Yes, apparently the core handling of the accepted types parameters changed at some point to the effect that it stopped working in the dataform. So it's now a dataform issue and you can open a tracker issue in the Set: Dataform tracker.
Itamar Tzadok
Posts made by Itamar Tzadok
To begin with, use either number field or text field for number inputs. Suppose then that topic_duration is a number field. You can use a formula such as the following to display the field's content number multiplied by 2:
%%F:=[[topic_duration] ]*2%%(Remove redundant spaces between brackets)
See if you can make this work and we'll take it from there.
Yes, apparently the standard modules' description (intro) section is hardcoded to no XSS prevention and users must be trusted. This may be worthy of a tracker issue. Afaict right now the only way to resolve your issue is to either hack the code or require that user to increase the security level in the browser.
Is the trusted user inducing the problem a site administrator?
Make sure 'Enable trusted content' in Site administration -> Security -> Site policies is disabled, or deny the moodle/site:trustcontent capability (Capabilities/moodle/site:trustcontent) from the relevant roles (e.g. teacher). hth