From 526f5eccb9a55ca765dafa7b2e0a04c47c8b85e5 Mon Sep 17 00:00:00 2001
From: Paul Holden
Date: Fri, 18 Jun 2021 12:26:18 +0100
Subject: [PATCH] MDL-71981 user: escape identity fields if writer supports HTML.
---
 admin/user/user_bulk_download.php | 6 +++++-
 user/action_redir.php | 18 +++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/admin/user/user_bulk_download.php b/admin/user/user_bulk_download.php
index 79f3b34c4ca..a6e69d08a5d 100644
--- a/admin/user/user_bulk_download.php
+++ b/admin/user/user_bulk_download.php
@@ -60,7 +60,9 @@ if ($dataformat) {
 $downloadusers = new ArrayObject($SESSION->bulk_users);
 $iterator = $downloadusers->getIterator();
- \core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid) use ($extrafields, $fields) {
+ \core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid, $supportshtml)
+ use ($extrafields, $fields) {
+ global $DB;
 if (!$user = $DB->get_record('user', array('id' => $userid))) {
@@ -74,6 +76,8 @@ if ($dataformat) {
 // We only take the text.
 if (is_array($user->$field)) {
 $userprofiledata[$field] = reset($user->$field);
+ } else if ($supportshtml) {
+ $userprofiledata[$field] = s($user->$field);
 } else {
 $userprofiledata[$field] = $user->$field;
 }
diff --git a/user/action_redir.php b/user/action_redir.php
index c3041365e53..576917689cd 100644
--- a/user/action_redir.php
+++ b/user/action_redir.php
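Review bot: The new `$supportshtml` parameter on the closure passed to download_data is left untyped, while the equivalent closure added to user/action_redir.php in this same patch declares `bool $supportshtml`; `function($userid, bool $supportshtml)` would keep the two callbacks consistent and make the contract with `\core\dataformat::download_data` visible at the call site. The closure body starts in this hunk and continues past its end, so its remaining parameters and return value cannot be checked here.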
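Review bot: The `is_array($user->$field)` branch at the top of the second hunk still assigns `reset($user->$field)` unescaped even when `$supportshtml` is true, so only scalar field values receive `s()`; if the first element of such a field can hold user-entered text it reaches an HTML-capable writer raw, and if leaving it as-is is intentional the branch deserves a comment such as `// Array-valued fields are written as-is (only the text part is taken); scalar values are escaped below when the writer supports HTML.`. Whether that is safe cannot be confirmed from the hunk, since how `$user->$field` is populated lies outside it. The enclosing closure and its loop over `$fields` begin and end outside the hunk.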
@@ -132,7 +132,23 @@ if ($formaction == 'bulkchange.php') {
 ORDER BY {$userordersql}";
 $rs = $DB->get_recordset_sql($sql, $params);
- \core\dataformat::download_data('courseid_' . $course->id . '_participants', $dataformat, $columnnames, $rs);
+
+ // Provide callback to pre-process all records ensuring user identity fields are escaped if HTML supported.
+ \core\dataformat::download_data(
+ 'courseid_' . $course->id . '_participants',
+ $dataformat,
+ $columnnames,
+ $rs,
+ function(stdClass $record, bool $supportshtml) use ($identityfields): stdClass {
+ if ($supportshtml) {
+ foreach ($identityfields as $identityfield) {
+ $record->{$identityfield} = s($record->{$identityfield});
+ }
+ }
+
+ return $record;
+ }
+ );
 $rs->close();
 }
 }
--
2.43.0
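Review bot: The callback passed to download_data escapes only the columns listed in `$identityfields`, so any other column selected into `$rs` and named in `$columnnames` (both built outside the hunk) still reaches an HTML-capable writer unescaped when `$supportshtml` is true; it is worth confirming that every column in `$columnnames` is either covered by `$identityfields` or not user-controlled. The closure also assumes each identity field is present on every record — `s($record->{$identityfield})` would trigger an undefined-property warning if the SELECT omitted one — and a one-line comment above the closure stating that `$identityfields` must be a subset of the selected columns would make that contract explicit. The `if ($formaction == 'bulkchange.php')` block containing this call starts before the hunk.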