up smileys etc if the text has been edited at any stage using the
richtext editor.
I realise it's possible for students to really mess up forums display
etc if they wanted to include a huge picture ... I'm not sure if there
are any cross-site scripting attacks possible with images in there.
But there is also now the HTML format for most things, which is editable
using an ordinary form, so this problem is currently already exposed.
I think it's OK as long as can find a filter to strip all javascript
out of ANY format text in Moodle.
"pl" => "Polish",\r
"ps" => "Pushto",\r
"pt" => "Portuguese",\r
+"pt_br" => "Portuguese (Brazil)",\r
"qu" => "Quechua",\r
"rm" => "Raeto-Romance",\r
"rn" => "Rundi",\r
}
function print_heading($text, $align="CENTER", $size=3) {
- echo "<P ALIGN=\"$align\"><FONT SIZE=\"$size\"><B>$text</B></FONT></P>";
+ echo "<P ALIGN=\"$align\"><FONT SIZE=\"$size\"><B>".stripslashes($text)."</B></FONT></P>";
}
function print_continue($link) {
switch ($format) {
case FORMAT_MOODLE:
- return strip_tags($text, '<b><i><u><font><ol><ul><dl><li><dt><dd><h1><h2><h3><hr>');
+ return strip_tags($text, '<b><i><u><font><ol><ul><dl><li><dt><dd><h1><h2><h3><hr><img>');
break;
case FORMAT_HTML:
projects / moodle.git / commitdiff