MDL-49940 mod_survey: Fix XSS on survey module
authorSimey Lameze <simey@moodle.com>
Thu, 24 Sep 2015 00:42:38 +0000 (08:42 +0800)
committerMr. Jenkins (CiBoT) <cibot@moodle.org>
Wed, 4 Nov 2015 10:46:27 +0000 (18:46 +0800)
mod/survey/lib.php
mod/survey/report.php

index 934ed98..9d57fb3 100644 (file)
@@ -189,7 +189,7 @@ function survey_user_complete($course, $user, $mod, $survey) {
                 } else {
                     $answertext = "No answer";
                 }
-                $table->data[] = array("<b>$questiontext</b>", $answertext);
+                $table->data[] = array("<b>$questiontext</b>", s($answertext));
             }
             echo html_writer::table($table);
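Review bot: On the changed line in survey_user_complete(), `$questiontext` is still interpolated raw into `"<b>$questiontext</b>"` while only `$answertext` goes through `s()`. The hunk does not show where `$questiontext` is assigned, and the function body starts and ends outside it; if the value can be anything other than a fixed language string, the cell should be built as `array('<b>' . s($questiontext) . '</b>', s($answertext))`. The same question applies to the mod/survey/report.php hunk, where `fullname($a)` is concatenated into the link markup next to the newly escaped `s($answer1), s($answer2)`. Because the escaping is applied per output site rather than where the answer is stored, any other code path that prints answer1/answer2 (none is visible in this commit) needs the same `s()` call.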
 
index 1271ce9..66d366d 100644 (file)
                        $OUTPUT->user_picture($a, array('courseid'=>$course->id)),
                        "<a href=\"report.php?id=$id&amp;action=student&amp;student=$a->userid\">".fullname($a)."</a>",
                        userdate($a->time),
-                       $answer1, $answer2);
+                       s($answer1), s($answer2));
 
             }
         }