Moodle
  1. Moodle
  2. MDL-35343

JavaScript code visible in multichoice question response feedback

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.5, 2.3.2, 2.4
    • Fix Version/s: 2.2.6, 2.3.3
    • Component/s: Questions
    • Labels:
    • Testing Instructions:
      Hide

      1. Create a multiple-choice question with some JavaScript code in the specific feedback for one of the choices.

      2. Preview the question in Firefox, ensuring that all feedback is set to be displayed.

      3. Select the choice with the JS in the feedback, and submit.

      4. Verify that you cannot see the JS code. (You might think 'of course I can't see the JS code, but previously, it was showing up!)

      Show
      1. Create a multiple-choice question with some JavaScript code in the specific feedback for one of the choices. 2. Preview the question in Firefox, ensuring that all feedback is set to be displayed. 3. Select the choice with the JS in the feedback, and submit. 4. Verify that you cannot see the JS code. (You might think 'of course I can't see the JS code, but previously, it was showing up!)
    • Affected Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE, MOODLE_24_STABLE
    • Fixed Branches:
      MOODLE_22_STABLE, MOODLE_23_STABLE
    • Pull from Repository:
    • Pull Master Branch:
    • Rank:
      44017

      Description

      qtype_multichoice (and some others) contains the CSS

      .que.multichoice .answer .specificfeedback * {
          display: inline;
          background: #FFF3BF;
      }
      

      It seems that Firefox (at least) relies in a default rule

      script {
          display: none;
      }
      

      to hide the contents of the script tag, and we are overriding that.

      This also affects some other places in similar qtypes.

        Activity

        Hide
        Tim Hunt added a comment -

        This JS is getting worse and worse, but I think that, for now, this quick fix is the way to go.

        Show
        Tim Hunt added a comment - This JS is getting worse and worse, but I think that, for now, this quick fix is the way to go.
        Hide
        Tim Hunt added a comment -

        P.S. we found this at the OU, because we have a filter that outputs JS code as part of its output.

        Show
        Tim Hunt added a comment - P.S. we found this at the OU, because we have a filter that outputs JS code as part of its output.
        Hide
        Eloy Lafuente (stronk7) added a comment -

        Unbelievable and integrated (22, 23 & master), thanks!

        Show
        Eloy Lafuente (stronk7) added a comment - Unbelievable and integrated (22, 23 & master), thanks!
        Hide
        David Monllaó added a comment -

        It passes, tested in 22 and master with a "<p>asdf</p><script type="text/javascript">alert('asd');</script>", the Javascript is executed but not displayed.

        Show
        David Monllaó added a comment - It passes, tested in 22 and master with a "<p>asdf</p><script type="text/javascript">alert('asd');</script>", the Javascript is executed but not displayed.
        Hide
        Eloy Lafuente (stronk7) added a comment -

        Gutta cavat lapidem, non vi sed saepe cadendo - Ovidio

        This issue has been integrated upstream and is now available both via git and cvs (and in some hours, via mirrors and downloads).

        Thanks!

        Show
        Eloy Lafuente (stronk7) added a comment - Gutta cavat lapidem, non vi sed saepe cadendo - Ovidio This issue has been integrated upstream and is now available both via git and cvs (and in some hours, via mirrors and downloads). Thanks!

          People

          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: