From 5ffd1421a57cb79e85bbb64bce41fb044d307543 Mon Sep 17 00:00:00 2001
From: Tim Hunt
Date: Thu, 19 Nov 2009 17:31:41 +0000
Subject: [PATCH] manual grading: MDL-20581 Fix potential XSS problem. Thanks to Penny for spotting this. Merged from MOODLE_19_STABLE.
---
 mod/quiz/db/access.php | 4 ++--
 mod/quiz/version.php | 2 +-
 question/type/questiontype.php | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/mod/quiz/db/access.php b/mod/quiz/db/access.php
index ff9fb90f12..ea55aff9b7 100644
--- a/mod/quiz/db/access.php
+++ b/mod/quiz/db/access.php
@@ -65,7 +65,7 @@ $capabilities = array(
 // Manually grade and comment on student attempts at a question.
 'mod/quiz:grade' => array(
- 'riskbitmask' => RISK_SPAM | RISK_XSS,
+ 'riskbitmask' => RISK_SPAM,
 'captype' => 'write',
 'contextlevel' => CONTEXT_MODULE,
 'legacy' => array(
@@ -77,7 +77,7 @@ $capabilities = array(
 // Regrade quizzes.
 'mod/quiz:regrade' => array(
- 'riskbitmask' => RISK_SPAM | RISK_XSS,
+ 'riskbitmask' => RISK_SPAM,
 'captype' => 'write',
 'contextlevel' => CONTEXT_MODULE,
 'legacy' => array(
diff --git a/mod/quiz/version.php b/mod/quiz/version.php
index 1503d351b8..0f229bd574 100644
--- a/mod/quiz/version.php
+++ b/mod/quiz/version.php
@@ -5,7 +5,7 @@
 // This fragment is called by moodle_needs_upgrading() and /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////
-$module->version = 2009042000; // The (date) version of this module
+$module->version = 2009111900; // The (date) version of this module
 $module->requires = 2009041700; // Requires this Moodle version
 $module->cron = 0; // How often should cron check this module (seconds)?
diff --git a/question/type/questiontype.php b/question/type/questiontype.php
index e683167d59..d803a97e90 100644
--- a/question/type/questiontype.php
+++ b/question/type/questiontype.php
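Review bot: Dropping RISK_XSS from the 'mod/quiz:grade' riskbitmask in this hunk (and from 'mod/quiz:regrade' in the -77 hunk below) is only justified while every place that renders the stored manual comment passes it through format_text() with cleaning left on; the capability file cannot show that, and the comment text itself is still stored unfiltered, so the lower risk flag now records an assumption about the output code rather than a property of the data. A comment next to the entry would keep that dependency visible to whoever next touches the grading path, e.g. `// No RISK_XSS: manual comments are cleaned by format_text() on output (MDL-20581).` Capability definitions are presumably only re-read on a version change, so the version.php bump in this patch is what makes the new bitmask take effect on upgrade and should not be dropped if the hunks are cherry-picked separately.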
@@ -946,7 +946,10 @@ class default_questiontype {
 $grade .= question_format_grade($cmoptions, $question->maxgrade);
 }
- $comment = $state->manualcomment;
+ $formatoptions = new stdClass;
+ $formatoptions->para = false;
+ $comment = format_text($state->manualcomment, FORMAT_HTML,
+ $formatoptions, $cmoptions->course);
 $commentlink = '';
 if (!empty($options->questioncommentlink)) {
-- 
2.39.5
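Review bot: The new format_text() call hard-codes FORMAT_HTML and passes only `para = false`, so the fix depends on format_text's default cleaning (the `noclean` option left unset) to strip active content from `$state->manualcomment`; if the comment is ever stored in a different text format, or a caller later supplies options with `noclean` enabled, the raw stored value would again reach the page unchanged. The stored value itself is not sanitised by this patch, so any other code that renders manualcomment needs the same treatment, and cleaning it once where the grading form saves it would shrink the number of output paths that must get this right. The hard-coded format deserves a why-comment on the new line, e.g. `// Manual comments are entered as HTML; format_text() cleans them before output (MDL-20581).` The enclosing default_questiontype method starts and ends outside the hunk, so how `$comment` is emitted afterwards cannot be checked here.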