MDL-69911 core: Clean content passed through TeX filter
authorMichael Hawkins <michaelh@moodle.com>
Tue, 1 Dec 2020 10:59:03 +0000 (18:59 +0800)
committerJenkins <jenkins@worker02.test.in.moodle.com>
Tue, 12 Jan 2021 16:14:33 +0000 (17:14 +0100)
filter/tex/filter.php

index 395638d..66f9eb0 100644 (file)
@@ -189,6 +189,9 @@ class filter_tex extends moodle_text_filter {
                 continue;
             }
 
+            // Sanitize the decoded string, because filter_text_image() injects the final string between script tags.
+            $texexp = clean_param($texexp, PARAM_TEXT);
+
             $md5 = md5($texexp);
             if (!$DB->record_exists("cache_filters", array("filter"=>"tex", "md5key"=>$md5))) {
                 $texcache = new stdClass();
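Review bot: The added `clean_param($texexp, PARAM_TEXT)` call is an HTML tag-stripping cleaner, while the comment above it says the value ends up between script tags, which is a different output context. As far as I know, PARAM_TEXT removes markup but does not encode quotes or backslashes, and filter_text_image() is not visible in this hunk, so it is worth confirming that the sink also encodes the string for the context it writes into instead of relying on this input-side clean alone. Tag stripping may also change legitimate TeX that contains a literal `<`, so a regression test with such an expression would be useful. I would extend the comment to record the limit, e.g. `// PARAM_TEXT only strips tags; filter_text_image() must still encode $texexp for the context it emits.` The enclosing loop and method start and end outside this hunk.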