manual grading: MDL-20581 Fix potential XSS problem.

Thanks to Penny for spotting this.
Merged from MOODLE_19_STABLE.

mod/quiz/db/access.php

@@ -65,7 +65,7 @@ $capabilities = array(
 
     // Manually grade and comment on student attempts at a question.
     'mod/quiz:grade' => array(
-        'riskbitmask' => RISK_SPAM | RISK_XSS,
+        'riskbitmask' => RISK_SPAM,
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'legacy' => array(
@@ -77,7 +77,7 @@ $capabilities = array(
 
     // Regrade quizzes.
     'mod/quiz:regrade' => array(
-        'riskbitmask' => RISK_SPAM | RISK_XSS,
+        'riskbitmask' => RISK_SPAM,
         'captype' => 'write',
         'contextlevel' => CONTEXT_MODULE,
         'legacy' => array(

mod/quiz/version.php

@@ -5,7 +5,7 @@
 //  This fragment is called by moodle_needs_upgrading() and /admin/index.php
 ////////////////////////////////////////////////////////////////////////////////
 
-$module->version  = 2009042000;   // The (date) version of this module
+$module->version  = 2009111900;   // The (date) version of this module
 $module->requires = 2009041700;   // Requires this Moodle version
 $module->cron     = 0;            // How often should cron check this module (seconds)?
 

question/type/questiontype.php

@@ -946,7 +946,10 @@ class default_questiontype {
             $grade .= question_format_grade($cmoptions, $question->maxgrade);
         }
 
-        $comment = $state->manualcomment;
+        $formatoptions = new stdClass;
+        $formatoptions->para = false;
+        $comment = format_text($state->manualcomment, FORMAT_HTML,
+                $formatoptions, $cmoptions->course);
         $commentlink = '';
 
         if (!empty($options->questioncommentlink)) {