From f94d9f6ed709ee93629f1c0654a2a17e2a3042a3 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Thu, 5 Aug 2021 09:30:16 +0200
Subject: [PATCH] Exercises: add remove_xss

---
 main/exercise/exercise.class.php | 10 ++++++++++
 main/exercise/question_list_admin.inc.php | 6 ++----
 main/inc/lib/exercise_show_functions.lib.php | 4 ++--
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/main/exercise/exercise.class.php b/main/exercise/exercise.class.php
index 693f951475..007fa7e97c 100755
--- a/main/exercise/exercise.class.php
+++ b/main/exercise/exercise.class.php
@@ -3879,8 +3879,18 @@ class Exercise
 $answerDestination = null;
 $userAnsweredQuestion = false;
 $correctAnswerId = [];
+
+ $userStatus = STUDENT;
+ // Allows to do a remove_XSS in question of exercise with user status COURSEMANAGER
+ // see BT#18242
+ if (api_get_configuration_value('question_exercise_html_strict_filtering')) {
+ $userStatus = COURSEMANAGERLOWSECURITY;
+ }
+
 for ($answerId = 1; $answerId <= $nbrAnswers; $answerId++) {
 $answer = $objAnswerTmp->selectAnswer($answerId);
+ $answer = Security::remove_XSS($answer, $userStatus);
+
 $answerComment = $objAnswerTmp->selectComment($answerId);
 $answerCorrect = $objAnswerTmp->isCorrect($answerId);
 $answerWeighting = (float) $objAnswerTmp->selectWeighting($answerId);
diff --git a/main/exercise/question_list_admin.inc.php b/main/exercise/question_list_admin.inc.php
index 6dbb54ade9..42199cfec5 100755
--- a/main/exercise/question_list_admin.inc.php
+++ b/main/exercise/question_list_admin.inc.php
@@ -337,8 +337,7 @@ if (!$inATest) {
 [$edit_link, $clone_link, $addImageLink, $delete_link]
 );
- $title = Security::remove_XSS($objQuestionTmp->selectTitle());
- $title = strip_tags($title);
+ $title = Security::remove_XSS(strip_tags($objQuestionTmp->selectTitle()));
 $move = ' ';
 if ($allowQuestionOrdering) {
 $move = Display::returnFontAwesomeIcon('arrows moved', 1, true);
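Review bot: The comment above the new `$userStatus` block says the filter runs "with user status COURSEMANAGER", but the code assigns `COURSEMANAGERLOWSECURITY` when `question_exercise_html_strict_filtering` is enabled, so a setting whose name says "strict filtering" selects the least restrictive purifier profile; either the comment or the constant looks wrong, and the intended mapping should be stated explicitly, e.g. `// strict_filtering on: answers are teacher-authored, use the permissive (low-security) purifier profile; off: STUDENT profile`. The purified `$answer` is then carried into the rest of the loop, and the enclosing method continues outside the hunk; if that same string is what is later compared with the student's submission (question types that parse expected values out of the answer text), a purifier rewrite of entities or attributes changes the grading input, so filtering at render time, as the exercise_show_functions.lib.php hunks do, would be the safer place. Worth confirming that no scoring path downstream depends on the unfiltered answer text.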
@@ -346,14 +345,13 @@ if (!$inATest) { // Question name $questionName = - ' + ' '.$move.' '.cut($title, 42).' '; // Question type $typeImg = $objQuestionTmp->getTypePicture(); $typeExpl = $objQuestionTmp->getExplanation(); - $questionType = Display::return_icon($typeImg, $typeExpl); // Question category diff --git a/main/inc/lib/exercise_show_functions.lib.php b/main/inc/lib/exercise_show_functions.lib.php index 036de0be9f..2b672d5e43 100755 --- a/main/inc/lib/exercise_show_functions.lib.php +++ b/main/inc/lib/exercise_show_functions.lib.php @@ -282,7 +282,7 @@ class ExerciseShowFunctions if (EXERCISE_FEEDBACK_TYPE_EXAM != $feedback_type) { $content .= ''; if ($studentChoice) { - $content .= ''.nl2br($answerComment).''; + $content .= ''.Security::remove_XSS(nl2br($answerComment)).''; } else { $content .= ' '; } @@ -575,7 +575,7 @@ class ExerciseShowFunctions if ($hide_expected_answer) { $color = ''; } - $content .= ''.nl2br($answerComment).''; + $content .= ''.Security::remove_XSS(nl2br($answerComment)).''; } $content .= ''; }
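Review bot: `Security::remove_XSS(nl2br($answerComment))` in the @@ -282 hunk, and the identical line in the @@ -575 hunk, use remove_XSS's default user-status profile, whereas the exercise.class.php hunk in this same commit makes the profile depend on `question_exercise_html_strict_filtering`; if teacher-authored comments are meant to keep the same allowed markup as the answers, the same status should be passed here, otherwise the two outputs are filtered by different rules. Because nl2br runs before the purifier, the inserted `<br />` tags are themselves subject to filtering, so it is worth confirming the default profile keeps them or the line breaks disappear. The duplicated expression could be a single private helper on the class, e.g. `private static function purifiedComment(string $answerComment): string { return Security::remove_XSS(nl2br($answerComment)); }`, so both call sites stay in step when the profile argument is decided. Both enclosing methods start outside their hunks.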