From a6f57fb2ef28cd8c8e5101548e2827d17d97262d Mon Sep 17 00:00:00 2001
From: tjhunt
Date: Wed, 29 Jul 2009 08:52:49 +0000
Subject: [PATCH] MDL-19756 Try to bring some consistency to how we handle & is attribute values.
---
 lib/outputlib.php | 5 +++--
 lib/weblib.php | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/outputlib.php b/lib/outputlib.php
index 25c9f7b4a2..724af1b1d0 100644
--- a/lib/outputlib.php
+++ b/lib/outputlib.php
@@ -1314,7 +1314,7 @@ class moodle_renderer_base {
 /**
 * Outputs a HTML attribute and value
 * @param string $name The name of the attribute ('src', 'href', 'class' etc.)
- * @param string $value The value of the attribute
+ * @param string $value The value of the attribute. The value will be escaped with {@link s()}
 * @return string HTML fragment
 */
 protected function output_attribute($name, $value) {
@@ -1322,13 +1322,14 @@ class moodle_renderer_base {
 if ($value == HTML_ATTR_EMPTY) {
 return ' ' . $name . '=""';
 } else if ($value || is_numeric($value)) { // We want 0 to be output.
- return ' ' . $name . '="' . $value . '"';
+ return ' ' . $name . '="' . s($value) . '"';
 }
 }

 /**
 * Outputs a list of HTML attributes and values
 * @param array $attributes The tag attributes (array('src' => $url, 'class' => 'class1') etc.)
+ * The values will be escaped with {@link s()}
 * @return string HTML fragment
 */
 protected function output_attributes($attributes) {
diff --git a/lib/weblib.php b/lib/weblib.php
index 23ce3ba2ec..5560cfe6eb 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -489,7 +489,7 @@ class moodle_url {
 *
 * @param mixed $url The URL (moodle_url or string)
 * @param bool $stripformparams Whether or not to strip the query params from the URL
- * @return string
+ * @return string the URL. &s are unescaped. You must use s(...) to output this to XHTML. ($OUTPUT normally does this automatically.)
 */
 function prepare_url($url, $stripformparams=false) {
 global $CFG, $PAGE;
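Review bot: In `output_attribute()` (lib/outputlib.php, second hunk) the new `s($value)` call will double-encode any value a caller has already escaped, so a URL handed in as `a.php?x=1&amp;y=2` would presumably come out with `&amp;amp;`. The commit adjusts only `prepare_url()`; the other call sites of `output_attribute()` and `output_attributes()` are not visible here and should be checked. `$name` is still concatenated unescaped, which is safe only while attribute names are trusted literals, and the docblock should say so, e.g. `@param string $name The attribute name; NOT escaped, must not come from user input`. The branch chain also falls through without a `return` when `$value` is empty and non-numeric, so the documented `@return string` is really string-or-null; a final `return '';` would make that explicit. The start of `output_attribute()` lies outside this hunk.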
@@ -497,7 +497,7 @@ function prepare_url($url, $stripformparams=false) {
 $output = $url;
 if ($url instanceof moodle_url) {
- $output = $url->out($stripformparams);
+ $output = $url->out($stripformparams, array(), false);
 }
 // Handle relative URLs
--
2.39.5
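Review bot: The new `@return` contract ("&s are unescaped") holds only for the `moodle_url` branch of `prepare_url()`, because a plain string `$url` is copied through unchanged by `$output = $url;`. A caller that passes a string already containing `&amp;` will therefore get it double-encoded once the result goes through `s()`. The parameter doc should state the expectation, e.g. `@param mixed $url The URL (moodle_url, or a raw unescaped string)`. Since `out()` is now called with what appears to be escaping turned off (third argument `false`), any existing caller that prints the return value straight into markup without `s()` loses the entity-encoding it had before; those call sites are outside this diff and need auditing. The rest of `prepare_url()` continues past the end of the hunk.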