diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index b8489f5d39f56..d10f31d7a9742 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -3258,6 +3258,8 @@ function require_user_key_login($script, $instance = null, $keyvalue = null) {
         print_error('invaliduserid');
     }
 
+    core_user::require_active_user($user, true, true);
+
     // Emulate normal session.
     enrol_check_plugins($user);
     \core\session\manager::set_user($user);
diff --git a/tokenpluginfile.php b/tokenpluginfile.php
index 156d4126f8039..22449ad414d5f 100644
--- a/tokenpluginfile.php
+++ b/tokenpluginfile.php
@@ -37,6 +37,7 @@
     $relativepath = ltrim($relativepath, '/');
     $pathparts = explode('/', $relativepath, 2);
     $token = $pathparts[0];
+    $token = clean_param($token, PARAM_ALPHANUM);
     $relativepath = "/{$pathparts[1]}";
 }