From f53500a5911193068925e60e5bdb3595161c6d54 Mon Sep 17 00:00:00 2001 From: Glenn Rice Date: Thu, 3 Jul 2025 06:56:20 -0500 Subject: [PATCH] Fix a potential XSS vulnerability in the past answers table (the Answer Log). If MathQuill is enabled and a student types `"` and submits the answer, then that script is executed if an instructor views the answer on the past answers page. If MathQuill is not enabled, and a student simply enters `` the same thing happens. This is due to a change in #1899 to make the special character `޲` used to separate array answers (usually coming from checkbox answers) display correctly. To fix this better handling of answers with that character is needed. So this splits the student answers on that character, and now DOES html escape all other parts of the student answer again, but directly inserts the `⍮` characters without escaping. The effect is that answers will still be displayed the same as they were before other than scripts in the answer. Those will now actually appear as text. Note that is the same as it would have been before #1899. --- .../Instructor/ShowAnswers/past-answers-table.html.ep | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/ContentGenerator/Instructor/ShowAnswers/past-answers-table.html.ep b/templates/ContentGenerator/Instructor/ShowAnswers/past-answers-table.html.ep index b2a66d8109..c3d381e199 100644 --- a/templates/ContentGenerator/Instructor/ShowAnswers/past-answers-table.html.ep +++ b/templates/ContentGenerator/Instructor/ShowAnswers/past-answers-table.html.ep @@ -53,7 +53,11 @@ % if ($answer eq '') { <%= maketext('empty') %> % } else { - <%== $answer =%> + % my @parts = split("⍮", $answer); + % for (0 .. $#parts - 1) { + <%= $parts[$_] =%>⍮\ + % } + <%= $parts[-1] =%> % } % }
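Review bot: the split in the first added line of the hunk drops trailing empty fields, so an answer that ends with one or more `⍮` separators (or consists only of them) no longer renders the trailing separators that the old raw `<%== $answer =%>` output showed, and when every field is empty `@parts` is an empty list, the `0 .. $#parts - 1` loop does nothing and `<%= $parts[-1] =%>` reads an undefined element (a "Use of uninitialized value" warning in the log). A negative limit keeps the trailing fields, and since the first argument to split is a pattern anyway, a regex literal is clearer than a string that gets compiled as one: `% my @parts = split(/⍮/, $answer, -1);`. With that change the loop and the final `<%= $parts[-1] =%>` behave as intended for every input, including the single-field case where the loop body never runs; the escaping of each part via `<%=` is correct and is the actual fix here.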