MDL-54010 roles: Fix missing HTMLspecialchars in role export code.

Role name and description fields are currently not escaped when exporting a role. This results in an unusable file when characters such as ampersands are used in a name or description. Fix this by using htmlspecialchars on both fields. Signed-off-by: Nigel Cunningham <[email protected]>
robjoyce · May 26, 2016 · d50a9a9 · d50a9a9
1 parent 6a74e76
commit d50a9a9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/admin/roles/classes/preset.php b/admin/roles/classes/preset.php
@@ -71,8 +71,8 @@ public static function get_export_xml($roleid) {
         $dom->appendChild($top);
 
         $top->appendChild($dom->createElement('shortname', $role->shortname));
-        $top->appendChild($dom->createElement('name', $role->name));
-        $top->appendChild($dom->createElement('description', $role->description));
+        $top->appendChild($dom->createElement('name', htmlspecialchars($role->name)));
+        $top->appendChild($dom->createElement('description', htmlspecialchars($role->description)));
         $top->appendChild($dom->createElement('archetype', $role->archetype));
 
         $contextlevels = $dom->createElement('contextlevels');