This "feature" was used to partially eliminate XSS attacks on vulnerable code. Developers MUST use clean_text() on HTML text fragments only; it cannot be used on random HTML tag attributes.
This change may make exploiting vulnerable code a bit simpler, but every XSS cheat sheet contains information on how to work around this outdated anti-XSS measure.
Please note this change fixes many problems with valid uses of language= or onXXXXX=, such as in URLs, TeX, code samples, etc.
Theme images, CSS and JS are broken by PHP error messages, which creates major problems for production sites with error display enabled, because the files are cached indefinitely. It is better to send the errors and notices to logs only; in any case all developers must learn to use error logs.
The trouble is that dml driver methods (insert, update, select) are not guaranteed to return the same exception class for various DB problems and coding style issues. The recommended practice is to catch dml_exception only.
- In the rubric editor the line 'Current rubric status' is hidden if there is no status yet
- If present, the style of the status is the same as on the manage.php page
- For a newly created rubric the 'Add criterion' button is pre-pressed automatically
- Changed JavaScript to work for Mac browsers' default settings and for iPad
- MDL-30269: added explanation message about score to grade mapping
- Fixed bug with non-JavaScript 'Add criterion' behaviour
I ran the software through the certification and caught a few nits:
The error return is 'failure' not 'error'
The spec says that it needs to return 'failure' for out of range or non-numeric grades
The result score needs a language tag, hard-coded as 'en'
Setting a grade multiplied by 100 but reading the grade did not divide by 100
All those are now fixed with this patch as well as this bit of cruft:
I removed the "extension service url" as it is not implemented in service.php
Feel free to review and adjust - probably the one place you might want to refactor is that I put code to catch out-of-range and non-numeric grades in lti_parse_grade_replace_message and threw an exception on error, and then caught it in service.php and sent back the 'failure' message. Feel free to refactor a bit if you see this done in a cleaner manner.