Index: moodle/admin/uploaduser.php --- moodle/admin/uploaduser.php Base (1.103) +++ moodle/admin/uploaduser.php Locally Modified (Based On 1.103) @@ -267,9 +267,8 @@ // normalize username $user->username = $textlib->strtolower($user->username); - if (empty($CFG->extendedusernamechars)) { - $user->username = preg_replace('/[^(-\.[:alnum:])]/i', '', $user->username); - } + $user->username = clean_param($user->username, PARAM_USERNAME); + if (empty($user->username)) { $upt->track('status', get_string('missingfield', 'error', 'username'), 'error'); $upt->track('username', $errorstr, 'error'); Index: moodle/lib/moodlelib.php --- moodle/lib/moodlelib.php Base (1.1261) +++ moodle/lib/moodlelib.php Locally Modified (Based On 1.1261) @@ -463,6 +463,7 @@ * @uses PARAM_BASE64 * @uses PARAM_TAG * @uses PARAM_SEQUENCE + * @uses PARAM_USERNAME * @param mixed $param the variable we are cleaning * @param int $type expected format of param after cleaning. * @return mixed @@ -720,6 +721,20 @@ return ''; // Specified theme is not installed } + case PARAM_USERNAME: + $patterns = array(); + array_push($patterns, '/[*()+]/'); + array_push($patterns, '/[^(-\.[:alnum:])_]/i'); + + if ($CFG->extendedusernamechars) { + $param = preg_replace($patterns, '',trim($param)); + return $param; + } else { + array_push($patterns, '/_/i'); //truncate underscore + $param = preg_replace($patterns, '',trim($param)); + return $param; + } + default: // throw error, switched parameters in optional_param or another serious problem print_error("unknownparamtype", '', '', $type); } Index: moodle/login/index.php --- moodle/login/index.php Base (1.166) +++ moodle/login/index.php Locally Modified (Based On 1.166) @@ -114,7 +114,7 @@ $frm->username = trim(moodle_strtolower($frm->username)); if (is_enabled_auth('none') && empty($CFG->extendedusernamechars)) { - $string = preg_replace("~[^(-\.[:alnum:])]~i", "", $frm->username); + $string = clean_param($frm->username, PARAM_USERNAME); if (strcmp($frm->username, $string)) { $errormsg = get_string('username').': '.get_string("alphanumerical"); $errorcode = 2; Index: moodle/login/signup_form.php --- moodle/login/signup_form.php Base (1.44) +++ moodle/login/signup_form.php Locally Modified (Based On 1.44) @@ -99,7 +99,7 @@ $errors['username'] = get_string('usernameexists'); } else { if (empty($CFG->extendedusernamechars)) { - $string = preg_replace("~[^(-\.[:alnum:])]~i", '', $data['username']); + $string = clean_param($data['username'], PARAM_USERNAME); if (strcmp($data['username'], $string)) { $errors['username'] = get_string('alphanumerical'); } Index: moodle/user/editadvanced.php --- moodle/user/editadvanced.php Base (1.63) +++ moodle/user/editadvanced.php Locally Modified (Based On 1.63) @@ -136,7 +136,7 @@ $authplugin = get_auth_plugin($usernew->auth); } - $usernew->username = trim($usernew->username); + $usernew->username = clean_param($usernew->username, PARAM_USERNAME); $usernew->timemodified = time(); if ($usernew->id == -1) { Index: moodle/user/editadvanced_form.php --- moodle/user/editadvanced_form.php Base (1.35) +++ moodle/user/editadvanced_form.php Locally Modified (Based On 1.35) @@ -145,7 +145,7 @@ $err['username'] = get_string('usernamelowercase'); } else { if (empty($CFG->extendedusernamechars)) { - $string = preg_replace("/[^(-\.[:alnum:])]/i", '', $usernew->username); + $string = clean_param($usernew->username, PARAM_USERNAME); if ($usernew->username !== $string) { $err['username'] = get_string('alphanumerical'); }