From 78a492330db62e5d03907626db672742280f80b6 Mon Sep 17 00:00:00 2001
From: Tim Hunt
Date: Tue, 17 Sep 2013 18:26:53 +0100
Subject: [PATCH] MDL-41820 XSS in the quiz responses report.

Thanks to Michael Hess for finding this bug and reporting it to us.
---
 mod/quiz/report/responses/responses_table.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mod/quiz/report/responses/responses_table.php b/mod/quiz/report/responses/responses_table.php
index a5a0c094d83..3c9c7c9f458 100644
--- a/mod/quiz/report/responses/responses_table.php
+++ b/mod/quiz/report/responses/responses_table.php
@@ -97,6 +97,11 @@ class quiz_responses_table extends quiz_attempts_report_table {
 $summary = trim($stepdata->$field);
 }

+ if ($this->is_downloading() && $this->is_downloading() != 'xhtml') {
+ return $summary;
+ }
+ $summary = s($summary);
+
 if ($this->is_downloading() || $field != 'responsesummary') {
 return $summary;
 }
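Review bot: The early return on the first added line fails open: every download format other than the literal `'xhtml'` receives the raw, student-supplied `$summary`, so an HTML-rendering export format added later would bypass `s()` without this method being touched. Calling `is_downloading()` once and comparing strictly would make the intent explicit, e.g. `$download = $this->is_downloading();` then `if ($download && $download !== 'xhtml') {`, with a comment such as `// Only plain-text export writers may receive the unescaped summary; anything rendered as HTML must go through s().` The raw path also passes response text unchanged to whatever non-HTML export writers exist; whether they neutralise cell values that a spreadsheet would interpret as formulas is not visible here and is worth confirming. The method begins and ends outside the hunk, so the later use of the already-escaped `$summary` after the second `if` cannot be checked for double escaping from this view.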