diff --git a/backup/moodle2/restore_block_task.class.php b/backup/moodle2/restore_block_task.class.php
index eb5cd471788..d7082cf22c2 100644
--- a/backup/moodle2/restore_block_task.class.php
+++ b/backup/moodle2/restore_block_task.class.php
@@ -162,6 +162,16 @@ abstract class restore_block_task extends restore_task {
      */
     abstract public function get_configdata_encoded_attributes();
 
+    /**
+     * Helper method to safely unserialize block configuration during restore
+     *
+     * @param string $configdata The original base64 encoded block config, as retrieved from the block_instances table
+     * @return stdClass
+     */
+    protected function decode_configdata(string $configdata): stdClass {
+        return unserialize_object(base64_decode($configdata));
+    }
+
     /**
      * Define the contents in the activity that must be
      * processed by the link decoder
diff --git a/backup/moodle2/restore_stepslib.php b/backup/moodle2/restore_stepslib.php
index 5b6d3cde29c..8ebe133bd54 100644
--- a/backup/moodle2/restore_stepslib.php
+++ b/backup/moodle2/restore_stepslib.php
@@ -4305,7 +4305,7 @@ class restore_block_instance_structure_step extends restore_structure_step {
         // Let's look for anything within configdata neededing processing
         // (nulls and uses of legacy file.php)
         if ($attrstotransform = $this->task->get_configdata_encoded_attributes()) {
-            $configdata = (array)unserialize(base64_decode($data->configdata));
+            $configdata = (array) unserialize_object(base64_decode($data->configdata));
             foreach ($configdata as $attribute => $value) {
                 if (in_array($attribute, $attrstotransform)) {
                     $configdata[$attribute] = $this->contentprocessor->process_cdata($value);
diff --git a/blocks/activity_results/backup/moodle2/restore_activity_results_block_task.class.php b/blocks/activity_results/backup/moodle2/restore_activity_results_block_task.class.php
index 42be2923098..3bf04f823cd 100644
--- a/blocks/activity_results/backup/moodle2/restore_activity_results_block_task.class.php
+++ b/blocks/activity_results/backup/moodle2/restore_activity_results_block_task.class.php
@@ -73,7 +73,7 @@ class restore_activity_results_block_task extends restore_block_task {
         $blockid = $this->get_blockid();
 
         if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
-            $config = unserialize(base64_decode($configdata));
+            $config = $this->decode_configdata($configdata);
             if (!empty($config->activityparentid)) {
                 // Get the mapping and replace it in config.
                 if ($mapping = restore_dbops::get_backup_ids_record($this->get_restoreid(),
diff --git a/blocks/glossary_random/backup/moodle2/restore_glossary_random_block_task.class.php b/blocks/glossary_random/backup/moodle2/restore_glossary_random_block_task.class.php
index 236351cf33b..a313155fa48 100644
--- a/blocks/glossary_random/backup/moodle2/restore_glossary_random_block_task.class.php
+++ b/blocks/glossary_random/backup/moodle2/restore_glossary_random_block_task.class.php
@@ -58,7 +58,7 @@ class restore_glossary_random_block_task extends restore_block_task {
 
         // Extract block configdata and update it to point to the new glossary
         if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
-            $config = unserialize(base64_decode($configdata));
+            $config = $this->decode_configdata($configdata);
             if (!empty($config->glossary)) {
                 if ($glossarymap = restore_dbops::get_backup_ids_record($this->get_restoreid(), 'glossary', $config->glossary)) {
                     // Get glossary mapping and replace it in config
diff --git a/blocks/html/backup/moodle2/restore_html_block_task.class.php b/blocks/html/backup/moodle2/restore_html_block_task.class.php
index c3ce29b9f35..88d9e257b52 100644
--- a/blocks/html/backup/moodle2/restore_html_block_task.class.php
+++ b/blocks/html/backup/moodle2/restore_html_block_task.class.php
@@ -82,7 +82,7 @@ class restore_html_block_decode_content extends restore_decode_content {
     }
 
