From 638c39c7e4921bd428dc4df21eaa3a6480b1108c Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Thu, 10 Nov 2016 11:52:36 +0100
Subject: [PATCH] OO-2356: escape the content of the value

---
 .../ims/qti21/ui/components/_content/textEntryInteraction.html  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html b/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
index 40cd9f5128a..09f643c8bbc 100644
--- a/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
+++ b/src/main/java/org/olat/ims/qti21/ui/components/_content/textEntryInteraction.html
@@ -8,7 +8,7 @@
 #set($checkJavaScript = $r.checkJavaScript($responseDeclaration,$interaction.patternmask))
 <input name="qtiworks_presented_${responseIdentifier}" type="hidden" value="1"/>
 <span class="$localName">
-	<input id="od_${responseIdentifier}" type="text" name="qtiworks_response_${responseIdentifier}" #if($responseInputString && !$responseInputString.isEmpty()) value="$responseInputString" #else value="" #end #if(!$r.isItemSessionEnded()) $r.placeholder($interaction) #end #if($r.isItemSessionEnded()) disabled #end #if($isBadResponse) class='badResponse' #end #if($interaction.expectedLength) size='$interaction.expectedLength' #end #if($checks && $checks.size() > 0) onchange='$checkJavaScript' #end autocomplete="off"/>
+	<input id="od_${responseIdentifier}" type="text" name="qtiworks_response_${responseIdentifier}" #if($responseInputString && !$responseInputString.isEmpty()) value="$r.escapeHtml($responseInputString)" #else value="" #end #if(!$r.isItemSessionEnded()) $r.placeholder($interaction) #end #if($r.isItemSessionEnded()) disabled #end #if($isBadResponse) class='badResponse' #end #if($interaction.expectedLength) size='$interaction.expectedLength' #end #if($checks && $checks.size() > 0) onchange='$checkJavaScript' #end autocomplete="off"/>
 	#if($isBadResponse)
         <span class="badResponse">
 		#if($responseDeclaration.cardinality.toQtiString() == "record")
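Review bot: The escaping added to the `value` attribute only closes the hole if `$r.escapeHtml` encodes the double quote as well as `<`, `>` and `&`. Its implementation is not in this hunk, so that needs confirming, because an unencoded `"` in `$responseInputString` would still terminate the attribute. On the same line, `onchange='$checkJavaScript'` and `size='$interaction.expectedLength'` are still written raw into single-quoted attributes, and `$checkJavaScript` is derived from `$interaction.patternmask` (first context line), which presumably comes from the item content. If imported or authored items are not fully trusted, I would give them the same treatment, e.g. `onchange="$r.escapeHtml($checkJavaScript)"`, and check what `$r.placeholder($interaction)` emits into the tag. A Velocity comment above the input, such as `## every interpolated attribute value on this tag must be HTML-escaped`, would help later edits stay consistent.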
-- 
GitLab