From c8422c4000c29cd36e53e17b791ba12f175eb889 Mon Sep 17 00:00:00 2001
From: Stefan Hanauska <stefan.hanauska@csg-in.de>
Date: Tue, 13 Feb 2024 10:31:52 +0100
Subject: [PATCH] MBS-8802: Fix handling of title strings

---
 classes/boardmanager.php  | 4 ++--
 lib.php                   | 8 +++-----
 templates/card.mustache   | 2 +-
 templates/column.mustache | 2 +-
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/classes/boardmanager.php b/classes/boardmanager.php
index 5e2d73b0..20635f51 100644
--- a/classes/boardmanager.php
+++ b/classes/boardmanager.php
@@ -816,7 +816,7 @@ public function update_card(int $cardid, array $data): void {
         ];
         // Do some extra sanitizing.
         if (isset($data['title'])) {
-            $data['title'] = clean_param($data['title'], PARAM_TEXT);
+            $data['title'] = s($data['title']);
         }
         if (isset($data['description'])) {
             $data['description'] = clean_param($data['description'], PARAM_CLEANHTML);
@@ -946,7 +946,7 @@ public function update_column(int $columnid, array $data): void {
             'autohide' => $data['autohide'],
         ];
         if (isset($data['title'])) {
-            $data['title'] = clean_param($data['title'], PARAM_TEXT);
+            $data['title'] = s($data['title']);
         }
         $columndata = [
             'id' => $columnid,
diff --git a/lib.php b/lib.php
index 8d40b5f2..64b92ff5 100644
--- a/lib.php
+++ b/lib.php
@@ -159,17 +159,15 @@ function kanban_inplace_editable($itemtype, $itemid, $newvalue) {
 
     \mod_kanban\helper::check_permissions_for_user_or_group($boardmanager->get_board(), $context, $boardmanager->get_cminfo());
 
-    $newtitle = clean_param($newvalue, PARAM_TEXT);
-
     if ($itemtype == 'card') {
-        $boardmanager->update_card($itemid, ['title' => $newtitle]);
+        $boardmanager->update_card($itemid, ['title' => $newvalue]);
     }
 
     if ($itemtype == 'column') {
-        $boardmanager->update_column($itemid, ['title' => $newtitle]);
+        $boardmanager->update_column($itemid, ['title' => $newvalue]);
     }
 
-    return new \core\output\inplace_editable('mod_kanban', $itemtype, $itemid, true, $newtitle, $newtitle, null, '');
+    return new \core\output\inplace_editable('mod_kanban', $itemtype, $itemid, true, $newvalue, $newvalue, null, '');
 }
 
 /**
diff --git a/templates/card.mustache b/templates/card.mustache
index ac7f8607..d9b6468c 100644
--- a/templates/card.mustache
+++ b/templates/card.mustache
@@ -36,7 +36,7 @@
             <span class="inplaceeditable inplaceeditable-text"{{#canedit}}{{^completed}} data-inplaceeditable="1" data-component="mod_kanban" data-itemtype="card" data-itemid="{{id}}"
         data-value="{{title}}" data-type="text"{{/completed}}{{/canedit}}>
                 <a href="#" class="quickeditlink aalink"{{#canedit}}{{^completed}} data-inplaceeditablelink="1"{{/completed}}{{/canedit}}>
-                {{title}}
+                {{{title}}}
                 </a>
             </span>
         </div>
diff --git a/templates/column.mustache b/templates/column.mustache
index 0f9886b5..183955a7 100644
--- a/templates/column.mustache
+++ b/templates/column.mustache
@@ -34,7 +34,7 @@
     <span class="inplaceeditable inplaceeditable-text"{{#managecolumns}} {{^locked}}data-inplaceeditable="1" {{/locked}}data-component="mod_kanban" data-itemtype="column" data-itemid="{{id}}"
     data-value="{{title}}" data-type="text"{{/managecolumns}}>
         <a href="#" class="quickeditlink aalink"{{#managecolumns}} data-inplaceeditablelink="1"{{/managecolumns}}>
-            {{title}}
+            {{{title}}}
         </a>
     </span>
     </h5>