Moodle

Javascript strings not correctly scaped causes failure on some components

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.6, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7, 1.7.1
  • Fix Version/s: 1.8.7, 1.9.3, 2.0
  • Component/s: SCORM
  • Labels:
    None
  • Affected Branches:
    MOODLE_16_STABLE, MOODLE_17_STABLE
  • Fixed Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE, MOODLE_20_STABLE

Description

Proof of concept: put \' character in errorlogs string from scorm. Then try to put a scorm activity (you'll get a "no manifest found" error). See mod.html in scorm directory and the line result.concat('<?php print_string('errorlogs','scorm',NULL,"'") ?>:\n'+errorlogs);

If errorlogs has a ' in it causes a problem because the string within concat is prematurely closed.

I don't think putting a
before the \' in the language file is the best solution. Perhaps this strings are reused in another context... i don't know really :-P So here comes this report

Thanks in advance

Issue Links

This issue has a non-specific relationship to:
MDL-8193 Incorrect handling of quotes in SetValue processing Major Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Petr Škoda (skodak) added a comment -

Language packs are IMO ok, but we have to use our php function addslashes_js() in javascript code. Please not that addslashes() must not be used there because of sybase quotes.

Show
Petr Škoda (skodak) added a comment - Language packs are IMO ok, but we have to use our php function addslashes_js() in javascript code. Please not that addslashes() must not be used there because of sybase quotes.
Hide
Permalink
Juan Segarra Montesinos added a comment -

Thanks Petr for your quick response

I've made a mistake in the description. It was:

<?php print_string('errorlogs','scorm') ?>:\n'+errorlogs);

I'll patch my code now with your comments

Show
Juan Segarra Montesinos added a comment - Thanks Petr for your quick response I've made a mistake in the description. It was: <?php print_string('errorlogs','scorm') ?>:\n'+errorlogs); I'll patch my code now with your comments
Hide
Permalink
Martin Dougiamas added a comment -

Assigning to Sadiel for prioritising and fixing.

Show
Martin Dougiamas added a comment - Assigning to Sadiel for prioritising and fixing.
Hide
Permalink
Martin Dougiamas added a comment -

Assigning to Jesús Rincón to organise and start working on.

Show
Martin Dougiamas added a comment - Assigning to Jesús Rincón to organise and start working on.
Hide
Permalink
Martín Langhoff added a comment -

Indeed - looks like a case for addslashes_js() - Jonathan, when you have a minute, can you look into this?

Show
Martín Langhoff added a comment - Indeed - looks like a case for addslashes_js() - Jonathan, when you have a minute, can you look into this?
Hide
Permalink
Jesús Rincón added a comment -

I need the file weblib.php to be updated to have this bug completely fixed.

Show
Jesús Rincón added a comment - I need the file weblib.php to be updated to have this bug completely fixed.
Hide
Permalink
Jesús Rincón added a comment -

I need the file weblib.php to be updated to have this bug completely fixed.

Show
Jesús Rincón added a comment - I need the file weblib.php to be updated to have this bug completely fixed.
Hide
Permalink
Dan Marsden added a comment -

this should now be fixed as part of MDL-8193 - please upgrade to the latest 1.9stable or 1.8stable.

thanks,

Dan

Show
Dan Marsden added a comment - this should now be fixed as part of MDL-8193 - please upgrade to the latest 1.9stable or 1.8stable. thanks, Dan

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.5#665-sha1:422aead) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.