MDL-71981 user: escape identity fields if writer supports HTML.
authorPaul Holden <paulh@moodle.com>
Fri, 18 Jun 2021 11:26:18 +0000 (12:26 +0100)
committerAdrian Greeve <abgreeve@gmail.com>
Tue, 6 Jul 2021 01:27:15 +0000 (09:27 +0800)
admin/user/user_bulk_download.php
user/action_redir.php

index 79f3b34..a6e69d0 100644 (file)
@@ -60,7 +60,9 @@ if ($dataformat) {
     $downloadusers = new ArrayObject($SESSION->bulk_users);
     $iterator = $downloadusers->getIterator();
 
-    \core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid) use ($extrafields, $fields) {
+    \core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid, $supportshtml)
+            use ($extrafields, $fields) {
+
         global $DB;
 
         if (!$user = $DB->get_record('user', array('id' => $userid))) {
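Review bot: The new `$supportshtml` closure parameter on the `download_data` callback is untyped and undocumented, while the equivalent callback added in user/action_redir.php declares `stdClass $record, bool $supportshtml`; the two call sites should agree, e.g. `function(int $userid, bool $supportshtml) use ($extrafields, $fields): array {`. A short comment above the call would also help the next reader, e.g. `// $supportshtml is set by the writer; user-supplied field values must be escaped when it is true.` The stray blank line directly after the opening brace is unconventional for the codebase. The closure body continues past the end of this hunk.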
@@ -74,6 +76,8 @@ if ($dataformat) {
             // We only take the text.
             if (is_array($user->$field)) {
                 $userprofiledata[$field] = reset($user->$field);
+            } else if ($supportshtml) {
+                $userprofiledata[$field] = s($user->$field);
             } else {
                 $userprofiledata[$field] = $user->$field;
             }
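Review bot: The escaping is only applied in the scalar branch, so when a profile field value is an array the text taken by `reset($user->$field)` is still passed through unescaped even though `$supportshtml` is true; unless that text is already safe HTML (not visible here), it should be escaped too, e.g. `$userprofiledata[$field] = $supportshtml ? s(reset($user->$field)) : reset($user->$field);`. The same guard then applies consistently to both shapes of value. The closure this branch belongs to starts in the previous hunk and ends outside this one.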
index c304136..5769176 100644 (file)
@@ -132,7 +132,23 @@ if ($formaction == 'bulkchange.php') {
                           ORDER BY {$userordersql}";
 
                     $rs = $DB->get_recordset_sql($sql, $params);
-                    \core\dataformat::download_data('courseid_' . $course->id . '_participants', $dataformat, $columnnames, $rs);
+
+                    // Provide callback to pre-process all records ensuring user identity fields are escaped if HTML supported.
+                    \core\dataformat::download_data(
+                        'courseid_' . $course->id . '_participants',
+                        $dataformat,
+                        $columnnames,
+                        $rs,
+                        function(stdClass $record, bool $supportshtml) use ($identityfields): stdClass {
+                            if ($supportshtml) {
+                                foreach ($identityfields as $identityfield) {
+                                    $record->{$identityfield} = s($record->{$identityfield});
+                                }
+                            }
+
+                            return $record;
+                        }
+                    );
                     $rs->close();
                 }
             }
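Review bot: The callback escapes only `$identityfields`, so any other user-controlled column carried in `$record` (for example a fullname built from the user's name fields, if `$columnnames` includes one) would still reach an HTML-capable writer unescaped; it is worth confirming against the column list built above this hunk, and documenting the assumption in the comment, e.g. `// Identity fields are the only user-supplied columns in this export; anything added later must be escaped here as well.` The loop also assumes every identity field is present on each record returned by `$sql`, which holds only if the select list (partly outside this hunk) includes them all. Both points are inferred from the visible lines, not verified.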