MDL-59972 mod_feedback: escape subject when showing the contact form
authorMarina Glancy <marina@moodle.com>
Wed, 30 Aug 2017 03:37:27 +0000 (11:37 +0800)
committerDavid Monllao <davidm@moodle.com>
Thu, 7 Sep 2017 08:53:34 +0000 (10:53 +0200)
mod/feedback/show_nonrespondents.php

index 5339e9d..f31971f 100644 (file)
@@ -273,7 +273,7 @@ if (empty($students)) {
         echo '<legend class="ftoggler">'.get_string('send_message', 'feedback').'</legend>';
         echo '<div>';
         echo '<label for="feedback_subject">'.get_string('subject', 'feedback').'&nbsp;</label>';
-        echo '<input type="text" id="feedback_subject" size="50" maxlength="255" name="subject" value="'.$subject.'" />';
+        echo '<input type="text" id="feedback_subject" size="50" maxlength="255" name="subject" value="'.s($subject).'" />';
         echo '</div>';
         print_textarea(true, 15, 25, 30, 10, "message", $message);
         print_string('formathtml');
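Review bot: The `$message` value handed to `print_textarea` two lines below the fix is not visibly escaped in this hunk; unless `print_textarea` applies `s()` (or equivalent) to its value itself, the message field still carries the same markup-injection concern that this commit closes for the subject, so that should be confirmed in the same change. Building the input with `html_writer::empty_tag('input', ['type' => 'text', 'id' => 'feedback_subject', 'size' => 50, 'maxlength' => 255, 'name' => 'subject', 'value' => $subject])` would escape the attribute value automatically and remove the hand-assembled string where the escaping was originally forgotten. Where `$subject` and `$message` are populated is outside this hunk, and the enclosing `if (empty($students))` block both begins and ends outside it.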