MDL-62820 question import: properly escape output
authorTim Hunt <T.J.Hunt@open.ac.uk>
Mon, 2 Jul 2018 17:55:22 +0000 (18:55 +0100)
committerJun Pataleta <jun@moodle.com>
Wed, 4 Jul 2018 07:40:50 +0000 (15:40 +0800)
mod/lesson/format.php
question/format.php

index 02b58d6..d7c68d6 100644 (file)
@@ -726,8 +726,8 @@ class qformat_default {
         // @@PLUGINFILE@@ with a real URL, but it doesn't matter what.
         // We use http://example.com/.
         $text = str_replace('@@PLUGINFILE@@/', 'http://example.com/', $question->questiontext);
-        return html_to_text(format_text($text,
-                $question->questiontextformat, $formatoptions), 0, false);
+        return s(html_to_text(format_text($text,
+                $question->questiontextformat, $formatoptions), 0, false));
     }
 
     /**
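Review bot: The return value of this method changes from plain text to HTML-escaped text, and nothing visible in the hunk documents that new contract; the same applies to `format_question_text()` in the question/format.php hunk. A caller that already passes the result through `s()` or `format_string()` would now double-escape, and a caller that writes it to a non-HTML sink would show literal entities; the call sites are outside this diff, so that needs checking. I would add a line to each method's docblock such as `@return string plain-text summary of the question text, already HTML-escaped with s(); echo as-is, do not escape again.` The enclosing function here starts above the hunk, so its existing docblock is not visible.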
index 2efb253..9677c19 100644 (file)
@@ -979,8 +979,8 @@ class qformat_default {
      * during import to let the user see roughly what is going on.
      */
     protected function format_question_text($question) {
-        return question_utils::to_plain_text($question->questiontext,
-                $question->questiontextformat);
+        return s(question_utils::to_plain_text($question->questiontext,
+                $question->questiontextformat));
     }
 }
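Review bot: The escaping is added inside a `protected` method, so it only covers this default implementation. A subclass that overrides `format_question_text()` would still hand unescaped text to whatever prints it, unless the override also calls `s()`. Whether any import format overrides it is not visible from this diff. If escaping stays here rather than at the point of output, the docblock should say so for implementers, e.g. `Overriding implementations must return HTML-escaped text.`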