Merge pull request #702 from MITx/kimth/fix-dynamath

Escape quotations, lt/gt, ampersand
2012-09-16 12:30:22 -07:00
parent 9b6007fc13 1dfd222b98
commit b681e2bd94
1 changed files with 4 additions and 0 deletions
--- a/common/lib/capa/capa/inputtypes.py
+++ b/common/lib/capa/capa/inputtypes.py
@@ -333,6 +333,10 @@ def textline_dynamath(element, value, status, render_template, msg=''):
    if '' in preprocessor.values():
        preprocessor = None

+    # Escape characters in student input for safe XML parsing
+    escapedict = {'"': '&quot;'}
+    value = saxutils.escape(value, escapedict)
+
    context = {'id': eid, 'value': value, 'state': status, 'count': count, 'size': size,
               'msg': msg, 'hidden': hidden,
               'preprocessor': preprocessor,