Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-71022

Double escaping of user identity fields in grade history report

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • 3.9.6, 3.10.3
    • 3.9.4, 3.10.1
    • Gradebook
    • MOODLE_310_STABLE, MOODLE_39_STABLE
    • MOODLE_310_STABLE, MOODLE_39_STABLE
    • Hide
      1. Login as admin
      2. Navigate to Users > Permissions > User policies in site administration
      3. Select ID number for Show user identity and save changes
      4. Create a new user with ID number: 

        o'really<hi>

      5. Create a new course
      6. Enrol user on course as a student
      7. Add an assignment to the course
      8. Give a grade for the user in the assignment
      9. Press Grades in course navigation
      10. Select View > Grade history
      11. Press Select users
      12. Confirm the user is listed without double-escaped fields, like so: 

        User 01
        		 
        o'really<hi>, user1@example.com

      Show
      Login as admin Navigate to Users > Permissions > User policies in site administration Select ID number for Show user identity and save changes Create a new user with ID number: o'really<hi> Create a new course Enrol user on course as a student Add an assignment to the course Give a grade for the user in the assignment Press Grades in course navigation Select View > Grade history Press Select users Confirm the user is listed without double-escaped fields, like so: User 01 o'really<hi>, user1@example.com

      The user identity fields are already escaped when loading users: https://github.com/moodle/moodle/blob/95dd305cc6c84b5c6735df9e3506cebb79ac67f9/grade/report/history/users_ajax.php#L64-L66 doing so again client-side produces the following:

      Found while looking at MDL-65552

        1. image-2021-03-24-11-35-41-669.png
          image-2021-03-24-11-35-41-669.png
          10 kB
        2. MDL-71022.png
          MDL-71022.png
          20 kB

            pholden Paul Holden
            pholden Paul Holden
            Simey Lameze Simey Lameze
            Victor Déniz Falcón Victor Déniz Falcón
            Janelle Barcega Janelle Barcega
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 3 hours, 30 minutes
                3h 30m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.