--- locallib.php 2013-08-12 20:16:27.000000000 +0800
+++ locallib.php 2013-08-12 21:08:51.000000000 +0800
@@ -331,6 +331,11 @@
 $message->message = substr(trim($message->message), 4);
 }
+ // patch for xss vulnerability - matts@moodle.com
+ $messageescape=preg_replace('/\<(http|https):\/\/(.*)\>/','%%URL-\1://\2-URL%%',$message->message);
+ $messageescape=htmlspecialchars($messageescape);
+ $message->message=preg_replace('/%%URL-(http|https):\/\/(.*)-URL%%/','<\1://\2>',$messageescape);
+
 $messagecell->text.= format_text($message->message, FORMAT_MOODLE, array('para'=>false));
 $imagecell = new html_table_cell();
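Review bot: The `(.*)` capture in the first preg_replace is greedy and admits whitespace, so everything from the first `<http://` to the last `>` on the line is protected from escaping as one token and the third preg_replace re-wraps it in literal angle brackets; the restored token is therefore not guaranteed to be a bare URL and can contain space-separated attribute-like text, which the `htmlspecialchars` step never touches because only `<`, `>`, `&` and `"` are affected (and with no flags passed, single quotes are left alone and the charset is the PHP default). Unless `format_text` strips such constructs downstream, which this hunk does not show, that undermines the purpose of the patch, and it also mangles lines that carry two or more URLs. Restricting the capture to characters that cannot close or extend a tag keeps the round-trip to genuine URLs: `$messageescape=preg_replace('/\<(http|https):\/\/([^>\s]*)\>/','%%URL-\1://\2-URL%%',$message->message);`, `$messageescape=htmlspecialchars($messageescape, ENT_QUOTES, 'UTF-8');`, `$message->message=preg_replace('/%%URL-(http|https):\/\/([^>\s]*)-URL%%/','<\1://\2>',$messageescape);`. A short comment stating why the placeholder round-trip exists would also help, e.g. `// Escape all HTML, but preserve bare <http(s)://...> tokens so format_text can still render them as links.` The enclosing function starts before this hunk and continues after it.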