--- loncom/interface/lonparmset.pm	2007/10/05 17:56:29	1.376.2.1
+++ loncom/interface/lonparmset.pm	2007/09/03 15:34:12	1.379
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set parameters for assessments
 #
-# $Id: lonparmset.pm,v 1.376.2.1 2007/10/05 17:56:29 albertel Exp $
+# $Id: lonparmset.pm,v 1.379 2007/09/03 15:34:12 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -577,6 +577,7 @@ sub valout {
 		&date_sanity_info($value);
         } else {
             $result = $value;
+	    $result = &HTML::Entities::encode($result,'"<>&');
         }
     }
     return $result;
@@ -613,10 +614,16 @@ sub plink {
     my ($parmname)=((split(/\&/,$marker))[1]=~/\_([^\_]+)$/);
     my ($hour,$min,$sec,$val)=&preset_defaults($parmname);
     unless (defined($winvalue)) { $winvalue=$val; }
+    my $valout = &valout($value,$type,1);
+    foreach my $item (\$type, \$dis, \$winvalue, \$marker, \$return, \$call,
+		      \$hour, \$min, \$sec) {
+	$$item = &HTML::Entities::encode($$item,'"<>&');
+	$$item =~ s/\'/\\\'/g;
+    }
     return '<table width="100%"><tr valign="top" align="right"><td><a name="'.$marker.'" /></td></tr><tr><td align="center">'.
 	'<a href="javascript:pjump('."'".$type."','".$dis."','".$winvalue."','"
 	    .$marker."','".$return."','".$call."','".$hour."','".$min."','".$sec."'".');">'.
-		&valout($value,$type,1).'</a></td></tr></table>';
+	    $valout.'</a></td></tr></table>';
 }
 
 sub page_js {
@@ -1594,7 +1601,8 @@ sub assessparms {
     foreach ('tolerance','date_default','date_start','date_end',
 	     'date_interval','int','float','string') {
 	$r->print('<input type="hidden" value="'.
-		  $env{'form.recent_'.$_}.'" name="recent_'.$_.'" />');
+		  &HTML::Entities::encode($env{'form.recent_'.$_},'"&<>').
+		  '" name="recent_'.$_.'" />');
     }
                         
     if (!$pssymb) {
@@ -2211,11 +2219,11 @@ Use * to allow unrestricted cloning in a
              'pageseparators'  => '<b>'.&mt('Visibly Separate Items on Pages').'</b><br />'.
                                  '('.&mt('"[_1]" for visible separation','<tt>yes</tt>').', '.
                                  &mt('changes will not show until next login').')',
-             'student_classlist_view' => '<b>'.&mt('Allow students to view classlist.').'</b>'.&mt('("all":students can view all sections,"section":students can only view their own section.blank or "disabled" prevents student view.'),
+             'student_classlist_view' => '<b>'.&mt('Allow students to view classlist.').'</b><br />'.&mt('("all":students can view all sections,"section":students can only view their own section.blank or "disabled" prevents student view.)'),
              'student_classlist_portfiles' => '<b>'.&mt('Include link to accessible portfolio files').'</b><br />'.&mt('"[_1]" for link to each a listing of each student\'s files.','<tt>yes</tt>'),
              'student_classlist_opt_in' => '<b>'.&mt("Student's agreement needed for listing in student-viewable roster").'</b><br />'.&mt('"[_1]" to require students to opt-in to listing in the roster (on the roster page).','<tt>yes</tt>'),
              'plc.roles.denied'=> '<b>'.&mt('Disallow live chatroom use for Roles').
-                                  '</b><br />"<tt>st</tt>": '.
+                                  '</b><br />("<tt>st</tt>": '.
                                   &mt('student').', "<tt>ta</tt>": '.
                                   'TA, "<tt>in</tt>": '.
                                   &mt('instructor').';<br /><tt>'.&mt('role,role,...').'</tt>) '.
@@ -2225,7 +2233,7 @@ Use * to allow unrestricted cloning in a
                                  '(<tt>user:domain,user:domain,...</tt>)',
 
              'pch.roles.denied'=> '<b>'.&mt('Disallow Resource Discussion for Roles').
-                                  '</b><br />"<tt>st</tt>": '.
+                                  '</b><br />("<tt>st</tt>": '.
                                   'student, "<tt>ta</tt>": '.
                                   'TA, "<tt>in</tt>": '.
                                   'instructor;<br /><tt>role,role,...</tt>) '.
@@ -3074,14 +3082,14 @@ where $action is add or drop, and $clone
 user for whom cloning ability is to be changed in course. 
 
 =cut
-
+                                                                                            
 ##################################################
 ##################################################
 
 sub extract_cloners {
     my ($clonelist,$allowclone) = @_;
     if ($clonelist =~ /,/) {
-        @{$allowclone} = split(/,/,$clonelist);
+        @{$allowclone} = split/,/,$clonelist;
     } else {
         $$allowclone[0] = $clonelist;
     }
@@ -3093,14 +3101,15 @@ sub check_cloners {
     my @allowclone = ();
     &extract_cloners($$clonelist,\@allowclone);
     foreach my $currclone (@allowclone) {
-        if (!grep(/^\Q$currclone\E$/,@$oldcloner)) {
+        if (!grep/^\Q$currclone\E$/,@$oldcloner) {
             if ($currclone eq '*') {
                 $clean_clonelist .= $currclone.',';
             } else {
                 my ($uname,$udom) = split(/:/,$currclone);
                 if ($uname eq '*') {
                     if ($udom =~ /^$match_domain$/) {
-                        if (!&Apache::lonnet::domain($udom)) {
+                        my @alldoms = &Apache::lonnet::all_domains();
+                        if (!grep(/^\Q$udom\E$/,@alldoms)) {
                             $disallowed{'domain'} .= $currclone.',';
                         } else {
                             $clean_clonelist .= $currclone.',';
@@ -3143,9 +3152,9 @@ sub change_clone {
         my @allowclone;
         &extract_cloners($clonelist,\@allowclone);
         foreach my $currclone (@allowclone) {
-            if (!grep(/^$currclone$/,@$oldcloner)) {
+            if (!grep/^$currclone$/,@$oldcloner) {
                 if ($currclone ne '*') {
-                    ($uname,$udom) = split(/:/,$currclone);
+                    ($uname,$udom) = split/:/,$currclone;
                     if ($uname && $udom && $uname ne '*') {
                         if (&Apache::lonnet::homeserver($uname,$udom) ne 'no_host') {
                             my %currclonecrs = &Apache::lonnet::dump('environment',$udom,$uname,'cloneable');
@@ -3163,9 +3172,9 @@ sub change_clone {
             }
         }
         foreach my $oldclone (@$oldcloner) {
-            if (!grep(/^\Q$oldclone\E$/,@allowclone)) {
+            if (!grep/^$oldclone$/,@allowclone) {
                 if ($oldclone ne '*') {
-                    ($uname,$udom) = split(/:/,$oldclone);
+                    ($uname,$udom) = split/:/,$oldclone;
                     if ($uname && $udom && $uname ne '*' ) {
                         if (&Apache::lonnet::homeserver($uname,$udom) ne 'no_host') {
                             my %currclonecrs = &Apache::lonnet::dump('environment',$udom,$uname,'cloneable');