     protected function preprocess_field($field) {
-        $this->configdata = unserialize(base64_decode($field));
+        $this->configdata = unserialize_object(base64_decode($field));
         return isset($this->configdata->text) ? $this->configdata->text : '';
     }
 
diff --git a/blocks/html/classes/search/content.php b/blocks/html/classes/search/content.php
index 32b20b9ee92..c04a9236a13 100644
--- a/blocks/html/classes/search/content.php
+++ b/blocks/html/classes/search/content.php
@@ -43,7 +43,7 @@ class content extends \core_search\base_block {
                 $this->componentname, $this->areaname);
 
         // Get stdclass object with data from DB.
-        $data = unserialize(base64_decode($record->configdata));
+        $data = unserialize_object(base64_decode($record->configdata));
 
         // Get content.
         $content = content_to_text($data->text, $data->format);
diff --git a/blocks/html/edit_form.php b/blocks/html/edit_form.php
index 1f04ea71a58..c92c8c5b50b 100644
--- a/blocks/html/edit_form.php
+++ b/blocks/html/edit_form.php
@@ -51,7 +51,7 @@ class block_html_edit_form extends block_edit_form {
     }
 
     function set_data($defaults) {
-        if (!empty($this->block->config) && is_object($this->block->config)) {
+        if (!empty($this->block->config) && !empty($this->block->config->text)) {
             $text = $this->block->config->text;
             $draftid_editor = file_get_submitted_draft_itemid('config_text');
             if (empty($text)) {
@@ -61,7 +61,7 @@ class block_html_edit_form extends block_edit_form {
             }
             $defaults->config_text['text'] = file_prepare_draft_area($draftid_editor, $this->block->context->id, 'block_html', 'content', 0, array('subdirs'=>true), $currenttext);
             $defaults->config_text['itemid'] = $draftid_editor;
-            $defaults->config_text['format'] = $this->block->config->format;
+            $defaults->config_text['format'] = $this->block->config->format ?? FORMAT_MOODLE;
         } else {
             $text = '';
         }
diff --git a/blocks/html/lib.php b/blocks/html/lib.php
index 89f5ec1894b..a9891638fea 100644
--- a/blocks/html/lib.php
+++ b/blocks/html/lib.php
@@ -100,7 +100,7 @@ function block_html_global_db_replace($search, $replace) {
     $instances = $DB->get_recordset('block_instances', array('blockname' => 'html'));
     foreach ($instances as $instance) {
         // TODO: intentionally hardcoded until MDL-26800 is fixed
-        $config = unserialize(base64_decode($instance->configdata));
+        $config = unserialize_object(base64_decode($instance->configdata));
         if (isset($config->text) and is_string($config->text)) {
             $config->text = str_replace($search, $replace, $config->text);
             $DB->update_record('block_instances', ['id' => $instance->id,
diff --git a/blocks/moodleblock.class.php b/blocks/moodleblock.class.php
index 873434b9b37..76de67eef6a 100644
--- a/blocks/moodleblock.class.php
+++ b/blocks/moodleblock.class.php
@@ -470,7 +470,7 @@ class block_base {
      */
     function _load_instance($instance, $page) {
         if (!empty($instance->configdata)) {
-            $this->config = unserialize(base64_decode($instance->configdata));
+            $this->config = unserialize_object(base64_decode($instance->configdata));
         }
         $this->instance = $instance;
         $this->context = context_block::instance($instance->id);
diff --git a/blocks/quiz_results/backup/moodle2/restore_quiz_results_block_task.class.php b/blocks/quiz_results/backup/moodle2/restore_quiz_results_block_task.class.php
index 9aff8395b19..27a88013a18 100644
--- a/blocks/quiz_results/backup/moodle2/restore_quiz_results_block_task.class.php
+++ b/blocks/quiz_results/backup/moodle2/restore_quiz_results_block_task.class.php
@@ -66,8 +66,7 @@ class restore_quiz_results_block_task extends restore_block_task {
 
