diff --git a/course/lib.php b/course/lib.php
index 297b11ed34247..9035bd11b1956 100644
--- a/course/lib.php
+++ b/course/lib.php
@@ -417,7 +417,7 @@ function print_log($course, $user=0, $date=0, $order="l.time ASC", $page=0, $per
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = str_replace('&', '&', $log->url); /// XHTML compatibility
+ $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
echo '
';
if ($course->id == SITEID) {
@@ -509,7 +509,7 @@ function print_log_csv($course, $user, $date, $order='l.time DESC', $modname,
$log->url = strip_tags(urldecode($log->url)); // Some XSS protection
$log->info = strip_tags(urldecode($log->info)); // Some XSS protection
- $log->url = s($log->url); /// XSS protection and XHTML compatibility - should be in link_to_popup_window() instead!!
+ $log->url = str_replace('&', '&', $log->url); /// XHTML compatibility
$firstField = $courses[$log->course];
$fullname = fullname($log, has_capability('moodle/site:viewfullnames', get_context_instance(CONTEXT_COURSE, $course->id)));