MDL-71981 user: escape identity fields if writer supports HTML.
[moodle.git] / user / action_redir.php
index c304136..5769176 100644 (file)
@@ -132,7 +132,23 @@ if ($formaction == 'bulkchange.php') {
                           ORDER BY {$userordersql}";
 
                     $rs = $DB->get_recordset_sql($sql, $params);
-                    \core\dataformat::download_data('courseid_' . $course->id . '_participants', $dataformat, $columnnames, $rs);
+
+                    // Provide callback to pre-process all records ensuring user identity fields are escaped if HTML supported.
+                    \core\dataformat::download_data(
+                        'courseid_' . $course->id . '_participants',
+                        $dataformat,
+                        $columnnames,
+                        $rs,
+                        function(stdClass $record, bool $supportshtml) use ($identityfields): stdClass {
+                            if ($supportshtml) {
+                                foreach ($identityfields as $identityfield) {
+                                    $record->{$identityfield} = s($record->{$identityfield});
+                                }
+                            }
+
+                            return $record;
+                        }
+                    );
                     $rs->close();
                 }
             }
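Review bot: The callback passed to `\core\dataformat::download_data()` escapes only the columns named in `$identityfields`, so any other user-editable column in the export would still reach an HTML-capable writer unescaped. The column list is built outside this hunk, so this is inferred. If `$columnnames` also carries name columns, the loop could cover every string property of the record instead, e.g. `foreach ($record as $field => $value) { if (is_string($value)) { $record->{$field} = s($value); } }`. The comment above the call should also say that `s()` protects HTML output only: when `$supportshtml` is false the values pass through unchanged, and a spreadsheet application may still treat a cell starting with `=` as a formula. The enclosing `if ($formaction == ...)` block starts and ends outside the hunk.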