Hi,
Can Moodle escape the unwanted data (special characters) that is entered in the URL by a third person,
so as to avoid user redirection to a malicious website or cross-site scripting attacks?
$id = optional_param('id', $USER->id, PARAM_INT); // User id; -1 if creating new user.
$course = optional_param('course', SITEID, PARAM_INT); // Course id (defaults to Site).
$returnto = optional_param('returnto', null, PARAM_ALPHA); // Code determining where to return to after save.
The full story is here - https://docs.moodle.org/dev/Security
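
An added illustration, not part of the original posts and not Moodle's own code: a stand-alone PHP sketch of what the PARAM_INT and PARAM_ALPHA types in the three lines above do to a tampered query string. The names demo_clean() and demo_optional_param(), the query string and the destination paths are all constructed for this example; in a real Moodle page you call optional_param() itself.

```php
<?php
// Simplified stand-ins for Moodle's parameter cleaning (hypothetical names,
// written for this example; Moodle's real entry point is optional_param()).
function demo_clean(string $value, string $type) {
    switch ($type) {
        case 'int':   // same idea as PARAM_INT: cast, so only an integer survives
            return (int)$value;
        case 'alpha': // same idea as PARAM_ALPHA: keep ASCII letters only
            return preg_replace('/[^a-zA-Z]/', '', $value);
        default:
            throw new InvalidArgumentException("Unknown type: $type");
    }
}

function demo_optional_param(array $query, string $name, $default, string $type) {
    // Simplification for this sketch: a missing or array-valued parameter
    // falls back to the default.
    if (!isset($query[$name]) || is_array($query[$name])) {
        return $default;
    }
    return demo_clean($query[$name], $type);
}

// Constructed query string of the kind a third party could place in a link.
parse_str(
    'id=42%20OR%201=1&course=<script>alert(1)</script>&returnto=https://evil.example/',
    $query
);

$id       = demo_optional_param($query, 'id', 0, 'int');
$course   = demo_optional_param($query, 'course', 1, 'int');
$returnto = demo_optional_param($query, 'returnto', null, 'alpha');

// The cleaned values contain no markup, quotes, slashes or dots.
var_dump($id, $course, $returnto);

// Because returnto is declared as a letters-only code, it cannot carry a URL.
// The page maps the code to a fixed destination instead of redirecting to
// user-supplied text. The codes and paths below are constructed examples.
$destinations = [
    'profile' => '/example/profile.php',
    'course'  => '/example/course.php',
];
$target = $destinations[$returnto] ?? '/example/index.php';
var_dump($target);
```

Cleaning on input covers only the declared type of each parameter; text that is later printed into a page still needs escaping at output time, which the linked Security page covers.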