543 try { 544 // There can be some cases where the url is invalid making parse_url() to return false. 545 // That will make moodle_url class to throw an exception, so we need to catch the exception to prevent errors. 546 $moodleurl = new moodle_url($fullurl); 547 $fullurl = $moodleurl->out_omit_querystring(); 548 } catch (\moodle_exception $e) { 549 // If an exception is thrown, means the url is invalid. No need to log exception. 550 return null; 551 } 552 553 $icon = file_extension_icon($fullurl, $size); 554 $htmlicon = file_extension_icon('.htm', $size); 555 $unknownicon = file_extension_icon('', $size); 556 $phpicon = file_extension_icon('.php', $size); // Exception for php files. 557 558 // We do not want to return those icon types, the module icon is more appropriate. 559 if ($icon === $unknownicon || $icon === $htmlicon || $icon === $phpicon) { 560 return null; 561 } 562 563 return $icon; 564 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
