From f1d62aa5aee3180942193c30d1dc829391126dc1 Mon Sep 17 00:00:00 2001
From: Nigel Cunningham <nigelc@catalyst-au.net>
Date: Mon, 2 May 2016 15:13:20 +1000
Subject: [PATCH] Fix lack of HTMLspecialchars escaping in role export.

Role name and description fields are currently not escaped when
exporting a role. This results in an unusable file. Fix this by
using htmlspecialchars on both fields.

Signed-off-by: Nigel Cunningham <nigelc@catalyst-au.net>
---
 admin/roles/classes/preset.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/admin/roles/classes/preset.php b/admin/roles/classes/preset.php
index 85904eb..45a68a7 100644
--- a/admin/roles/classes/preset.php
+++ b/admin/roles/classes/preset.php
@@ -71,8 +71,8 @@ class core_role_preset {
         $dom->appendChild($top);
 
         $top->appendChild($dom->createElement('shortname', $role->shortname));
-        $top->appendChild($dom->createElement('name', $role->name));
-        $top->appendChild($dom->createElement('description', $role->description));
+        $top->appendChild($dom->createElement('name', htmlspecialchars($role->name)));
+        $top->appendChild($dom->createElement('description', htmlspecialchars($role->description)));
         $top->appendChild($dom->createElement('archetype', $role->archetype));
 
         $contextlevels = $dom->createElement('contextlevels');
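Review bot: The `shortname` and `archetype` elements on the unchanged context lines of this hunk still pass the raw role value as the second argument of `createElement`, which does not escape it, so an `&` or `<` in either field would break the export the same way name and description did. Whether those two fields are restricted to safe characters elsewhere is not visible here (the method starts and ends outside the hunk); if they are not, treat them the same way, e.g. `$top->appendChild($dom->createElement('shortname', htmlspecialchars($role->shortname)));`. A sturdier pattern for all four is to create the element empty and append `$dom->createTextNode($role->name)`, which leaves the escaping to DOM instead of hand-encoding. If `htmlspecialchars` is kept, note that it returns an empty string for input that is not valid UTF-8 unless `ENT_SUBSTITUTE` is passed, so a role description with a bad byte would be exported silently blank.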
-- 
2.5.0

