From fe44b53815d37c63e751032205b692ccd5737620 Mon Sep 17 00:00:00 2001
From: Joey Wildman
Date: Wed, 27 Nov 2024 12:27:13 -0800
Subject: [PATCH] Merge commit from fork
---
 Gemfile | 3 +++
 Gemfile.lock | 4 ++++
 app/controllers/courses_controller.rb | 17 +++++++++--------
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/Gemfile b/Gemfile
index 08327ebbf..45367d901 100644
--- a/Gemfile
+++ b/Gemfile
@@ -177,3 +177,6 @@ gem 'uri', '0.10.3'
 # To generate slugged urls
 gem 'friendly_id', '~> 5.5.0'
+
+# to sanitize CSV files
+gem 'csv-safe'
\ No newline at end of file
diff --git a/Gemfile.lock b/Gemfile.lock
index 9a0155bed..57eb6cdf5 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -115,6 +115,9 @@ GEM
 crack (0.4.5)
 rexml
 crass (1.0.6)
+ csv (3.3.0)
+ csv-safe (3.3.1)
+ csv (~> 3.0)
 daemons (1.4.1)
 database_cleaner (2.0.2)
 database_cleaner-active_record (>= 2, < 3)
@@ -482,6 +485,7 @@ DEPENDENCIES
 capybara
 codeclimate-test-reporter
 coffee-rails (>= 4.0.0)
+ csv-safe
 database_cleaner
 devise (>= 4.5.0)
 diffy
diff --git a/app/controllers/courses_controller.rb b/app/controllers/courses_controller.rb
index fb5a0371d..2b4473397 100755
--- a/app/controllers/courses_controller.rb
+++ b/app/controllers/courses_controller.rb
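Review bot: In the Gemfile hunk, `gem 'csv-safe'` is added without a version constraint, while the neighbouring `friendly_id` entry uses `~> 5.5.0` and `uri` is pinned exactly. Gemfile.lock resolves it to 3.3.1 today, but a later `bundle update` can move a gem whose escaping behaviour the roster export now depends on; `gem 'csv-safe', '~> 3.3'` keeps that upgrade a deliberate, reviewed step. The new entry also leaves the Gemfile without a trailing newline.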
@@ -570,15 +570,16 @@ def download_roster
 @cuds = @course.course_user_data.where(instructor: false, course_assistant: false, dropped: false)
- output = ""
- @cuds.each do |cud|
- user = cud.user
- # to_csv avoids issues with commas
- output += [@course.semester, cud.user.email, user.last_name, user.first_name,
- cud.school, cud.major, cud.year, cud.grade_policy,
- cud.course_number, cud.lecture, cud.section].to_csv
+ csv_content = CSVSafe.generate do |csv|
+ @cuds.each do |cud|
+ user = cud.user
+ # to_csv avoids issues with commas
+ csv << [@course.semester, cud.user.email, user.last_name, user.first_name,
+ cud.school, cud.major, cud.year, cud.grade_policy,
+ cud.course_number, cud.lecture, cud.section]
+ end
 end
- send_data output, filename: "roster.csv", type: "text/csv", disposition: "inline"
+ send_data csv_content, filename: "roster.csv", type: "text/csv", disposition: "inline"
 end
 # email - The email action allows instructors to email the entire course, or
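Review bot: The retained comment `# to_csv avoids issues with commas` is stale on the new side, because `to_csv` is no longer called and the purpose of the change is to neutralise spreadsheet formulas, not to quote commas. I would replace it with `# CSVSafe escapes cells a spreadsheet would evaluate as a formula; roster fields such as names come from users` (the last clause is an assumption to confirm against the user model). The patch touches three files and none of them is a spec, so a regression test asserting that a roster row whose name begins with `=` comes out escaped would stop a later refactor back to plain `CSV` from silently undoing the fix. `cud.user.email` could also use the `user` local assigned on the line above it. The `def download_roster` line sits above the hunk, so only the body is visible here.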