added a comment - All get_string functions that need to be single-quote safe should call a single-quote-safe get_string function.
I've modified lib/ajax/ajaxlib.php as follows:
    /**
     * GT Mod 2009/01/13
     * Return language string that is single quote safe
     * Used to fix bug MDL-12268
     *
     * Takes the same arguments as get_string() so callers that pass a
     * module or an $a value still work. Only the single quote is escaped;
     * a backslash already present in the string is passed through as-is.
     */
    function get_string_js($identifier, $module='', $a=NULL) {
        $str = get_string($identifier, $module, $a);
        // escape the looked-up string, not the identifier
        $str = str_replace("'", "\\'", $str);
        return $str;
    }
    /**
     * Prints the JavaScript code needed to set up AJAX for the course.
     */
    function print_javascript($courseid, $return=false) {
        global $CFG, $USER;

        $blocksoutput = $output = '';
        for ($i=0; $i<count($this->blocks); $i++) {
            $blocksoutput .= "['".$this->blocks[$i][0]."',
                             '".$this->blocks[$i][1]."',
                             '".$this->blocks[$i][2]."']";

            if ($i != (count($this->blocks) - 1)) {
                $blocksoutput .= ',';
            }
        }
        $output .= "<script type=\"text/javascript\">\n";
        $output .= "    main.portal.id = ".$courseid.";\n";
        $output .= "    main.portal.blocks = new Array(".$blocksoutput.");\n";
        $output .= "    main.portal.strings['wwwroot']='".$CFG->wwwroot."';\n";
        $output .= "    main.portal.strings['pixpath']='".$CFG->pixpath."';\n";
        // language strings go through get_string_js() so an apostrophe in a
        // translation cannot terminate the single-quoted JavaScript literal
        $output .= "    main.portal.strings['marker']='".get_string_js('markthistopic', '', 'var')."';\n";
        $output .= "    main.portal.strings['marked']='".get_string_js('markedthistopic', '', 'var')."';\n";
        $output .= "    main.portal.strings['hide']='".get_string_js('hide')."';\n";
        $output .= "    main.portal.strings['hidesection']='".get_string_js('hidesection', '', 'var')."';\n";
        $output .= "    main.portal.strings['show']='".get_string_js('show')."';\n";
        $output .= "    main.portal.strings['delete']='".get_string_js('delete')."';\n";
        $output .= "    main.portal.strings['move']='".get_string_js('move')."';\n";
        $output .= "    main.portal.strings['movesection']='".get_string_js('movesection', '', 'var')."';\n";
        $output .= "    main.portal.strings['moveleft']='".get_string_js('moveleft')."';\n";
        $output .= "    main.portal.strings['moveright']='".get_string_js('moveright')."';\n";
        $output .= "    main.portal.strings['update']='".get_string_js('update')."';\n";
        $output .= "    main.portal.strings['groupsnone']='".get_string_js('groupsnone')."';\n";
        $output .= "    main.portal.strings['groupsseparate']='".get_string_js('groupsseparate')."';\n";
        $output .= "    main.portal.strings['groupsvisible']='".get_string_js('groupsvisible')."';\n";
        $output .= "    main.portal.strings['clicktochange']='".get_string_js('clicktochange')."';\n";
        $output .= "    main.portal.strings['deletecheck']='".get_string_js('deletecheck', '', 'var')."';\n";
        $output .= "    main.portal.strings['resource']='".get_string_js('resource')."';\n";
        $output .= "    main.portal.strings['activity']='".get_string_js('activity')."';\n";
        $output .= "    main.portal.strings['sesskey']='".$USER->sesskey."';\n";
        $output .= "    onloadobj.load();\n";
        $output .= "    main.process_blocks();\n";
        $output .= "</script>";
        if ($return) {
            return $output;
        } else {
            echo $output;
        }
    }
I think this javascript code is added by function print_javascript in lib/ajax/ajaxlib.php, which calls get_string to obtain messages in the custom language:
$output .= " main.portal.strings['moveleft']='".get_string('moveleft')."';\n";
Maybe addslashes() should be applied here to get_string, in order to escape any quotes?
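To see what the two approaches discussed in this thread (the single-quote str_replace in get_string_js above, and the addslashes() suggestion) still leave unescaped, here is an added stand-alone PHP example. It is not Moodle code: get_string() is replaced by a constructed lookup table of sample strings, and the names get_string_stub, get_string_js_quoteonly, get_string_js_addslashes, js_string_literal and render_comparison are all introduced here for the illustration.

```php
<?php
// Added example (not Moodle code): compares the single-quote replace used by
// get_string_js(), the addslashes() suggestion, and a complete JavaScript
// string-literal encoder, each applied to constructed sample language strings.

// Constructed sample strings standing in for get_string() lookups from a
// customised language pack. The last two are hostile, as anyone who can edit
// the lang pack (a translator, or an admin pasting a contributed pack) could supply.
$SAMPLE_STRINGS = array(
    'moveleft' => "Move left",
    // Apostrophe in a translation: the case MDL-12268 is about.
    'delete'   => "Supprimer l'activité",
    // Closing the <script> element: the HTML parser ends the script here,
    // before the JavaScript engine ever sees the string literal.
    'resource' => "Resource</script><script>alert(document.cookie)</script>",
    // U+2028 LINE SEPARATOR (UTF-8 bytes E2 80 A8): a line terminator inside a
    // JavaScript string literal in engines that follow ES5 and earlier.
    'activity' => "Activity\xE2\x80\xA8alert(1)",
);

// Stand-in for Moodle's get_string(): a plain array lookup.
function get_string_stub($identifier) {
    global $SAMPLE_STRINGS;
    return isset($SAMPLE_STRINGS[$identifier])
        ? $SAMPLE_STRINGS[$identifier]
        : '[[' . $identifier . ']]';
}

// Approach 1, the patch posted above: only the single quote is escaped.
function get_string_js_quoteonly($identifier) {
    return str_replace("'", "\\'", get_string_stub($identifier));
}

// Approach 2, the addslashes() suggestion: ' " \ and NUL are escaped,
// nothing else.
function get_string_js_addslashes($identifier) {
    return addslashes(get_string_stub($identifier));
}

// Approach 3: emit a complete JavaScript string literal with json_encode().
// It supplies the surrounding double quotes itself, escapes backslashes,
// quotes and control characters, \u-escapes every non-ASCII code point (so
// U+2028/U+2029 cannot terminate the literal), and with JSON_HEX_TAG turns
// < and > into \u003C and \u003E so "</script>" cannot close the enclosing
// <script> element regardless of how the literal is quoted.
function js_string_literal($value) {
    $literal = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($literal === false) {
        // Invalid UTF-8 in the lang pack: emit an empty literal rather than
        // letting the raw bytes through into the page.
        return '""';
    }
    return $literal;
}

// Render one sample the way print_javascript() does, one line per approach.
function render_comparison($identifier) {
    $lines = array();
    $lines[] = "quote-only : main.portal.strings['" . $identifier . "']='"
             . get_string_js_quoteonly($identifier) . "';";
    $lines[] = "addslashes : main.portal.strings['" . $identifier . "']='"
             . get_string_js_addslashes($identifier) . "';";
    // With json_encode the literal brings its own quotes; none are hand-written.
    $lines[] = "json_encode: main.portal.strings['" . $identifier . "']="
             . js_string_literal(get_string_stub($identifier)) . ";";
    return $lines;
}

foreach (array_keys($SAMPLE_STRINGS) as $identifier) {
    echo implode("\n", render_comparison($identifier)), "\n\n";
}
```

Run it with the php command-line binary. The quote-only and addslashes lines for 'resource' still carry a literal </script>, and their 'activity' lines still carry the raw U+2028 bytes, so in both cases the string literal can be closed early even though every apostrophe is now escaped; every json_encode line is a single well-formed literal. In print_javascript() terms the fix is to replace the `'".get_string(...)."'` pattern with `".js_string_literal(get_string(...))."` and drop the hand-written quotes; the same applies to $CFG->wwwroot, $CFG->pixpath and the block list, which the function interpolates in exactly the same way.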