MDL-71016 gradeexport_xml: ensure user/grade idnumbers are encoded.
[moodle.git] / grade / export / xml / grade_export_xml.php
1 <?php
3 // This file is part of Moodle - http://moodle.org/
4 //
5 // Moodle is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // Moodle is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 // GNU General Public License for more details.
14 //
15 // You should have received a copy of the GNU General Public License
16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
18 require_once($CFG->dirroot.'/grade/export/lib.php');
19 require_once($CFG->libdir.'/filelib.php');
21 class grade_export_xml extends grade_export {
23     public $plugin = 'xml';
24     public $updatedgradesonly = false; // default to export ALL grades
26     /**
27      * Ensure we produce correctly formed XML content by encoding idnumbers appropriately
28      *
29      * @param string $idnumber
30      * @return string
31      */
32     private static function xml_export_idnumber(string $idnumber): string {
33         return htmlspecialchars($idnumber, ENT_QUOTES | ENT_XML1);
34     }
36     /**
37      * To be implemented by child classes
38      * @param boolean $feedback
39      * @param boolean $publish Whether to output directly, or send as a file
40      * @return string
41      */
42     public function print_grades($feedback = false) {
43         global $CFG;
44         require_once($CFG->libdir.'/filelib.php');
46         $export_tracking = $this->track_exports();
48         $strgrades = get_string('grades');
50         /// Calculate file name
51         $shortname = format_string($this->course->shortname, true, array('context' => context_course::instance($this->course->id)));
52         $downloadfilename = clean_filename("$shortname $strgrades.xml");
54         make_temp_directory('gradeexport');
55         $tempfilename = $CFG->tempdir .'/gradeexport/'. md5(sesskey().microtime().$downloadfilename);
56         if (!$handle = fopen($tempfilename, 'w+b')) {
57             print_error('cannotcreatetempdir');
58         }
60         /// time stamp to ensure uniqueness of batch export
61         fwrite($handle,  '<results batch="xml_export_'.time().'">'."\n");
63         $export_buffer = array();
65         $geub = new grade_export_update_buffer();
66         $gui = new graded_users_iterator($this->course, $this->columns, $this->groupid);
67         $gui->require_active_enrolment($this->onlyactive);
68         $gui->init();
69         while ($userdata = $gui->next_user()) {
70             $user = $userdata->user;
72             if (empty($user->idnumber)) {
73                 //id number must exist otherwise we cant match up students when importing
74                 continue;
75             }
77             // studentgrades[] index should match with corresponding $index
78             foreach ($userdata->grades as $itemid => $grade) {
79                 $grade_item = $this->grade_items[$itemid];
80                 $grade->grade_item =& $grade_item;
82                 // MDL-11669, skip exported grades or bad grades (if setting says so)
83                 if ($export_tracking) {
84                     $status = $geub->track($grade);
85                     if ($this->updatedgradesonly && ($status == 'nochange' || $status == 'unknown')) {
86                         continue;
87                     }
88                 }
90                 fwrite($handle,  "\t<result>\n");
92                 if ($export_tracking) {
93                     fwrite($handle,  "\t\t<state>$status</state>\n");
94                 }
96                 // only need id number
97                 $gradeitemidnumber = self::xml_export_idnumber($grade_item->idnumber);
98                 fwrite($handle, "\t\t<assignment>{$gradeitemidnumber}</assignment>\n");
99                 // this column should be customizable to use either student id, idnumber, uesrname or email.
100                 $useridnumber = self::xml_export_idnumber($user->idnumber);
101                 fwrite($handle, "\t\t<student>{$useridnumber}</student>\n");
102                 // Format and display the grade in the selected display type (real, letter, percentage).
103                 if (is_array($this->displaytype)) {
104                     // Grades display type came from the return of export_bulk_export_data() on grade publishing.
105                     foreach ($this->displaytype as $gradedisplayconst) {
106                         $gradestr = $this->format_grade($grade, $gradedisplayconst);
107                         fwrite($handle,  "\t\t<score>$gradestr</score>\n");
108                     }
109                 } else {
110                     // Grade display type submitted directly from the grade export form.
111                     $gradestr = $this->format_grade($grade, $this->displaytype);
112                     fwrite($handle,  "\t\t<score>$gradestr</score>\n");
113                 }
115                 if ($this->export_feedback) {
116                     $feedbackstr = $this->format_feedback($userdata->feedbacks[$itemid], $grade);
117                     fwrite($handle,  "\t\t<feedback>$feedbackstr</feedback>\n");
118                 }
119                 fwrite($handle,  "\t</result>\n");
120             }
121         }
122         fwrite($handle,  "</results>");
123         fclose($handle);
124         $gui->close();
125         $geub->close();
127         if (defined('BEHAT_SITE_RUNNING')) {
128             // If behat is running, we cannot test the output if we force a file download.
129             include($tempfilename);
130         } else {
131             @header("Content-type: text/xml; charset=UTF-8");
132             send_temp_file($tempfilename, $downloadfilename, false);
133         }
134     }