MDL-66762 user: escape extra/email user fields.

2025-08-08 10:26:40 +02:00 · 2019-10-07 17:33:48 +01:00 · 2019-10-07 17:33:48 +01:00 · 7455b741c9
commit 7455b741c9
parent eb9f830604
11 changed files with 14 additions and 17 deletions
--- a/admin/tool/dataprivacy/classes/external.php
+++ b/admin/tool/dataprivacy/classes/external.php
@ -724,7 +724,7 @@ class external extends external_api {
            foreach ($extrafields as $extrafield) {
                $useroption->extrafields[] = (object)[
                    'name' => $extrafield,
-                    'value' => $user->$extrafield
+                    'value' => $user->{$extrafield}
                ];
            }
            $useroptions[$user->id] = $useroption;
@ -748,7 +748,7 @@ class external extends external_api {
                'extrafields' => new external_multiple_structure(
                    new external_single_structure([
                            'name' => new external_value(PARAM_TEXT, 'Name of the extrafield.'),
-                            'value' => new external_value(PARAM_TEXT, 'Value of the extrafield.')
+                            'value' => new external_value(PARAM_RAW_TRIMMED, 'Value of the extrafield.')
                        ]
                    ), 'List of extra fields', VALUE_OPTIONAL
                )