CVE-2014-3551
Description
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 2.4.11 | 2.4.11 |
| moodle/moodle (Packagist) | >= 2.5.0, < 2.5.7 | 2.5.7 |
| moodle/moodle (Packagist) | >= 2.6.0, < 2.6.4 | 2.6.4 |
| moodle/moodle (Packagist) | >= 2.7.0, < 2.7.1 | 2.7.1 |
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.3.11)
- cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
Patches
17b5dacb548800 MDL-46223 Fix frequently used comments in the marking guide
1 file changed · +1 −1
grade/grading/form/guide/js/guide.js+1 −1 modified@@ -10,7 +10,7 @@ M.gradingform_guide.init = function(Y, options) { currentfocus = e.currentTarget; }); Y.all('.markingguidecomment').on('click', function(e) { - currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('innerHTML')); + currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('text')); currentfocus.focus(); });
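Review bot: the switch from `get('innerHTML')` to `get('text')` in the `.markingguidecomment` click handler is the right fix, but it only behaves as intended together with the renderer change elsewhere in this issue that outputs the `.markingguidecomment` span with `s($comment['description'])`: once the span is escaped, `innerHTML` would have copied entity-encoded text (for example `&amp;` for `&`) into the remark textarea, while `text` returns the decoded value; before that, `innerHTML` carried any markup stored in a comment straight into the form field. Two smaller points: nothing in this hunk guards `currentfocus` against being unset when a comment is clicked before any remark field has received focus (the only assignment visible is `currentfocus = e.currentTarget;` in the preceding handler, so `currentfocus.set` would throw), and `'\n' +` is prepended even when the textarea is empty, leaving a leading blank line. A unit test with a comment containing `<`, `>` and `&` would pin the expected behaviour.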
7f4db6f4d901 MDL-46223 Fix frequently used comments in the marking guide
1 file changed · +1 −1
grade/grading/form/guide/js/guide.js+1 −1 modified@@ -10,7 +10,7 @@ M.gradingform_guide.init = function(Y, options) { currentfocus = e.currentTarget; }); Y.all('.markingguidecomment').on('click', function(e) { - currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('innerHTML')); + currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('text')); currentfocus.focus(); });
8ecc049f7f02 MDL-46223 Fix frequently used comments in the marking guide
1 file changed · +1 −1
grade/grading/form/guide/js/guide.js+1 −1 modified@@ -10,7 +10,7 @@ M.gradingform_guide.init = function(Y, options) { currentfocus = e.currentTarget; }); Y.all('.markingguidecomment').on('click', function(e) { - currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('innerHTML')); + currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('text')); currentfocus.focus(); });
db5a6e6560c9 MDL-46223 Fix frequently used comments in the marking guide
1 file changed · +1 −1
grade/grading/form/guide/js/guide.js+1 −1 modified@@ -10,7 +10,7 @@ M.gradingform_guide.init = function(Y, options) { currentfocus = e.currentTarget; }); Y.all('.markingguidecomment').on('click', function(e) { - currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('innerHTML')); + currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('text')); currentfocus.focus(); });
e42b6e20bdd5 MDL-46223 Fix frequently used comments in the marking guide
1 file changed · +1 −1
grade/grading/form/guide/js/guide.js+1 −1 modified@@ -10,7 +10,7 @@ M.gradingform_guide.init = function(Y, options) { currentfocus = e.currentTarget; }); Y.all('.markingguidecomment').on('click', function(e) { - currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('innerHTML')); + currentfocus.set('value', currentfocus.get('value') + '\n' + e.currentTarget.get('text')); currentfocus.focus(); });
68299e6154ae MDL-46223 Improve the display of marking guide validation message
1 file changed · +1 −1
grade/grading/form/guide/lib.php+1 −1 modified@@ -907,7 +907,7 @@ public function render_grading_element($page, $gradingformelement) { if (!empty($this->validationerrors)) { foreach ($this->validationerrors as $id => $err) { $a = new stdClass(); - $a->criterianame = $criteria[$id]['shortname']; + $a->criterianame = s($criteria[$id]['shortname']); $a->maxscore = $criteria[$id]['maxscore']; $html .= html_writer::tag('div', get_string('err_scoreinvalid', 'gradingform_guide', $a), array('class' => 'gradingform_guide-error'));
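Review bot: escaping `criterianame` with `s()` is needed here because `get_string()` substitutes the `$a` placeholders without escaping and the result goes straight into `html_writer::tag('div', ...)` as element content, which `html_writer` does not escape; the unchanged `$a->maxscore = $criteria[$id]['maxscore'];` on the next line is interpolated into the same string raw, and since `maxscore` is accepted from a text input in the guide editor (the renderer commit on this page applies `s()` to it on display for that reason), it should get the same treatment or be cast to a number before use. A one-line comment explaining why `s()` is applied would also stop the two adjacent lines from looking inconsistent to the next reader.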
8380722bb11f MDL-46223 Improve the display of marking guide validation message
1 file changed · +1 −1
grade/grading/form/guide/lib.php+1 −1 modified@@ -845,7 +845,7 @@ public function render_grading_element($page, $gradingformelement) { if (!empty($this->validationerrors)) { foreach ($this->validationerrors as $id => $err) { $a = new stdClass(); - $a->criterianame = $criteria[$id]['shortname']; + $a->criterianame = s($criteria[$id]['shortname']); $a->maxscore = $criteria[$id]['maxscore']; $html .= html_writer::tag('div', get_string('err_scoreinvalid', 'gradingform_guide', $a), array('class' => 'gradingform_guide-error'));
72d1a3ab0b00 MDL-46223 Improve the display of marking guide validation message
1 file changed · +1 −1
grade/grading/form/guide/lib.php+1 −1 modified@@ -882,7 +882,7 @@ public function render_grading_element($page, $gradingformelement) { if (!empty($this->validationerrors)) { foreach ($this->validationerrors as $id => $err) { $a = new stdClass(); - $a->criterianame = $criteria[$id]['shortname']; + $a->criterianame = s($criteria[$id]['shortname']); $a->maxscore = $criteria[$id]['maxscore']; $html .= html_writer::tag('div', get_string('err_scoreinvalid', 'gradingform_guide', $a), array('class' => 'gradingform_guide-error'));
4fc5861cbacd MDL-46223 Improve the display of marking guide validation message
1 file changed · +1 −1
grade/grading/form/guide/lib.php+1 −1 modified@@ -907,7 +907,7 @@ public function render_grading_element($page, $gradingformelement) { if (!empty($this->validationerrors)) { foreach ($this->validationerrors as $id => $err) { $a = new stdClass(); - $a->criterianame = $criteria[$id]['shortname']; + $a->criterianame = s($criteria[$id]['shortname']); $a->maxscore = $criteria[$id]['maxscore']; $html .= html_writer::tag('div', get_string('err_scoreinvalid', 'gradingform_guide', $a), array('class' => 'gradingform_guide-error'));
98d5566c2270 MDL-46223 Improve the marking guide output
3 files changed · +18 −17
grade/grading/form/guide/guideeditor.php+1 −0 modified@@ -100,6 +100,7 @@ public function toHtml() { $mode = gradingform_guide_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_guideeditor', 'fullpath'=>'/grade/grading/form/guide/js/guideeditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array( array('confirmdeletecriterion', 'gradingform_guide'), array('clicktoedit', 'gradingform_guide'),
grade/grading/form/guide/js/guideeditor.js+2 −2 modified@@ -111,9 +111,9 @@ M.gradingform_guideeditor.editmode = function(el, editmode) { value = M.str.gradingform_guide.clicktoedit taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)) if (tb) { - tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))) } // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement')
grade/grading/form/guide/renderer.php+15 −15 modified@@ -93,20 +93,20 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $shortname = html_writer::empty_tag('input', array('type'=> 'text', - 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => htmlspecialchars($criterion['shortname']), + 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => $criterion['shortname'], 'id ' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $shortname = html_writer::tag('div', $shortname, array('class'=>'criterionname')); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); - $descriptionmarkers = html_writer::tag('textarea', htmlspecialchars($criterion['descriptionmarkers']), + $descriptionmarkers = html_writer::tag('textarea', s($criterion['descriptionmarkers']), array('name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]', 'cols' => '65', 'rows' => '5')); $descriptionmarkers = html_writer::tag('div', $descriptionmarkers, array('class'=>'criteriondescmarkers')); $maxscore = html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]', 'size' => '3', - 'value' => htmlspecialchars($criterion['maxscore']), + 'value' => $criterion['maxscore'], 'id' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); $maxscore = html_writer::tag('div', $maxscore, array('class'=>'criterionmaxscore')); } else { 
@@ -125,7 +125,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $mode == gradingform_guide_controller::DISPLAY_VIEW) { $descriptionclass = 'descriptionreadonly'; } - $shortname = html_writer::tag('div', $criterion['shortname'], + $shortname = html_writer::tag('div', s($criterion['shortname']), array('class'=>'criterionshortname', 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $descmarkerclass = ''; $descstudentclass = ''; @@ -137,13 +137,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $descstudentclass = ' hide'; } } - $description = html_writer::tag('div', $criterion['description'], + $description = html_writer::tag('div', s($criterion['description']), array('class'=>'criteriondescription'.$descstudentclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $descriptionmarkers = html_writer::tag('div', $criterion['descriptionmarkers'], + $descriptionmarkers = html_writer::tag('div', s($criterion['descriptionmarkers']), array('class'=>'criteriondescriptionmarkers'.$descmarkerclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $maxscore = html_writer::tag('div', $criterion['maxscore'], + $maxscore = html_writer::tag('div', s($criterion['maxscore']), array('class'=>'criteriondescriptionscore', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); } @@ -193,7 +193,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $scoreclass = 'error'; $currentscore = $validationerrors[$criterion['id']]['score']; // Show invalid score in form. } - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '65', 'rows' => '5', 'class' => 'markingguideremark')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); 
@@ -202,7 +202,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $score .= html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][score]', 'class' => $scoreclass, 'id' => '{NAME}[criteria][{CRITERION-id}][score]', - 'size' => '3', 'value' => htmlspecialchars($currentscore))); + 'size' => '3', 'value' => $currentscore)); $score .= '/'.$maxscore; $criteriontemplate .= html_writer::tag('td', $score, array('class' => 'score')); @@ -211,9 +211,9 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); } else if ($mode == gradingform_guide_controller::DISPLAY_REVIEW || $mode == gradingform_guide_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); if (!empty($options['showmarkspercriterionstudents'])) { - $criteriontemplate .= html_writer::tag('td', htmlspecialchars($currentscore). ' / '.$maxscore, + $criteriontemplate .= html_writer::tag('td', s($currentscore). ' / '.$maxscore, array('class' => 'score')); } } @@ -272,7 +272,7 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null $criteriontemplate .= html_writer::end_tag('td'); // Controls. $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[comments][{COMMENT-id}][sortorder]', 'value' => $comment['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($comment['description']), + $description = html_writer::tag('textarea', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); } else { 
@@ -283,12 +283,12 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null 'name' => '{NAME}[comments][{COMMENT-id}][description]', 'value' => $comment['description'])); } if ($mode == gradingform_guide_controller::DISPLAY_EVAL) { - $description = html_writer::tag('span', htmlspecialchars($comment['description']), + $description = html_writer::tag('span', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'title' => get_string('clicktocopy', 'gradingform_guide'), 'id' => '{NAME}[comments][{COMMENT-id}]', 'class'=>'markingguidecomment')); } else { - $description = $comment['description']; + $description = s($comment['description']); } } $descriptionclass = 'description';
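Review bot: in the guideeditor.php hunk, the new `'requires' => array('base', 'dom', 'event', 'event-touch', 'escape')` entry is needed because guideeditor.js now calls `Y.Escape.html`, which lives in the YUI `escape` module; but since the module definition previously had no `requires` key at all, please confirm that `base`, `dom`, `event` and `event-touch` cover every module guideeditor.js already used implicitly, otherwise introducing an explicit list can silently drop something that used to be loaded.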
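Review bot: in the guideeditor.js hunk, wrapping both `innerHTML` assignments in `Y.Escape.html()` closes the hole where the criterion text typed into the textbox (`tb.get('value')`) was rendered as markup in the plain-text preview; a simpler alternative that needs no extra module is `set('text', ...)`, which assigns the text node directly and would make the `escape` requirement unnecessary. The statements in this hunk also lack terminating semicolons (`value = M.str.gradingform_guide.clicktoedit`, `taplain.addClass('empty')`), which is pre-existing but worth fixing while the file is being touched.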
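Review bot: in the renderer.php `@@ -93,20` hunk, dropping `htmlspecialchars()` from the `'value' => ...` attributes of the `<input>` tags is correct only because `html_writer::empty_tag()` escapes attribute values itself, so the old code was double-encoding them; a short comment at the first such site would stop someone from re-adding it, especially since the `<textarea>` contents on the neighbouring lines still need `s()` (as done here) because `html_writer::tag()` does not escape element content. While on these lines, the context line `'id ' => '{NAME}[criteria][{CRITERION-id}][shortname]'` has a trailing space inside the attribute name, which emits a malformed `id` attribute and should be fixed in the same patch.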
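Review bot: in the renderer.php `@@ -137,13` hunk, the `s()` calls on `description`, `descriptionmarkers` and `maxscore` are right for read-only display, but the `name` attribute on the description `<div>` reads `'{NAME}[criteria][{CRITERION-id}][descriptionmarkers]'`, identical to the descriptionmarkers element directly below it; that looks like a copy-paste slip and should be `[description]`. Also worth checking how multi-line descriptions render now that they are escaped rather than emitted as raw HTML, since `s()` preserves newlines but a `<div>` collapses them.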
470a466d7f1e MDL-46223 Improve the marking guide output
3 files changed · +18 −17
grade/grading/form/guide/guideeditor.php+1 −0 modified@@ -100,6 +100,7 @@ public function toHtml() { $mode = gradingform_guide_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_guideeditor', 'fullpath'=>'/grade/grading/form/guide/js/guideeditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array( array('confirmdeletecriterion', 'gradingform_guide'), array('clicktoedit', 'gradingform_guide'),
grade/grading/form/guide/js/guideeditor.js+2 −2 modified@@ -111,9 +111,9 @@ M.gradingform_guideeditor.editmode = function(el, editmode) { value = M.str.gradingform_guide.clicktoedit taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)) if (tb) { - tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))) } // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement')
grade/grading/form/guide/renderer.php+15 −15 modified@@ -93,20 +93,20 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $shortname = html_writer::empty_tag('input', array('type'=> 'text', - 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => htmlspecialchars($criterion['shortname']), + 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => $criterion['shortname'], 'id ' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $shortname = html_writer::tag('div', $shortname, array('class'=>'criterionname')); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); - $descriptionmarkers = html_writer::tag('textarea', htmlspecialchars($criterion['descriptionmarkers']), + $descriptionmarkers = html_writer::tag('textarea', s($criterion['descriptionmarkers']), array('name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]', 'cols' => '65', 'rows' => '5')); $descriptionmarkers = html_writer::tag('div', $descriptionmarkers, array('class'=>'criteriondescmarkers')); $maxscore = html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]', 'size' => '3', - 'value' => htmlspecialchars($criterion['maxscore']), + 'value' => $criterion['maxscore'], 'id' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); $maxscore = html_writer::tag('div', $maxscore, array('class'=>'criterionmaxscore')); } else { 
@@ -125,7 +125,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $mode == gradingform_guide_controller::DISPLAY_VIEW) { $descriptionclass = 'descriptionreadonly'; } - $shortname = html_writer::tag('div', $criterion['shortname'], + $shortname = html_writer::tag('div', s($criterion['shortname']), array('class'=>'criterionshortname', 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $descmarkerclass = ''; $descstudentclass = ''; @@ -137,13 +137,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $descstudentclass = ' hide'; } } - $description = html_writer::tag('div', $criterion['description'], + $description = html_writer::tag('div', s($criterion['description']), array('class'=>'criteriondescription'.$descstudentclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $descriptionmarkers = html_writer::tag('div', $criterion['descriptionmarkers'], + $descriptionmarkers = html_writer::tag('div', s($criterion['descriptionmarkers']), array('class'=>'criteriondescriptionmarkers'.$descmarkerclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $maxscore = html_writer::tag('div', $criterion['maxscore'], + $maxscore = html_writer::tag('div', s($criterion['maxscore']), array('class'=>'criteriondescriptionscore', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); } @@ -188,7 +188,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $scoreclass = 'error'; $currentscore = $validationerrors[$criterion['id']]['score']; // Show invalid score in form. } - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '65', 'rows' => '5', 'class' => 'markingguideremark')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); 
@@ -197,7 +197,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $score .= html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][score]', 'class' => $scoreclass, 'id' => '{NAME}[criteria][{CRITERION-id}][score]', - 'size' => '3', 'value' => htmlspecialchars($currentscore))); + 'size' => '3', 'value' => $currentscore)); $score .= '/'.$maxscore; $criteriontemplate .= html_writer::tag('td', $score, array('class' => 'score')); @@ -206,9 +206,9 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); } else if ($mode == gradingform_guide_controller::DISPLAY_REVIEW || $mode == gradingform_guide_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); if (!empty($options['showmarkspercriterionstudents'])) { - $criteriontemplate .= html_writer::tag('td', htmlspecialchars($currentscore). ' / '.$maxscore, + $criteriontemplate .= html_writer::tag('td', s($currentscore). ' / '.$maxscore, array('class' => 'score')); } } @@ -267,7 +267,7 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null $criteriontemplate .= html_writer::end_tag('td'); // Controls. $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[comments][{COMMENT-id}][sortorder]', 'value' => $comment['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($comment['description']), + $description = html_writer::tag('textarea', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); } else { 
@@ -278,12 +278,12 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null 'name' => '{NAME}[comments][{COMMENT-id}][description]', 'value' => $comment['description'])); } if ($mode == gradingform_guide_controller::DISPLAY_EVAL) { - $description = html_writer::tag('span', htmlspecialchars($comment['description']), + $description = html_writer::tag('span', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'title' => get_string('clicktocopy', 'gradingform_guide'), 'id' => '{NAME}[comments][{COMMENT-id}]', 'class'=>'markingguidecomment')); } else { - $description = $comment['description']; + $description = s($comment['description']); } } $descriptionclass = 'description';
666248c26464 MDL-46223 Improve the marking guide output
3 files changed · +18 −17
grade/grading/form/guide/guideeditor.php+1 −0 modified@@ -100,6 +100,7 @@ public function toHtml() { $mode = gradingform_guide_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_guideeditor', 'fullpath'=>'/grade/grading/form/guide/js/guideeditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array( array('confirmdeletecriterion', 'gradingform_guide'), array('clicktoedit', 'gradingform_guide'),
grade/grading/form/guide/js/guideeditor.js+2 −2 modified@@ -111,9 +111,9 @@ M.gradingform_guideeditor.editmode = function(el, editmode) { value = M.str.gradingform_guide.clicktoedit taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)) if (tb) { - tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))) } // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement')
grade/grading/form/guide/renderer.php+15 −15 modified@@ -93,20 +93,20 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $shortname = html_writer::empty_tag('input', array('type'=> 'text', - 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => htmlspecialchars($criterion['shortname']), + 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => $criterion['shortname'], 'id ' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $shortname = html_writer::tag('div', $shortname, array('class'=>'criterionname')); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); - $descriptionmarkers = html_writer::tag('textarea', htmlspecialchars($criterion['descriptionmarkers']), + $descriptionmarkers = html_writer::tag('textarea', s($criterion['descriptionmarkers']), array('name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]', 'cols' => '65', 'rows' => '5')); $descriptionmarkers = html_writer::tag('div', $descriptionmarkers, array('class'=>'criteriondescmarkers')); $maxscore = html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]', 'size' => '3', - 'value' => htmlspecialchars($criterion['maxscore']), + 'value' => $criterion['maxscore'], 'id' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); $maxscore = html_writer::tag('div', $maxscore, array('class'=>'criterionmaxscore')); } else { 
@@ -125,7 +125,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $mode == gradingform_guide_controller::DISPLAY_VIEW) { $descriptionclass = 'descriptionreadonly'; } - $shortname = html_writer::tag('div', $criterion['shortname'], + $shortname = html_writer::tag('div', s($criterion['shortname']), array('class'=>'criterionshortname', 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $descmarkerclass = ''; $descstudentclass = ''; @@ -137,13 +137,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $descstudentclass = ' hide'; } } - $description = html_writer::tag('div', $criterion['description'], + $description = html_writer::tag('div', s($criterion['description']), array('class'=>'criteriondescription'.$descstudentclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $descriptionmarkers = html_writer::tag('div', $criterion['descriptionmarkers'], + $descriptionmarkers = html_writer::tag('div', s($criterion['descriptionmarkers']), array('class'=>'criteriondescriptionmarkers'.$descmarkerclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $maxscore = html_writer::tag('div', $criterion['maxscore'], + $maxscore = html_writer::tag('div', s($criterion['maxscore']), array('class'=>'criteriondescriptionscore', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); } @@ -193,7 +193,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $scoreclass = 'error'; $currentscore = $validationerrors[$criterion['id']]['score']; // Show invalid score in form. } - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '65', 'rows' => '5', 'class' => 'markingguideremark')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); 
@@ -202,7 +202,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $score .= html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][score]', 'class' => $scoreclass, 'id' => '{NAME}[criteria][{CRITERION-id}][score]', - 'size' => '3', 'value' => htmlspecialchars($currentscore))); + 'size' => '3', 'value' => $currentscore)); $score .= '/'.$maxscore; $criteriontemplate .= html_writer::tag('td', $score, array('class' => 'score')); @@ -211,9 +211,9 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); } else if ($mode == gradingform_guide_controller::DISPLAY_REVIEW || $mode == gradingform_guide_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); if (!empty($options['showmarkspercriterionstudents'])) { - $criteriontemplate .= html_writer::tag('td', htmlspecialchars($currentscore). ' / '.$maxscore, + $criteriontemplate .= html_writer::tag('td', s($currentscore). ' / '.$maxscore, array('class' => 'score')); } } @@ -272,7 +272,7 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null $criteriontemplate .= html_writer::end_tag('td'); // Controls. $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[comments][{COMMENT-id}][sortorder]', 'value' => $comment['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($comment['description']), + $description = html_writer::tag('textarea', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); } else { 
@@ -283,12 +283,12 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null 'name' => '{NAME}[comments][{COMMENT-id}][description]', 'value' => $comment['description'])); } if ($mode == gradingform_guide_controller::DISPLAY_EVAL) { - $description = html_writer::tag('span', htmlspecialchars($comment['description']), + $description = html_writer::tag('span', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'title' => get_string('clicktocopy', 'gradingform_guide'), 'id' => '{NAME}[comments][{COMMENT-id}]', 'class'=>'markingguidecomment')); } else { - $description = $comment['description']; + $description = s($comment['description']); } } $descriptionclass = 'description';
2c0b608cda12 MDL-46223 Improve the marking guide output
3 files changed · +18 −17
grade/grading/form/guide/guideeditor.php+1 −0 modified@@ -100,6 +100,7 @@ public function toHtml() { $mode = gradingform_guide_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_guideeditor', 'fullpath'=>'/grade/grading/form/guide/js/guideeditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array( array('confirmdeletecriterion', 'gradingform_guide'), array('clicktoedit', 'gradingform_guide'),
grade/grading/form/guide/js/guideeditor.js+2 −2 modified@@ -111,9 +111,9 @@ M.gradingform_guideeditor.editmode = function(el, editmode) { value = M.str.gradingform_guide.clicktoedit taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)) if (tb) { - tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))) } // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement')
grade/grading/form/guide/renderer.php+15 −15 modified@@ -93,20 +93,20 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $shortname = html_writer::empty_tag('input', array('type'=> 'text', - 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => htmlspecialchars($criterion['shortname']), + 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]', 'value' => $criterion['shortname'], 'id ' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $shortname = html_writer::tag('div', $shortname, array('class'=>'criterionname')); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); - $descriptionmarkers = html_writer::tag('textarea', htmlspecialchars($criterion['descriptionmarkers']), + $descriptionmarkers = html_writer::tag('textarea', s($criterion['descriptionmarkers']), array('name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]', 'cols' => '65', 'rows' => '5')); $descriptionmarkers = html_writer::tag('div', $descriptionmarkers, array('class'=>'criteriondescmarkers')); $maxscore = html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]', 'size' => '3', - 'value' => htmlspecialchars($criterion['maxscore']), + 'value' => $criterion['maxscore'], 'id' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); $maxscore = html_writer::tag('div', $maxscore, array('class'=>'criterionmaxscore')); } else { 
@@ -125,7 +125,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $mode == gradingform_guide_controller::DISPLAY_VIEW) { $descriptionclass = 'descriptionreadonly'; } - $shortname = html_writer::tag('div', $criterion['shortname'], + $shortname = html_writer::tag('div', s($criterion['shortname']), array('class'=>'criterionshortname', 'name' => '{NAME}[criteria][{CRITERION-id}][shortname]')); $descmarkerclass = ''; $descstudentclass = ''; @@ -137,13 +137,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $descstudentclass = ' hide'; } } - $description = html_writer::tag('div', $criterion['description'], + $description = html_writer::tag('div', s($criterion['description']), array('class'=>'criteriondescription'.$descstudentclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $descriptionmarkers = html_writer::tag('div', $criterion['descriptionmarkers'], + $descriptionmarkers = html_writer::tag('div', s($criterion['descriptionmarkers']), array('class'=>'criteriondescriptionmarkers'.$descmarkerclass, 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]')); - $maxscore = html_writer::tag('div', $criterion['maxscore'], + $maxscore = html_writer::tag('div', s($criterion['maxscore']), array('class'=>'criteriondescriptionscore', 'name' => '{NAME}[criteria][{CRITERION-id}][maxscore]')); } @@ -193,7 +193,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $scoreclass = 'error'; $currentscore = $validationerrors[$criterion['id']]['score']; // Show invalid score in form. } - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '65', 'rows' => '5', 'class' => 'markingguideremark')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); 
@@ -202,7 +202,7 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $score .= html_writer::empty_tag('input', array('type'=> 'text', 'name' => '{NAME}[criteria][{CRITERION-id}][score]', 'class' => $scoreclass, 'id' => '{NAME}[criteria][{CRITERION-id}][score]', - 'size' => '3', 'value' => htmlspecialchars($currentscore))); + 'size' => '3', 'value' => $currentscore)); $score .= '/'.$maxscore; $criteriontemplate .= html_writer::tag('td', $score, array('class' => 'score')); @@ -211,9 +211,9 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); } else if ($mode == gradingform_guide_controller::DISPLAY_REVIEW || $mode == gradingform_guide_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); if (!empty($options['showmarkspercriterionstudents'])) { - $criteriontemplate .= html_writer::tag('td', htmlspecialchars($currentscore). ' / '.$maxscore, + $criteriontemplate .= html_writer::tag('td', s($currentscore). ' / '.$maxscore, array('class' => 'score')); } } @@ -272,7 +272,7 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null $criteriontemplate .= html_writer::end_tag('td'); // Controls. $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[comments][{COMMENT-id}][sortorder]', 'value' => $comment['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($comment['description']), + $description = html_writer::tag('textarea', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'cols' => '65', 'rows' => '5')); $description = html_writer::tag('div', $description, array('class'=>'criteriondesc')); } else { 
@@ -283,12 +283,12 @@ public function comment_template($mode, $elementname = '{NAME}', $comment = null 'name' => '{NAME}[comments][{COMMENT-id}][description]', 'value' => $comment['description'])); } if ($mode == gradingform_guide_controller::DISPLAY_EVAL) { - $description = html_writer::tag('span', htmlspecialchars($comment['description']), + $description = html_writer::tag('span', s($comment['description']), array('name' => '{NAME}[comments][{COMMENT-id}][description]', 'title' => get_string('clicktocopy', 'gradingform_guide'), 'id' => '{NAME}[comments][{COMMENT-id}]', 'class'=>'markingguidecomment')); } else { - $description = $comment['description']; + $description = s($comment['description']); } } $descriptionclass = 'description';
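Review bot: two pre-existing defects sit on lines this patch touches in criterion_template and should be fixed while here. In the first renderer.php hunk the shortname input's attribute array uses the key 'id ' (with a trailing space), which emits a malformed attribute name rather than id; it should read 'id' like the maxscore input just below it. In the read-only branch (@@ -137) the description div carries 'name' => '{NAME}[criteria][{CRITERION-id}][descriptionmarkers]', a copy of the descriptionmarkers div's name; it should be [description] (and name is not a valid attribute on a div in any case). Also worth a one-line comment: the patch removes htmlspecialchars() from the input 'value' entries (shortname, maxscore, score) but keeps s() on textarea and div bodies; that split is correct only because html_writer escapes attribute values itself, and without a comment saying so the next reader is likely to reintroduce double-encoding.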
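Review bot: the guideeditor.js hunk now calls Y.Escape.html(), but no change adding 'escape' to the guide editor's YUI module 'requires' list appears in the lines shown, whereas each rubric commit adds 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape') to rubriceditor.php. If guideeditor.php does not already declare the escape module, Y.Escape is undefined at runtime and editmode() throws before it can update the plain-text view. Confirm the requirement is declared, or add it in this commit.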
555ee08b17df MDL-46223 Improve the rubric output
3 files changed · +9 −8
grade/grading/form/rubric/js/rubriceditor.js+2 −2 modified@@ -93,8 +93,8 @@ M.gradingform_rubriceditor.editmode = function(el, editmode, focustb) { value = (el.hasClass('level')) ? M.str.gradingform_rubric.levelempty : M.str.gradingform_rubric.criterionempty taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) - if (tb) tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)); + if (tb) tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))); // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement') ta.addClass('hiddenelement')
grade/grading/form/rubric/renderer.php+6 −6 modified@@ -79,13 +79,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr } $criteriontemplate .= html_writer::end_tag('td'); // .controls $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][description]', 'value' => $criterion['description'])); } - $description = $criterion['description']; + $description = s($criterion['description']); } $descriptionclass = 'description'; if (isset($criterion['error_description'])) { 
@@ -111,12 +111,12 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $currentremark = $value['remark']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) { - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); } else if ($mode == gradingform_rubric_controller::DISPLAY_EVAL_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); }else if ($mode == gradingform_rubric_controller::DISPLAY_REVIEW || $mode == gradingform_rubric_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); } } $criteriontemplate .= html_writer::end_tag('tr'); // .criterion 
@@ -169,15 +169,15 @@ public function level_template($mode, $options, $elementname = '{NAME}', $criter $leveltemplate = html_writer::start_tag('td', $tdattributes); $leveltemplate .= html_writer::start_tag('div', array('class' => 'level-wrapper')); if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FULL) { - $definition = html_writer::tag('textarea', htmlspecialchars($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); + $definition = html_writer::tag('textarea', s($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); $score = html_writer::label(get_string('criterionempty', 'gradingform_rubric'), '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', false, array('class' => 'accesshide')); $score .= html_writer::empty_tag('input', array('type' => 'text','id' => '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'size' => '3', 'value' => $level['score'])); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'value' => $level['definition'])); $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'value' => $level['score'])); } - $definition = $level['definition']; + $definition = s($level['definition']); $score = $level['score']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) {
grade/grading/form/rubric/rubriceditor.php+1 −0 modified@@ -106,6 +106,7 @@ public function toHtml() { if (!$this->_flagFrozen) { $mode = gradingform_rubric_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_rubriceditor', 'fullpath'=>'/grade/grading/form/rubric/js/rubriceditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array(array('confirmdeletecriterion', 'gradingform_rubric'), array('confirmdeletelevel', 'gradingform_rubric'), array('criterionempty', 'gradingform_rubric'), array('levelempty', 'gradingform_rubric') ));
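Review bot: in the level_template hunk (@@ -169) $definition is now wrapped in s() on the non-edit path, but the adjacent $score = $level['score'] is still assigned raw, even though the edit branch a few lines above shows score arriving from a free-text input ('type' => 'text', 'size' => '3'). Unless the controller guarantees a numeric value before it reaches the renderer, it needs the same treatment, $score = s($level['score']); (or a cast/validation to a number). The DISPLAY_EDIT_FROZEN hidden inputs in both renderer.php hunks pass $criterion['description'], $level['definition'] and $currentremark unescaped as attribute values, which is only safe because html_writer::empty_tag escapes attributes; a short comment stating that would stop someone "fixing" it into double-encoding.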
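Review bot: the rubriceditor.js hunk adds trailing semicolons to the two changed lines while the surrounding lines (taplain.addClass('empty'), taplain.removeClass('hiddenelement'), ta.addClass('hiddenelement')) have none; pick one style for the file rather than mixing within a block. Separately, in renderer.php @@ -111 the DISPLAY_REVIEW / DISPLAY_VIEW branch now renders s($currentremark), so any markup in previously saved remarks will display as literal text; that is the intended hardening, but the commit message "Improve the rubric output" does not say so and should mention the behaviour change for existing data. The rubriceditor.php hunk correctly adds 'escape' to 'requires', so Y.Escape is loaded before the editor runs.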
1f8eb0842835 MDL-46223 Improve the rubric output
3 files changed · +9 −8
grade/grading/form/rubric/js/rubriceditor.js+2 −2 modified@@ -93,8 +93,8 @@ M.gradingform_rubriceditor.editmode = function(el, editmode, focustb) { value = (el.hasClass('level')) ? M.str.gradingform_rubric.levelempty : M.str.gradingform_rubric.criterionempty taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) - if (tb) tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)); + if (tb) tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))); // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement') ta.addClass('hiddenelement')
grade/grading/form/rubric/renderer.php+6 −6 modified@@ -79,13 +79,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr } $criteriontemplate .= html_writer::end_tag('td'); // .controls $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][description]', 'value' => $criterion['description'])); } - $description = $criterion['description']; + $description = s($criterion['description']); } $descriptionclass = 'description'; if (isset($criterion['error_description'])) { 
@@ -111,12 +111,12 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $currentremark = $value['remark']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) { - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); } else if ($mode == gradingform_rubric_controller::DISPLAY_EVAL_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); }else if ($mode == gradingform_rubric_controller::DISPLAY_REVIEW || $mode == gradingform_rubric_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); } } $criteriontemplate .= html_writer::end_tag('tr'); // .criterion 
@@ -169,15 +169,15 @@ public function level_template($mode, $options, $elementname = '{NAME}', $criter $leveltemplate = html_writer::start_tag('td', $tdattributes); $leveltemplate .= html_writer::start_tag('div', array('class' => 'level-wrapper')); if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FULL) { - $definition = html_writer::tag('textarea', htmlspecialchars($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); + $definition = html_writer::tag('textarea', s($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); $score = html_writer::label(get_string('criterionempty', 'gradingform_rubric'), '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', false, array('class' => 'accesshide')); $score .= html_writer::empty_tag('input', array('type' => 'text','id' => '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'size' => '3', 'value' => $level['score'])); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'value' => $level['definition'])); $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'value' => $level['score'])); } - $definition = $level['definition']; + $definition = s($level['definition']); $score = $level['score']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) {
grade/grading/form/rubric/rubriceditor.php+1 −0 modified@@ -106,6 +106,7 @@ public function toHtml() { if (!$this->_flagFrozen) { $mode = gradingform_rubric_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_rubriceditor', 'fullpath'=>'/grade/grading/form/rubric/js/rubriceditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array(array('confirmdeletecriterion', 'gradingform_rubric'), array('confirmdeletelevel', 'gradingform_rubric'), array('criterionempty', 'gradingform_rubric'), array('levelempty', 'gradingform_rubric') ));
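Review bot: the hunks here match commit 555ee08b17df line for line, including the hunk offsets (@@ -93, -79, -111, -169, -106), so this is the same change landing on another branch. The gap that exists there exists here too: level_template escapes $definition with s() but leaves $score = $level['score'] raw on the non-edit path, although the edit branch shows score coming from a text input; whatever fix lands on the primary commit (escape or validate $score, and settle the semicolon style in rubriceditor.js) must be carried to this branch as well, or the branches will diverge on a security-relevant line.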
eb1381de1dbc MDL-46223 Improve the rubric output
3 files changed · +9 −8
grade/grading/form/rubric/js/rubriceditor.js+2 −2 modified@@ -93,8 +93,8 @@ M.gradingform_rubriceditor.editmode = function(el, editmode, focustb) { value = (el.hasClass('level')) ? M.str.gradingform_rubric.levelempty : M.str.gradingform_rubric.criterionempty taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) - if (tb) tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)); + if (tb) tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))); // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement') ta.addClass('hiddenelement')
grade/grading/form/rubric/renderer.php+6 −6 modified@@ -79,13 +79,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr } $criteriontemplate .= html_writer::end_tag('td'); // .controls $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][description]', 'value' => $criterion['description'])); } - $description = $criterion['description']; + $description = s($criterion['description']); } $descriptionclass = 'description'; if (isset($criterion['error_description'])) { 
@@ -111,12 +111,12 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $currentremark = $value['remark']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) { - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); } else if ($mode == gradingform_rubric_controller::DISPLAY_EVAL_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); }else if ($mode == gradingform_rubric_controller::DISPLAY_REVIEW || $mode == gradingform_rubric_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); } } $criteriontemplate .= html_writer::end_tag('tr'); // .criterion 
@@ -169,15 +169,15 @@ public function level_template($mode, $options, $elementname = '{NAME}', $criter $leveltemplate = html_writer::start_tag('td', $tdattributes); $leveltemplate .= html_writer::start_tag('div', array('class' => 'level-wrapper')); if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FULL) { - $definition = html_writer::tag('textarea', htmlspecialchars($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); + $definition = html_writer::tag('textarea', s($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); $score = html_writer::label(get_string('criterionempty', 'gradingform_rubric'), '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', false, array('class' => 'accesshide')); $score .= html_writer::empty_tag('input', array('type' => 'text','id' => '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'size' => '3', 'value' => $level['score'])); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'value' => $level['definition'])); $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'value' => $level['score'])); } - $definition = $level['definition']; + $definition = s($level['definition']); $score = $level['score']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) {
grade/grading/form/rubric/rubriceditor.php+1 −0 modified@@ -106,6 +106,7 @@ public function toHtml() { if (!$this->_flagFrozen) { $mode = gradingform_rubric_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_rubriceditor', 'fullpath'=>'/grade/grading/form/rubric/js/rubriceditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array(array('confirmdeletecriterion', 'gradingform_rubric'), array('confirmdeletelevel', 'gradingform_rubric'), array('criterionempty', 'gradingform_rubric'), array('levelempty', 'gradingform_rubric') ));
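Review bot: same hunks and offsets as 555ee08b17df and 1f8eb0842835, a further branch of the same change. Two style nits in lines adjacent to the changes: renderer.php @@ -111 has "}else if (" without a space before else on the line immediately preceding the changed DISPLAY_REVIEW line, and the ternary assignment in the rubriceditor.js context has no semicolon while the two new lines end with one. Since the patch already touches these lines, normalising them costs nothing. The one substantive gap applies on this branch as well: $score = $level['score'] in level_template is still unescaped next to the new s($level['definition']).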
f25f472be425 MDL-46223 Improve the rubric output
3 files changed · +9 −8
grade/grading/form/rubric/js/rubriceditor.js+2 −2 modified@@ -93,8 +93,8 @@ M.gradingform_rubriceditor.editmode = function(el, editmode, focustb) { value = (el.hasClass('level')) ? M.str.gradingform_rubric.levelempty : M.str.gradingform_rubric.criterionempty taplain.addClass('empty') } - taplain.one('.textvalue').set('innerHTML', value) - if (tb) tbplain.one('.textvalue').set('innerHTML', tb.get('value')) + taplain.one('.textvalue').set('innerHTML', Y.Escape.html(value)); + if (tb) tbplain.one('.textvalue').set('innerHTML', Y.Escape.html(tb.get('value'))); // hide/display textarea, textbox and plaintexts taplain.removeClass('hiddenelement') ta.addClass('hiddenelement')
grade/grading/form/rubric/renderer.php+6 −6 modified@@ -74,13 +74,13 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr } $criteriontemplate .= html_writer::end_tag('td'); // .controls $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); - $description = html_writer::tag('textarea', htmlspecialchars($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); + $description = html_writer::tag('textarea', s($criterion['description']), array('name' => '{NAME}[criteria][{CRITERION-id}][description]', 'cols' => '10', 'rows' => '5')); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][sortorder]', 'value' => $criterion['sortorder'])); $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][description]', 'value' => $criterion['description'])); } - $description = $criterion['description']; + $description = s($criterion['description']); } $descriptionclass = 'description'; if (isset($criterion['error_description'])) { 
@@ -106,12 +106,12 @@ public function criterion_template($mode, $options, $elementname = '{NAME}', $cr $currentremark = $value['remark']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) { - $input = html_writer::tag('textarea', htmlspecialchars($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); + $input = html_writer::tag('textarea', s($currentremark), array('name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'cols' => '10', 'rows' => '5')); $criteriontemplate .= html_writer::tag('td', $input, array('class' => 'remark')); } else if ($mode == gradingform_rubric_controller::DISPLAY_EVAL_FROZEN) { $criteriontemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][remark]', 'value' => $currentremark)); }else if ($mode == gradingform_rubric_controller::DISPLAY_REVIEW || $mode == gradingform_rubric_controller::DISPLAY_VIEW) { - $criteriontemplate .= html_writer::tag('td', $currentremark, array('class' => 'remark')); // TODO maybe some prefix here like 'Teacher remark:' + $criteriontemplate .= html_writer::tag('td', s($currentremark), array('class' => 'remark')); } } $criteriontemplate .= html_writer::end_tag('tr'); // .criterion 
@@ -163,15 +163,15 @@ public function level_template($mode, $options, $elementname = '{NAME}', $criter $leveltemplate = html_writer::start_tag('td', $tdattributes); $leveltemplate .= html_writer::start_tag('div', array('class' => 'level-wrapper')); if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FULL) { - $definition = html_writer::tag('textarea', htmlspecialchars($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); + $definition = html_writer::tag('textarea', s($level['definition']), array('name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'cols' => '10', 'rows' => '4')); $score = html_writer::label(get_string('criterionempty', 'gradingform_rubric'), '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', false, array('class' => 'accesshide')); $score .= html_writer::empty_tag('input', array('type' => 'text','id' => '{NAME}criteria{CRITERION-id}levels{LEVEL-id}', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'size' => '3', 'value' => $level['score'])); } else { if ($mode == gradingform_rubric_controller::DISPLAY_EDIT_FROZEN) { $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][definition]', 'value' => $level['definition'])); $leveltemplate .= html_writer::empty_tag('input', array('type' => 'hidden', 'name' => '{NAME}[criteria][{CRITERION-id}][levels][{LEVEL-id}][score]', 'value' => $level['score'])); } - $definition = $level['definition']; + $definition = s($level['definition']); $score = $level['score']; } if ($mode == gradingform_rubric_controller::DISPLAY_EVAL) {
grade/grading/form/rubric/rubriceditor.php+1 −0 modified@@ -85,6 +85,7 @@ public function toHtml() { if (!$this->_flagFrozen) { $mode = gradingform_rubric_controller::DISPLAY_EDIT_FULL; $module = array('name'=>'gradingform_rubriceditor', 'fullpath'=>'/grade/grading/form/rubric/js/rubriceditor.js', + 'requires' => array('base', 'dom', 'event', 'event-touch', 'escape'), 'strings' => array(array('confirmdeletecriterion', 'gradingform_rubric'), array('confirmdeletelevel', 'gradingform_rubric'), array('criterionempty', 'gradingform_rubric'), array('levelempty', 'gradingform_rubric') ));
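Review bot: this branch's hunks sit at different offsets (@@ -74, -106, -163, -85), and the @@ -106 hunk also drops the trailing comment "// TODO maybe some prefix here like 'Teacher remark:'" from the DISPLAY_REVIEW line. Removing a TODO is unrelated to the escaping fix; if it is intentional the commit message should say so, otherwise keep it so the branches stay textually aligned with the other MDL-46223 commits. The substantive points are the same as on the other branches: $score = $level['score'] in level_template is still unescaped beside the new s($level['definition']), and the DISPLAY_REVIEW / DISPLAY_VIEW remark is now rendered through s(), which changes how any markup in already-stored remarks displays.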
References
- github.com/advisories/GHSA-m8f5-9wg8-2c3h (GHSA, advisory)
- moodle.org/mod/forum/discuss.php (NVD, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-3551 (GHSA, advisory)
- openwall.com/lists/oss-security/2014/07/21/1 (NVD, web)
- github.com/moodle/moodle/commit/1f8eb0842835bcd1ea72b2d2982e0b5c8bc133bb (GHSA, web)
- github.com/moodle/moodle/commit/2c0b608cda12540de79aac0ee6952dda2c8ed947 (GHSA, web)
- github.com/moodle/moodle/commit/470a466d7f1e0aef030ad2178bbef5a81765c42e (GHSA, web)
- github.com/moodle/moodle/commit/4fc5861cbacdc2f4197faebd3d207d2811e0f09f (GHSA, web)
- github.com/moodle/moodle/commit/555ee08b17dfe09e02391be137f60fe38c0a7865 (GHSA, web)
- github.com/moodle/moodle/commit/666248c264642e5ca27601b347fc6913517e2853 (GHSA, web)
- github.com/moodle/moodle/commit/68299e6154ae41b7e586904fd1b860cad7f65654 (GHSA, web)
- github.com/moodle/moodle/commit/72d1a3ab0b002a9a5f32f3c2b61ffc9fa7f7b789 (GHSA, web)
- github.com/moodle/moodle/commit/7f4db6f4d9014370df0265ab846ad76235af0cae (GHSA, web)
- github.com/moodle/moodle/commit/8380722bb11f36d33308580aee169e161d3f2c14 (GHSA, web)
- github.com/moodle/moodle/commit/8ecc049f7f020086c1881bdf573af16cf2d9f9c9 (GHSA, web)
- github.com/moodle/moodle/commit/98d5566c2270e21cbfaf1f4e8d61039f05d6aae2 (GHSA, web)
- github.com/moodle/moodle/commit/b5dacb548800ee10d4940c8ebeca48c3c2ae0512 (GHSA, web)
- github.com/moodle/moodle/commit/db5a6e6560c963849f8807184ca32efee6779264 (GHSA, web)
- github.com/moodle/moodle/commit/e42b6e20bdd5d6f09bc09be22fd7f20736e27085 (GHSA, web)
- github.com/moodle/moodle/commit/eb1381de1dbcce0215dcdd62cfac4fe287beed4e (GHSA, web)
- github.com/moodle/moodle/commit/f25f472be425d6ef8aa587648dafda1bd4d1c5d8 (GHSA, web)
- web.archive.org/web/20200228170658/http://www.securityfocus.com/bid/68763 (GHSA, web)
- www.securityfocus.com/bid/68763 (NVD)