         // The block was configured.
         if (!empty($configdata)) {
-
-            $config = unserialize(base64_decode($configdata));
+            $config = $this->decode_configdata($configdata);
             $config->activityparent = 'quiz';
             $config->activityparentid = 0;
             $config->gradeformat = isset($config->gradeformat) ? $config->gradeformat : 1;
diff --git a/blocks/rss_client/backup/moodle2/backup_rss_client_stepslib.php b/blocks/rss_client/backup/moodle2/backup_rss_client_stepslib.php
index 437d7089d93..956dc3ba396 100644
--- a/blocks/rss_client/backup/moodle2/backup_rss_client_stepslib.php
+++ b/blocks/rss_client/backup/moodle2/backup_rss_client_stepslib.php
@@ -36,7 +36,7 @@ class backup_rss_client_block_structure_step extends backup_block_structure_step
         // Get the block
         $block = $DB->get_record('block_instances', array('id' => $this->task->get_blockid()));
         // Extract configdata
-        $config = unserialize(base64_decode($block->configdata));
+        $config = unserialize_object(base64_decode($block->configdata));
         // Get array of used rss feeds
         if (!empty($config->rssid)) {
             $feedids = $config->rssid;
diff --git a/blocks/rss_client/backup/moodle2/restore_rss_client_stepslib.php b/blocks/rss_client/backup/moodle2/restore_rss_client_stepslib.php
index cdd978349b1..7db296f42e4 100644
--- a/blocks/rss_client/backup/moodle2/restore_rss_client_stepslib.php
+++ b/blocks/rss_client/backup/moodle2/restore_rss_client_stepslib.php
@@ -76,10 +76,7 @@ class restore_rss_client_block_structure_step extends restore_structure_step {
         // Get the configdata
         $configdata = $DB->get_field('block_instances', 'configdata', array('id' => $this->task->get_blockid()));
         // Extract configdata
-        $config = unserialize(base64_decode($configdata));
-        if (empty($config)) {
-            $config = new stdClass();
-        }
+        $config = unserialize_object(base64_decode($configdata));
         // Set array of used rss feeds
         $config->rssid = $feedsarr;
         // Serialize back the configdata
diff --git a/blocks/rss_client/edit_form.php b/blocks/rss_client/edit_form.php
index 0c700605383..f232bcd4049 100644
--- a/blocks/rss_client/edit_form.php
+++ b/blocks/rss_client/edit_form.php
@@ -49,9 +49,8 @@ class block_rss_client_edit_form extends block_edit_form {
 
         $insql = '';
         $params = array('userid' => $USER->id);
-        $rssconfig = unserialize(base64_decode($this->block->instance->configdata));
-        if ($rssconfig && !empty($rssconfig->rssid)) {
-            list($insql, $inparams) = $DB->get_in_or_equal($rssconfig->rssid, SQL_PARAMS_NAMED);
+        if (!empty($this->block->config) && !empty($this->block->config->rssid)) {
+            list($insql, $inparams) = $DB->get_in_or_equal($this->block->config->rssid, SQL_PARAMS_NAMED);
             $insql = "OR id $insql ";
             $params += $inparams;
         }
diff --git a/blocks/tags/backup/moodle2/restore_tags_block_task.class.php b/blocks/tags/backup/moodle2/restore_tags_block_task.class.php
index 11d2087b919..a82e5b23795 100644
--- a/blocks/tags/backup/moodle2/restore_tags_block_task.class.php
+++ b/blocks/tags/backup/moodle2/restore_tags_block_task.class.php
@@ -57,7 +57,7 @@ class restore_tags_block_task extends restore_block_task {
 
         // Extract block configdata and remove tag collection reference if this is another site. Also map contextid.
         if ($configdata = $DB->get_field('block_instances', 'configdata', array('id' => $blockid))) {
-            $config = unserialize(base64_decode($configdata));
+            $config = $this->decode_configdata($configdata);
             $changed = false;
             if (!empty($config->tagcoll) && $config->tagcoll > 1 && !$this->is_samesite()) {
                 $config->tagcoll = 0;