Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-11884

Line 511 of mod/scorm/API.PHP does not escape single quotes

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.8.2
    • Fix Version/s: None
    • Component/s: SCORM
    • Labels:
      None
    • Environment:
      Windows Professional XP using IE or Firefox browsers
    • Database:
      MySQL
    • Affected Branches:
      MOODLE_18_STABLE

      Description

      When we ran our SCORM course using Moodle, we found that the file "api.php" does this with the value we submit:

      eval(element+'="'value'";');

      This means that it is not escaping single quotes which results in an invalid snippet being sent to "eval"

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                danmarsden Dan Marsden
                Reporter:
                dtalbott Doug Talbott
                Participants:
                Component watchers:
                Damyon Wiese, Dan Marsden, Matteo Scaramuccia, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: