MDL-16115 Password unmask form fields do not work with XHTML strict headers

lib/form/passwordunmask.php

@@ -22,11 +22,36 @@ class MoodleQuickForm_passwordunmask extends MoodleQuickForm_password {
             $unmask = get_string('unmaskpassword', 'form');
             $unmaskjs = '<script type="text/javascript">
 //<![CDATA[
-document.write(\'<div class="unmask"><input id="'.$id.'unmask" value="1" type="checkbox" onclick="unmaskPassword(\\\''.$id.'\\\')"/><label for="'.$id.'unmask">'.addslashes_js($unmask).'<\/label><\/div>\');
-document.getElementById("'.$this->getAttribute('id').'").setAttribute("autocomplete", "off");
+
+var is_ie = (navigator.userAgent.toLowerCase().indexOf("msie") != -1);
+
+document.getElementById("'.$id.'").setAttribute("autocomplete", "off");
+
+var unmaskdiv = document.getElementById("'.$id.'unmaskdiv");
+
+var unmaskchb = document.createElement("input");
+unmaskchb.setAttribute("type", "checkbox");
+unmaskchb.setAttribute("id", "'.$id.'unmask");
+unmaskchb.onchange = function() {unmaskPassword("'.$id.'");};
+unmaskdiv.appendChild(unmaskchb);
+
+var unmasklbl = document.createElement("label");
+unmasklbl.innerHTML = "'.addslashes_js($unmask).'";
+if (is_ie) {
+  unmasklbl.setAttribute("htmlFor", "'.$id.'unmask");
+} else {
+  unmasklbl.setAttribute("for", "'.$id.'unmask");
+}
+unmaskdiv.appendChild(unmasklbl);
+
+if (is_ie) {
+  // ugly hack to work around the famous onchange IE bug
+  unmaskchb.onclick = function() {this.blur();};
+  unmaskdiv.onclick = function() {this.blur();};
+}
 //]]>
 </script>';
-            return $this->_getTabs() . '<input' . $this->_getAttrString($this->_attributes) . ' />'.$unmaskjs;
+            return $this->_getTabs() . '<input' . $this->_getAttrString($this->_attributes) . ' /><div class="unmask" id="'.$id.'unmaskdiv"></div>'.$unmaskjs;
         }
     } //end func toHtml