MDL-62820 question import: properly escape output

author Tim Hunt <T.J.Hunt@open.ac.uk>

Mon, 2 Jul 2018 17:55:22 +0000 (18:55 +0100)

committer Jun Pataleta <jun@moodle.com>

Wed, 4 Jul 2018 07:40:50 +0000 (15:40 +0800)
author Tim Hunt <T.J.Hunt@open.ac.uk>
Mon, 2 Jul 2018 17:55:22 +0000 (18:55 +0100)
committer Jun Pataleta <jun@moodle.com>
Wed, 4 Jul 2018 07:40:50 +0000 (15:40 +0800)
diff --git a/mod/lesson/format.php b/mod/lesson/format.php

index 02b58d6..d7c68d6 100644 (file)
--- a/mod/lesson/format.php
+++ b/mod/lesson/format.php
@@ -726,8 +726,8 @@ class qformat_default {
          // @@PLUGINFILE@@ with a real URL, but it doesn't matter what.
          // We use http://example.com/.
          $text = str_replace('@@PLUGINFILE@@/', 'http://example.com/', $question->questiontext);
-        return html_to_text(format_text($text,
-                $question->questiontextformat, $formatoptions), 0, false);
+        return s(html_to_text(format_text($text,
+                $question->questiontextformat, $formatoptions), 0, false));
      }
  
      /**
diff --git a/question/format.php b/question/format.php

index 2efb253..9677c19 100644 (file)
--- a/question/format.php
+++ b/question/format.php
@@ -979,8 +979,8 @@ class qformat_default {
       * during import to let the user see roughly what is going on.
       */
      protected function format_question_text($question) {
-        return question_utils::to_plain_text($question->questiontext,
-                $question->questiontextformat);
+        return s(question_utils::to_plain_text($question->questiontext,
+                $question->questiontextformat));
      }
  }
author	Tim Hunt <T.J.Hunt@open.ac.uk>
	Mon, 2 Jul 2018 17:55:22 +0000 (18:55 +0100)
committer	Jun Pataleta <jun@moodle.com>
	Wed, 4 Jul 2018 07:40:50 +0000 (15:40 +0800)
mod/lesson/format.php		patch \| blob \| blame \| history
question/format.php		patch \| blob \| blame \| history