--- loncom/homework/grades.pm	2014/02/05 15:09:30	1.719
+++ loncom/homework/grades.pm	2014/02/11 14:29:10	1.720
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # The LON-CAPA Grading handler
 #
-# $Id: grades.pm,v 1.719 2014/02/05 15:09:30 bisitz Exp $
+# $Id: grades.pm,v 1.720 2014/02/11 14:29:10 kruse Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -330,6 +330,8 @@ sub cleanRecord {
     my $grayFont = '<span class="LC_internal_info">';
     if ($response =~ /^(option|rank)$/) {
 	my %answer=&Apache::lonnet::str2hash($answer);
+        my @answer = %answer;
+        %answer = map {&HTML::Entities::encode($_, '"<>&')}  @answer;
 	my %grading=&Apache::lonnet::str2hash($record->{$version."resource.$partid.$respid.submissiongrading"});
 	my ($toprow,$bottomrow);
 	foreach my $foil (@$order) {
@@ -346,6 +348,8 @@ sub cleanRecord {
 	    $bottomrow.'</tr></table></blockquote>';
     } elsif ($response eq 'match') {
 	my %answer=&Apache::lonnet::str2hash($answer);
+        my @answer = %answer;
+        %answer = map {&HTML::Entities::encode($_, '"<>&')}  @answer;
 	my %grading=&Apache::lonnet::str2hash($record->{$version."resource.$partid.$respid.submissiongrading"});
 	my @items=&Apache::lonnet::str2array($record->{$version."resource.$partid.$respid.submissionitems"});
 	my ($toprow,$middlerow,$bottomrow);
@@ -368,6 +372,8 @@ sub cleanRecord {
 	    $bottomrow.'</tr></table></blockquote>';
     } elsif ($response eq 'radiobutton') {
 	my %answer=&Apache::lonnet::str2hash($answer);
+        my @answer = %answer;
+        %answer = map {&HTML::Entities::encode($_, '"<>&')}  @answer;
 	my ($toprow,$bottomrow);
 	my $correct = 
 	    &get_radiobutton_correct_foil($partid,$respid,$symb,$uname,$udom,$type,$trial,$rndseed);
@@ -401,9 +407,10 @@ sub cleanRecord {
 	    $env{'form.'.$symb} = 1; # so that we don't have to read it from disk for multiple sub of the same prob.
 	}
 	$answer =~ s-\n-<br />-g;
-	return '<br /><br /><blockquote><tt>'.&keywords_highlight($answer).'</tt></blockquote>';
+	return '<br /><br /><blockquote><tt>'.&keywords_highlight(&HTML::Entities::encode($answer, '"<>&')).'</tt></blockquote>';
+
     } elsif ( $response eq 'organic') {
-	my $result='Smile representation: "<tt>'.$answer.'</tt>"';
+	my $result='Smile representation: "<tt>'.HTML::Entities::encode($answer, '"<>&').'</tt>"';
 	my $jme=$record->{$version."resource.$partid.$respid.molecule"};
 	$result.=&Apache::chemresponse::jme_img($jme,$answer,400);
 	return $result;
@@ -442,8 +449,9 @@ sub cleanRecord {
 	$answer = 
 	    &Apache::loncommon::format_previous_attempt_value('submission',
 							      $answer);
+	return $answer;
     }
-    return $answer;
+    return &HTML::Entities::encode($answer, '"<>&');
 }
 
 #-- A couple of common js functions
@@ -2302,6 +2310,7 @@ sub submission {
     if ($env{'form.lastSub'} eq 'datesub') {
         my ($parts,$handgrade,$responseType) = &response_type($symb,\$res_error);
 	$request->print(&displaySubByDates($symb,\%record,$parts,$responseType,$checkIcon,$uname,$udom));
+  
     } 
     if ($env{'form.lastSub'} =~ /^(last|all)$/) {
         $request->print(&Apache::loncommon::get_previous_attempt($symb,$uname,$udom,