From 9c61fdd384b4d52632ae83f3a1f4959bad3e1c33 Mon Sep 17 00:00:00 2001
From: Ben Fesili <ben.fesili@totara.com>
Date: Thu, 1 Jun 2023 15:59:26 +1200
Subject: [PATCH] Fixed potential XSS issue

The index page does not sanitize the activity name after retrieving it from the database and before writing it into the page's HTML, allowing for potential XSS to take place.
---
 index.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/index.php b/index.php
index 1c5c2ec..3dc4c7f 100644
--- a/index.php
+++ b/index.php
@@ -128,6 +128,7 @@ foreach ($h5ps as $h5p) {
 
     // Activity name.
     $attrs = ($h5p->visible ? '' : ' class="dimmed"');
+    $h5p->name = format_string($h5p->name);
     $row[] = "<a href=\"view.php?id={$h5p->coursemodule}\"{$attrs}>{$h5p->name}</a>";
 
     // Activity type.
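Review bot: The added line `$h5p->name = format_string($h5p->name);` overwrites the record field in place, so any later use of `$h5p->name` in this iteration would see the already-formatted value and could be formatted a second time; the foreach body continues outside the hunk, so that cannot be ruled out from here. A local variable keeps the raw value intact: `$name = format_string($h5p->name, true, ['context' => context_module::instance($h5p->coursemodule)]);`, with `{$name}` used in the link. Passing the module context explicitly also stops the call from depending on whatever page context happens to be set when filters are chosen. It is worth confirming that the other columns built in this loop do not print database text unformatted, since only the name is covered by this change.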
-- 
GitLab