Moodle: MDL-79994

Remove some instances of unnecessary raw content in Mustache templates


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • None
    • 4.1.6, 4.2.3, 4.3
    • General
    • MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE

      We received some reports of a few areas where triple bracing (raw) is used instead of double bracing (escaped) in some Mustache templates. I've verified that XSS risk flagged capabilities are required to use these specific instances, so there is no additional security risk presented by them. However, executing JS would be unexpected and unnecessary behaviour in these locations, so we should remove one set of braces to escape the content.

      course\templates\bulkactivitycompletion.mustache

      Line 67, the name param passed into checkallsection string for the aria-label should be escaped.

      To test:

      1. Go to course page and edit one section's name to:

        " autofocus onfocus="alert(1)

      2. Go to More > Course completion.
      3. Choose Bulk edit activity completion in the dropdown
      4. Without being patched, an alert will be displayed.

      group\templates\group_details.mustache

      Line 45, the name parameter (referenced multiple times) in the grouppicture image.

      To test:

      1. Go to the Participant page under a course.
      2. Choose Groups in the select.
      3. Create a group and name it to:

        A" onload="alert(1)

      4. Fill in description and picture.
      5. Click the Save changes button.
      6. Choose the group just created in the Group select, and click Add/remove users button.
      7. Without being patched, an alert will be displayed.

      blocks\recentlyaccesseditems\templates\view-cards.mustache

      Line 45, the name parameter in the anchor tag (where the href is viewurl).

      To test:

      1. Ensure you have the recently accessed items block enabled on your dashboard.
      2. Go to course page, enter edit mode and create an assignment with the name:

        A" onclick="alert(1)

      3. Click the assignment to open it (so that it has been recently accessed).
      4. Go to dashboard page.
      5. Open the block drawer, and click the assignment on the right-side column.
      6. Without being patched, an alert will be displayed.
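Added example (not Moodle's Mustache_Engine, core/templates, or the templates named above): a minimal Mustache-style substitution that shows why dropping one set of braces is the fix for all three cases. The template strings are constructed stand-ins for the aria-label line, the section name is the payload from the first test case, html.escape stands in for the renderer's own escaping (its exact escape set is not on this page), and the HTML parser shows which attributes a browser would actually see in each rendering. It also carries a small audit helper that lists raw outputs in a template; that goes one step beyond the report by covering Mustache's `{{& x}}` unescaped form as well as `{{{x}}}`.

```python
import html
import re
from html.parser import HTMLParser

# Added example, not Moodle's renderer: a Mustache-style variable substitution
# that keeps only the distinction this report turns on. {{{name}}} and
# {{& name}} insert the value raw; {{name}} HTML-escapes it. html.escape is a
# stand-in for the real renderer's escaping (assumption: exact escape set not on the page).
VAR = re.compile(
    r"\{\{\{\s*(\w+)\s*\}\}\}"   # {{{name}}}  raw
    r"|\{\{&\s*(\w+)\s*\}\}"     # {{& name}}  raw, Mustache's other unescaped form
    r"|\{\{\s*(\w+)\s*\}\}"      # {{name}}    HTML-escaped
)


def render(template: str, context: dict) -> str:
    """Substitute variables from context, escaping only the double-braced ones."""
    def substitute(match):
        raw_name = match.group(1) or match.group(2)
        if raw_name is not None:
            return str(context.get(raw_name, ""))
        return html.escape(str(context.get(match.group(3), "")), quote=True)
    return VAR.sub(substitute, template)


def find_raw_variables(template: str) -> list:
    """Audit helper: names output without escaping ({{{x}}} or {{& x}}) in a template."""
    return [m.group(1) or m.group(2) for m in VAR.finditer(template) if m.group(3) is None]


class _AttrCollector(HTMLParser):
    """Collect the attributes a browser would see on the first tag of the markup."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def attributes_of(markup: str) -> dict:
    """Parse rendered markup and return the first tag's attributes (values unescaped)."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def injected_handlers(markup: str) -> list:
    """Event-handler (on*) attributes present after rendering; empty means the name stayed inside its attribute."""
    return sorted(k for k in attributes_of(markup) if k.startswith("on"))


# Constructed stand-ins for the aria-label line in bulkactivitycompletion.mustache
# before and after the fix (the real template text is not reproduced here).
RAW_TEMPLATE = '<input type="checkbox" aria-label="Check all for section {{{name}}}">'
ESCAPED_TEMPLATE = '<input type="checkbox" aria-label="Check all for section {{name}}">'

# The section name from the first test case in the report.
SECTION_NAME = '" autofocus onfocus="alert(1)'

if __name__ == "__main__":
    for label, template in (("raw", RAW_TEMPLATE), ("escaped", ESCAPED_TEMPLATE)):
        rendered = render(template, {"name": SECTION_NAME})
        print(f"{label}: {rendered}")
        print(f"  raw variables in template: {find_raw_variables(template)}")
        print(f"  handlers seen by the parser: {injected_handlers(rendered)}")
```

With the raw template the parser reports `autofocus` and `onfocus` as attributes of the input, because the quote in the section name closed `aria-label` early; with the escaped template the whole name lands inside `aria-label` and no handler attribute exists. `find_raw_variables` can be run over each `.mustache` file to list the places where a raw output needs a justification.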

            Assignee: Unassigned
            Reporter: Michael Hawkins (michaelh)