JavaScript code visible in multichoice question response feedback

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.2.5, 2.3.2, 2.4
Fix Version/s: 2.2.6, 2.3.3
Component/s: Questions
Labels:
- triaged

Testing Instructions:

Hide

1. Create a multiple-choice question with some JavaScript code in the specific feedback for one of the choices.

2. Preview the question in Firefox, ensuring that all feedback is set to be displayed.

3. Select the choice with the JS in the feedback, and submit.

4. Verify that you cannot see the JS code. (You might think 'of course I can't see the JS code, but previously, it was showing up!)

Show
1. Create a multiple-choice question with some JavaScript code in the specific feedback for one of the choices. 2. Preview the question in Firefox, ensuring that all feedback is set to be displayed. 3. Select the choice with the JS in the feedback, and submit. 4. Verify that you cannot see the JS code. (You might think 'of course I can't see the JS code, but previously, it was showing up!)
Affected Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
Fixed Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE
Pull from Repository:
git://github.com/timhunt/moodle.git
Pull Master Branch:
~~MDL-35343~~
Pull Master Diff URL:
https://github.com/timhunt/moodle/compare/master...MDL-35343

Description

qtype_multichoice (and some others) contains the CSS

.que.multichoice .answer .specificfeedback * {
    display: inline;
    background: #FFF3BF;
}

It seems that Firefox (at least) relies in a default rule

script {
    display: none;
}

to hide the contents of the script tag, and we are overriding that.

This also affects some other places in similar qtypes.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Tim Hunt added a comment - 10/Sep/12 8:11 PM

This JS is getting worse and worse, but I think that, for now, this quick fix is the way to go.

Show

Tim Hunt added a comment - 10/Sep/12 8:11 PM This JS is getting worse and worse, but I think that, for now, this quick fix is the way to go.

Hide

Permalink

Tim Hunt added a comment - 10/Sep/12 8:12 PM

P.S. we found this at the OU, because we have a filter that outputs JS code as part of its output.

Show

Tim Hunt added a comment - 10/Sep/12 8:12 PM P.S. we found this at the OU, because we have a filter that outputs JS code as part of its output.

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 10/Sep/12 10:44 PM

Unbelievable and integrated (22, 23 & master), thanks!

Show

Eloy Lafuente (stronk7) added a comment - 10/Sep/12 10:44 PM Unbelievable and integrated (22, 23 & master), thanks!

Hide

Permalink

David Monllaó added a comment - 12/Sep/12 10:28 AM

It passes, tested in 22 and master with a "<p>asdf</p><script type="text/javascript">alert('asd');</script>", the Javascript is executed but not displayed.

Show

David Monllaó added a comment - 12/Sep/12 10:28 AM It passes, tested in 22 and master with a "<p>asdf</p><script type="text/javascript">alert('asd');</script>", the Javascript is executed but not displayed.

Hide

Permalink

Eloy Lafuente (stronk7) added a comment - 15/Sep/12 2:38 AM

Gutta cavat lapidem, non vi sed saepe cadendo - Ovidio

This issue has been integrated upstream and is now available both via git and cvs (and in some hours, via mirrors and downloads).

Thanks!

Show

Eloy Lafuente (stronk7) added a comment - 15/Sep/12 2:38 AM Gutta cavat lapidem, non vi sed saepe cadendo - Ovidio This issue has been integrated upstream and is now available both via git and cvs (and in some hours, via mirrors and downloads). Thanks!

People

Assignee:

Tim Hunt

Reporter:

Tim Hunt

Integrator:

Eloy Lafuente (stronk7)

Tester:

David Monllaó

Participants:

David Monllaó, Eloy Lafuente (stronk7), Tim Hunt

Vote (0)

Watch (1)

Dates

Created:

10/Sep/12 8:02 PM

Updated:

15/Sep/12 2:38 AM

Resolved:

15/Sep/12 2:38 AM

Agile

View on Board