#133 Prevent XSS in response rendering

CHANGELOG.md

@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org).
 
 ## [Unreleased]
+## [1.3.2] - 2024-05-03
+- Prevent XSS through responses in question types such as shortanswer
+
+## [1.3.1] - 2024-05-03
+- Fix problem adding questions to quiz after interacting with question bank form
+
+## [1.3.0] - 2024-04-28
+- Support Moodle 4.3 (question bank changes)
+- Remove some custom styling in favor of theme style
 
 ## [1.2.1] - 2023-08-21
 

ajax.php

@@ -367,7 +367,7 @@ function get_results(jazzquiz_session $session): array {
     $session->load_attempts();
     $slot = count($session->questions);
     $qtype = $session->get_question_type_by_slot($slot);
-    $results = $session->get_question_results_list($slot);
+    $results = $session->get_question_results_list($slot, true);
     list($results['responses'], $mergecount) = $session->get_merged_responses($slot, $results['responses']);
 
     // Check if this has been voted on before.

classes/exporter.php

@@ -129,7 +129,7 @@ public function export_session_question(jazzquiz_session $session, jazzquiz_atte
         $qattempt = $attempt->quba->get_question_attempt($slot);
         $question = $qattempt->get_question();
         $session->load_attempts();
-        $responses = $session->get_question_results_list($slot);
+        $responses = $session->get_question_results_list($slot, false);
         $responses = $responses['responses'];
         $name = 'session_ ' . $session->data->id . '_' . $session->data->name . '_' . $question->name;
         return [$name, $question->questiontext, $responses];

classes/jazzquiz_session.php

@@ -468,16 +468,20 @@ public function get_question_right_response(): string {
      * Gets the results of the current question as an array.
      *
      * @param int $slot
+     * @param bool $sanitized
      * @return array
      */
-    public function get_question_results_list(int $slot): array {
+    public function get_question_results_list(int $slot, bool $sanitized): array {
         $responses = [];
         $responded = 0;
         foreach ($this->attempts as $attempt) {
             if ($attempt->responded != 1) {
                 continue;
             }
             $attemptresponses = $attempt->get_response_data($slot);
+            if ($sanitized) {
+                $attemptresponses = array_map(fn($attemptresponse) => s($attemptresponse), $attemptresponses);
+            }
             $responses = array_merge($responses, $attemptresponses);
             $responded++;
         }

classes/output/renderer.php

@@ -290,7 +290,7 @@ public function view_session_report(jazzquiz_session $session, moodle_url $url):
         foreach ($attempt->quba->get_slots() as $qubaslot) {
             $qattempt = $attempt->quba->get_question_attempt($qubaslot);
             $question = $qattempt->get_question();
-            $results = $session->get_question_results_list($qubaslot);
+            $results = $session->get_question_results_list($qubaslot, true);
             list($results['responses'], $mergecount) = $session->get_merged_responses($qubaslot, $results['responses']);
             $slots[] = [
                 'num' => $qubaslot,

version.php

@@ -27,9 +27,9 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2024032201; // The current module version (Date: YYYYMMDDXX).
+$plugin->version = 2024032202; // The current module version (Date: YYYYMMDDXX).
 $plugin->requires = 2023100900; // Moodle 4.3 (or above).
 $plugin->cron = 0; // Period in seconds for cron to run.
 $plugin->component = 'mod_jazzquiz';
 $plugin->maturity = MATURITY_STABLE;
-$plugin->release = '1.3.1 (Build: 2024032201)';
+$plugin->release = '1.3.2 (Build: 2024032202)';