MDL-13088 - database presets weren't escaping bad chars, causing presets
authorpoltawski <poltawski>
Thu, 24 Jan 2008 19:41:17 +0000 (19:41 +0000)
committerpoltawski <poltawski>
Thu, 24 Jan 2008 19:41:17 +0000 (19:41 +0000)
to break with a rogue <
merged from MOODLE_19_STABLE

mod/data/lib.php

index 7d449bd9cbcab6aef09fb6861cd006d4ce9537b1..daa023bd0dbc752e5092606a78e0a13b32fe4181 100755 (executable)
@@ -1827,7 +1827,7 @@ function data_presets_export($course, $cm, $data) {
 
     $presetxml .= "<settings>\n";
     foreach ($settingssaved as $setting) {
-        $presetxml .= "<$setting>{$data->$setting}</$setting>\n";
+        $presetxml .= "<$setting>".htmlentities($data->$setting)."</$setting>\n";
     }
     $presetxml .= "</settings>\n\n";
 
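Review bot: htmlentities() on the new lines in both hunks (the `<$setting>` line here and the `<$key>` line in the field loop) emits HTML named entities such as `&eacute;` or `&nbsp;`, which an XML parser rejects unless a DTD declares them, so a preset containing accented text can still fail to parse on import. Called without a charset argument it also uses the PHP default, which before PHP 5.4 is ISO-8859-1 and would turn each byte of a UTF-8 character into its own entity. Escaping only the XML-significant characters avoids both problems: `htmlspecialchars($data->$setting, ENT_QUOTES, 'UTF-8')` and `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. The import code is not part of this diff, so confirm that it decodes the same entity set before relying on the round trip. The body of data_presets_export starts and ends outside both hunks.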
@@ -1837,7 +1837,7 @@ function data_presets_export($course, $cm, $data) {
             $presetxml .= "<field>\n";
             foreach ($field as $key => $value) {
                 if ($value != '' && $key != 'id' && $key != 'dataid') {
-                    $presetxml .= "<$key>$value</$key>\n";
+                    $presetxml .= "<$key>".htmlentities($value)."</$key>\n";
                 }
             }
             $presetxml .= "</field>\n\n";