Security: Exercise: remove XSS when showing feedback

AngelFQC · AngelFQC · commit 172e9fad41a3 · 2025-09-22T16:53:57.000-05:00
See advisory GHSA-59h4-34mx-m67m
diff --git a/main/inc/lib/exercise.lib.php b/main/inc/lib/exercise.lib.php
@@ -6258,6 +6258,8 @@ public static function getNotCorrectedYetText()
      */
     public static function getFeedbackText($message)
     {
+        $message = Security::remove_XSS($message);
+
         return Display::return_message($message, 'warning', false);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -6258,6 +6258,8 @@ public static function getNotCorrectedYetText()`
`6258`	`6258`	`*/`
`6259`	`6259`	`public static function getFeedbackText($message)`
`6260`	`6260`	`{`
	`6261`	`+ $message = Security::remove_XSS($message);`
	`6262`	`+`
`6261`	`6263`	`return Display::return_message($message, 'warning', false);`
`6262`	`6264`	`}`
`6263`	`6265`