MDL-71981 user: escape identity fields if writer supports HTML.

Paul Holden 2021-06-18 12:26:18 +01:00 committed by Adrian Greeve
parent f3b3684e5b
commit 526f5eccb9
2 changed files with 22 additions and 2 deletions


@ -60,7 +60,9 @@ if ($dataformat) {
$downloadusers = new ArrayObject($SESSION->bulk_users);
$iterator = $downloadusers->getIterator();
\core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid) use ($extrafields, $fields) {
\core\dataformat::download_data($filename, $dataformat, $fields, $iterator, function($userid, $supportshtml)
use ($extrafields, $fields) {
global $DB;
if (!$user = $DB->get_record('user', array('id' => $userid))) {
@ -74,6 +76,8 @@ if ($dataformat) {
// We only take the text.
if (is_array($user->$field)) {
$userprofiledata[$field] = reset($user->$field);
} else if ($supportshtml) {
$userprofiledata[$field] = s($user->$field);
} else {
$userprofiledata[$field] = $user->$field;
}
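Review bot: In the second hunk the `is_array($user->$field)` branch is tested before `$supportshtml`, so array-valued profile fields are written via `reset($user->$field)` without passing through `s()` even when the writer supports HTML. Whether that text is cleaned elsewhere is not visible here; if it is not, it reaches the HTML output unescaped. Consider `$value = is_array($user->$field) ? reset($user->$field) : $user->$field;` followed by `$userprofiledata[$field] = $supportshtml ? s($value) : $value;`, or add a comment stating why the array case is exempt. The callback signature in the first hunk could also declare `bool $supportshtml`, matching the typed callback in the other file of this commit. The enclosing closure starts and ends outside these hunks.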


@ -132,7 +132,23 @@ if ($formaction == 'bulkchange.php') {
ORDER BY {$userordersql}";
$rs = $DB->get_recordset_sql($sql, $params);
\core\dataformat::download_data('courseid_' . $course->id . '_participants', $dataformat, $columnnames, $rs);
// Provide callback to pre-process all records ensuring user identity fields are escaped if HTML supported.
\core\dataformat::download_data(
'courseid_' . $course->id . '_participants',
$dataformat,
$columnnames,
$rs,
function(stdClass $record, bool $supportshtml) use ($identityfields): stdClass {
if ($supportshtml) {
foreach ($identityfields as $identityfield) {
$record->{$identityfield} = s($record->{$identityfield});
}
}
return $record;
}
);
$rs->close();
}
}
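Review bot: The callback escapes only the fields listed in `$identityfields`, while the exported columns come from `$columnnames`, so any column outside `$identityfields` would still reach an HTML-capable writer unescaped. Neither array's definition is visible in this hunk, so this needs confirming against the query above. If other user-supplied columns are exported, escape every value instead, e.g. `foreach (get_object_vars($record) as $name => $value) { $record->{$name} = s($value); }`. If the loop stays as it is, an `isset($record->{$identityfield})` guard would keep it from creating properties the recordset did not return.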