Exercises: add remove_xss

main/exercise/exercise.class.php

@@ -3879,8 +3879,18 @@ class Exercise
         $answerDestination = null;
         $userAnsweredQuestion = false;
         $correctAnswerId = [];
+
+        $userStatus = STUDENT;
+        // Allows to do a remove_XSS in question of exercise with user status COURSEMANAGER
+        // see BT#18242
+        if (api_get_configuration_value('question_exercise_html_strict_filtering')) {
+            $userStatus = COURSEMANAGERLOWSECURITY;
+        }
+
         for ($answerId = 1; $answerId <= $nbrAnswers; $answerId++) {
             $answer = $objAnswerTmp->selectAnswer($answerId);
+            $answer = Security::remove_XSS($answer, $userStatus);
+
             $answerComment = $objAnswerTmp->selectComment($answerId);
             $answerCorrect = $objAnswerTmp->isCorrect($answerId);
             $answerWeighting = (float) $objAnswerTmp->selectWeighting($answerId);

main/exercise/question_list_admin.inc.php

@@ -337,8 +337,7 @@ if (!$inATest) {
                     [$edit_link, $clone_link, $addImageLink, $delete_link]
                 );
 
-                $title = Security::remove_XSS($objQuestionTmp->selectTitle());
-                $title = strip_tags($title);
+                $title = Security::remove_XSS(strip_tags($objQuestionTmp->selectTitle()));
                 $move = ' ';
                 if ($allowQuestionOrdering) {
                     $move = Display::returnFontAwesomeIcon('arrows moved', 1, true);
@@ -346,14 +345,13 @@ if (!$inATest) {
 
                 // Question name
                 $questionName =
-                    '<a href="#" title = "'.Security::remove_XSS($title).'">
+                    '<a href="#" title = "'.$title.'">
                         '.$move.' '.cut($title, 42).'
                     </a>';
 
                 // Question type
                 $typeImg = $objQuestionTmp->getTypePicture();
                 $typeExpl = $objQuestionTmp->getExplanation();
-
                 $questionType = Display::return_icon($typeImg, $typeExpl);
 
                 // Question category

main/inc/lib/exercise_show_functions.lib.php

@@ -282,7 +282,7 @@ class ExerciseShowFunctions
             if (EXERCISE_FEEDBACK_TYPE_EXAM != $feedback_type) {
                 $content .= '<td class="text-left" width="60%">';
                 if ($studentChoice) {
-                    $content .= '<span style="font-weight: bold; color: #008000;">'.nl2br($answerComment).'</span>';
+                    $content .= '<span style="font-weight: bold; color: #008000;">'.Security::remove_XSS(nl2br($answerComment)).'</span>';
                 } else {
                     $content .= '&nbsp;';
                 }
@@ -575,7 +575,7 @@ class ExerciseShowFunctions
                     if ($hide_expected_answer) {
                         $color = '';
                     }
-                    $content .= '<span style="font-weight: bold; color: '.$color.';">'.nl2br($answerComment).'</span>';
+                    $content .= '<span style="font-weight: bold; color: '.$color.';">'.Security::remove_XSS(nl2br($answerComment)).'</span>';
                 }
                 $content .= '</td>';
             }