Moodle

  html entity is printed litteraly in Javascript alert windows

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9
  • Fix Version/s: 1.9.1
  • Component/s: Accessibility, Language
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE

Description

When a string containing a   entity is displayed by Javascript in an alert window, the entity is not interpreted, but written litteraly.

Example (occuring when taking a quiz attempt with a time limit, in french language):

$string['confirmstarttimelimit'] = 'Le temps pour effectuer ce test est limité. Voulez-vous vraiment le commencer ?' (quiz.php in french language pack)

  • function addslashes_js($strconfirmstartattempt) is called in /mod/quiz/accessrules.php (line 684)
  • var $strconfirmstartattempt is defined by calling print_start_attempt_button() (line 204)
  • function confirm_start_attempt_message () is called by print_start_attempt_button()
  • function getstring is called by confirm_start_attempt_message() (line 319)

This could maybe be fixed by calling html_entity_decode() on the string before addslashes_js().

Issue Links

This issue has a non-specific relationship to:
MDL-13975 p() and s() should not be used to print lang strings Minor Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Nicolas Martignoni added a comment -

For PHP before 4.3.0, one could use (see http://ch2.php.net/manual/fr/function.html-entity-decode.php):

function html_entity_decode_php4 ($string)
{
// Replaces numerical entities
$string = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("
1"))', $string);
$string = preg_replace('~&#([0-9]+);~e', 'chr("
1")', $string);
// Replaces litteral entities
$trans_tbl = get_html_translation_table (HTML_ENTITIES);
$trans_tbl = array_flip ($trans_tbl);
return strtr ($string, $trans_tbl);
}

Show
Nicolas Martignoni added a comment - For PHP before 4.3.0, one could use (see http://ch2.php.net/manual/fr/function.html-entity-decode.php): function html_entity_decode_php4 ($string) { // Replaces numerical entities $string = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("
1"))', $string); $string = preg_replace('~&#([0-9]+);~e', 'chr("
1")', $string); // Replaces litteral entities $trans_tbl = get_html_translation_table (HTML_ENTITIES); $trans_tbl = array_flip ($trans_tbl); return strtr ($string, $trans_tbl); }
Hide
Permalink
Eloy Lafuente (stronk7) added a comment -

I think we could use safely the html_entity_decode() function, because PHP 4.3.0 is required for Moodle 1.9.

Just one comment, I'd make some tests with the 3rd parameter in the function (encoding), because perhaps it's necessary to specify the UTF-8 if the string contains UTF-8 chars (try it with some non-iso chars in the string, like Chinese or so) to avoid getting broken strings (haven't tested it here).

Assigning to Mathieu... TIA and ciao

Show
Eloy Lafuente (stronk7) added a comment - I think we could use safely the html_entity_decode() function, because PHP 4.3.0 is required for Moodle 1.9. Just one comment, I'd make some tests with the 3rd parameter in the function (encoding), because perhaps it's necessary to specify the UTF-8 if the string contains UTF-8 chars (try it with some non-iso chars in the string, like Chinese or so) to avoid getting broken strings (haven't tested it here). Assigning to Mathieu... TIA and ciao
Hide
Permalink
Mathieu Petit-Clair added a comment -

Ok, had a look ..

Note : function addslashes_js is called from mod/quiz/view.php, line 427. There is no mod/quiz/accessrules.php in 1.9 (there is one in head, though)

The problem happens because print_single_button (in lib/weblib.php) calls s() (line 4203), which calls htmlspecialchars, on the javascript confirm message. This makes the string get encoded twice. Any idea why this is necessary? Either the message is already encoded, or it's not : I don't think de-encoding it is the proper solution .. I would much rather prevent the call from happening twice.

Hmm.. after a bit more testing, I did in quick regexp-powered search through moodle core and found that this call to print_single_button is the only one using the javascript confirmation. And finally, removing the call to addslashes_js prevent the double-encoding, but it doesn't make the   show up as a space.

Show
Mathieu Petit-Clair added a comment - Ok, had a look .. Note : function addslashes_js is called from mod/quiz/view.php, line 427. There is no mod/quiz/accessrules.php in 1.9 (there is one in head, though) The problem happens because print_single_button (in lib/weblib.php) calls s() (line 4203), which calls htmlspecialchars, on the javascript confirm message. This makes the string get encoded twice. Any idea why this is necessary? Either the message is already encoded, or it's not : I don't think de-encoding it is the proper solution .. I would much rather prevent the call from happening twice. Hmm.. after a bit more testing, I did in quick regexp-powered search through moodle core and found that this call to print_single_button is the only one using the javascript confirmation. And finally, removing the call to addslashes_js prevent the double-encoding, but it doesn't make the   show up as a space.
Hide
Permalink
Mathieu Petit-Clair added a comment -

Ok, removing the call to s() fixes the problem.

Show
Mathieu Petit-Clair added a comment - Ok, removing the call to s() fixes the problem.
Hide
Permalink
Nicolas Martignoni added a comment -

So it's related to MDL-13975 (and maybe a dupe).

Thanks for the quick fix.

Show
Nicolas Martignoni added a comment - So it's related to MDL-13975 (and maybe a dupe). Thanks for the quick fix.
Hide
Permalink
Nicolas Martignoni added a comment -

Verified, closing.

Show
Nicolas Martignoni added a comment - Verified, closing.

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.