From 1dfd222b9850dccf90cebd8434a8f8ef95df1503 Mon Sep 17 00:00:00 2001
From: kimth
Date: Sun, 16 Sep 2012 14:50:40 -0400
Subject: [PATCH] Escape quotations, lt/gt, ampersand
---
 common/lib/capa/capa/inputtypes.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common/lib/capa/capa/inputtypes.py b/common/lib/capa/capa/inputtypes.py
index 187d2fd422..9ae63fb43a 100644
--- a/common/lib/capa/capa/inputtypes.py
+++ b/common/lib/capa/capa/inputtypes.py
@@ -333,6 +333,10 @@ def textline_dynamath(element, value, status, render_template, msg=''):
 if '' in preprocessor.values():
 preprocessor = None
+ # Escape characters in student input for safe XML parsing
+ escapedict = {'"': '"'}
+ value = saxutils.escape(value, escapedict)
+
 context = {'id': eid, 'value': value, 'state': status, 'count': count, 'size': size, 'msg': msg, 'hidden': hidden, 'preprocessor': preprocessor,
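Review bot: The added `escapedict = {'"': '"'}` maps a double quote to itself as shown on this page, so the second argument to `saxutils.escape` changes nothing and only `&`, `<` and `>` are escaped. Unless that is an artefact of the page rendering `&quot;` as a literal quote, student input containing `"` would still reach the template unescaped, which presumably matters if `value` is rendered inside a quoted attribute. The mapping should read `escapedict = {'"': '&quot;', "'": '&apos;'}` so that both quote styles are covered whichever delimiter the template uses. The diffstat lists only these four insertions, so `saxutils` has to be imported already in inputtypes.py; that is worth confirming, since otherwise the new call raises NameError. The body of `textline_dynamath` starts and ends outside the hunk, so how `context` is rendered and parsed is not visible here.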