46643: Exercise: Stored XSS with TinyMCE/Rich..., part ii

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: alex40724

components/ILIAS/Exercise/Submission/class.ilExSubmissionTextGUI.php

@@ -202,7 +202,7 @@ public function updateAssignmentTextObject(
         // we are not using a purifier, so we have to set the valid RTE tags
         // :TODO:
         $rte = $form->getItemByPostVar("atxt");
-        $rte->setRteTags(ilObjAdvancedEditing::_getUsedHTMLTags("exc_ass"));
+        $rte->setRteTagSet("mini");
 
         if ($form->checkInput()) {
             $text = trim($form->getInput("atxt"));

components/ILIAS/Exercise/classes/class.ilExcTextSubmissionPurifier.php

@@ -36,7 +36,7 @@ protected function getPurifierConfigInstance(): HTMLPurifier_Config
         $config->set('Cache.SerializerPath', ilHtmlPurifierAbstractLibWrapper::_getCacheDirectory());
         $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
 
-        $tags = ilObjAdvancedEditing::_getUsedHTMLTags("exc_ass");
+        $tags = self::TAGSET;
         $tags = $this->makeElementListTinyMceCompliant($tags);
         $config->set('HTML.AllowedElements', $this->removeUnsupportedElements($tags));
         $config->set('HTML.ForbiddenAttributes', 'div@style');