MDL-47494 ddmarker: OU-2407 allow tags in markers

relaxed form validation and hardened js
moodle · Nov 29, 2011 · 5a34e0b · 5a34e0b
1 parent 7401a91
commit 5a34e0b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 5 deletions.
diff --git a/question/type/ddmarker/edit_ddmarker_form.php b/question/type/ddmarker/edit_ddmarker_form.php
@@ -17,6 +17,8 @@
 require_once($CFG->dirroot.'/question/type/ddimageortext/edit_ddtoimage_form_base.php');
 require_once($CFG->dirroot.'/question/type/ddmarker/shapes.php');
 
+define('QTYPE_DDMARKER_ALLOWED_TAGS_IN_MARKER', '<br><i><em><b><strong><sup><sub><u>');
+
 /**
  * Defines the editing form for the drag-and-drop images onto images question type.
  *
@@ -241,9 +243,10 @@ public function validation($data, $files) {
         }
         for ($dragindex=0; $dragindex < $data['noitems']; $dragindex++) {
             $label = $data['drags'][$dragindex]['label'];
-            if ($label != strip_tags($label)) {
+            if ($label != strip_tags($label, QTYPE_DDMARKER_ALLOWED_TAGS_IN_MARKER)) {
                 $errors["drags[{$dragindex}]"]
-                                        = get_string('formerror_notagsallowed', 'qtype_ddmarker');
+                    = get_string('formerror_onlysometagsallowed', 'qtype_ddmarker',
+                                  QTYPE_DDMARKER_ALLOWED_TAGS_IN_MARKER);
             }
         }
         return $errors;

diff --git a/question/type/ddmarker/lang/en/qtype_ddmarker.php b/question/type/ddmarker/lang/en/qtype_ddmarker.php
@@ -45,7 +45,7 @@
 $string['formerror_nobgimage'] = 'You need to select an image to use as the background for the drag and drop area.';
 $string['formerror_noitemselected'] = 'You have specified a drop zone but not chosen a marker that must be dragged to the zone';
 $string['formerror_nosemicolons'] = 'There are no semicolons in your coordinates string. Your coordinates for a {$a->shape} should be expressed as - {$a->coordsstring}.';
-$string['formerror_notagsallowed'] = 'No html tags are allowed in the label for a marker';
+$string['formerror_onlysometagsallowed'] = 'Only "{$a}" tags are allowed in the label for a marker';
 $string['formerror_onlyusewholepositivenumbers'] = 'Please use only whole positive numbers to specify x,y coords and/or width and height of shapes. Your coordinates for a {$a->shape} should be expressed as - {$a->coordsstring}.';
 $string['formerror_polygonmusthaveatleastthreepoints'] = 'For a polygon shape you need to specify at least 3 points. Your coordinates for a {$a->shape} should be expressed as - {$a->coordsstring}.';
 $string['formerror_shapeoutsideboundsofbgimage'] = 'The shape you have defined goes out of the bounds of the background image';

diff --git a/question/type/ddmarker/yui/form/form.js b/question/type/ddmarker/yui/form/form.js
@@ -100,7 +100,7 @@ YUI.add('moodle-qtype_ddmarker-form', function(Y) {
             for (var i=0; i < this.form.get_form_value('noitems', []); i++) {
                 var label = this.get_marker_text(i);
                 if (label !== "") {
-                    dragitemsoptions[i] = label;
+                    dragitemsoptions[i] = Y.Escape.html(label);
                 }
             }
             var selectedvalues = [];
@@ -234,5 +234,5 @@ YUI.add('moodle-qtype_ddmarker-form', function(Y) {
         return new DDMARKER_FORM(config);
     }
 }, '@VERSION@', {
-    requires:['moodle-qtype_ddmarker-dd', 'form_filepicker', 'graphics']
+    requires:['moodle-qtype_ddmarker-dd', 'form_filepicker', 'graphics', 'escape']
 });