From: Vincent Vanwaelscappel
Date: Thu, 15 Oct 2020 10:06:00 +0000 (+0200)
Subject: wait #3924 @0.5
X-Git-Url: http://git.cubedesigners.com/?a=commitdiff_plain;h=f7dcc0d174fe3523b2d68edb7dbe6f97f01c7ef4;p=fluidbook-toolbox.git
wait #3924 @0.5
---
diff --git a/app/Models/Quiz.php b/app/Models/Quiz.php
index 77947992e..cadee9359 100644
--- a/app/Models/Quiz.php
+++ b/app/Models/Quiz.php
@@ -265,19 +265,19 @@ class Quiz extends CubistMagicAbstractModel
 $xq->addAttribute('count', $question['count_for_score'] ? '1' : '0');
 $xq->addAttribute('type', $question['type']);
 $xq->addAttribute('min_score', $question['min_score']);
- $xq->addChild('label', $question['question']);
+ $xq->addChild('label', htmlspecialchars($question['question']));
 if ($question['type'] === 'multiple') {
 $xas = $xq->addChild('answers');
 foreach ($question['answers'] as $answer) {
- $xa = $xas->addChild('answer', $answer['answer']);
+ $xa = $xas->addChild('answer', htmlspecialchars($answer['answer']));
 if ($answer['correct']) {
 $xa->addAttribute('correct', '1');
 }
 }
 } else {
- $xq->addAttribute('placeholder', $question['placeholder']);
+ $xq->addAttribute('placeholder', htmlspecialchars($question['placeholder']));
 }
- $xq->addChild('correction', $question['explaination']);
+ $xq->addChild('correction', htmlspecialchars($question['explaination']));
 }
 file_put_contents($dest . '/data.xml', tidy_repair_string($xml->asXML(), ['input-xml' => 1, 'indent' => 1, 'wrap' => 0]));
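Review bot: The `htmlspecialchars()` added around the `placeholder` value will most likely double-encode it, because `SimpleXMLElement::addAttribute()` (unlike `addChild()`) already escapes its value on serialization, so an `&` in a placeholder would reach data.xml as `&amp;amp;`. That line can stay `$xq->addAttribute('placeholder', $question['placeholder']);`, which matches how the untouched `type` and `min_score` attributes are written. The three `addChild()` calls do need the escaping, but the default flags target HTML and, on PHP before 8.1, return an empty string for input with invalid UTF-8, which would silently drop the question text. Passing the flags explicitly states the XML intent: `htmlspecialchars($question['question'], ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The enclosing method starts and ends outside this hunk, so how `$question` is populated or validated is not visible here.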