  1. Moodle
  2. MDL-12857

eval() quote escaping

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 1.8, 1.8.1, 1.8.2, 1.8.3
    • Fix Version/s: None
    • Component/s: SCORM
    • Labels:
      None
    • Environment:
      JavaScript 1.5
    • Database:
      MySQL
    • Affected Branches:
      MOODLE_18_STABLE

      Description

      With my SCORM 2004 content I get a missing semi-colon error for line 511 of /mod/scorm/api.php:

      eval(element+'="'+value+'";');

      Debugging shows that:

      element = "cmi.interactions.N10.description"
      value = "Which symbol in the schematic diagram represents the following component?<br/><br/><img src=\"Images/capture_03.jpg\" alt=\"Component.\" title=\"Component.\" width=\"247\" height=\"126\"/>"
      (internal quotes are escaped due to Script Editor)

      The field in question is a localized_string, which permits single and double quotes. So the value parameter should have been escaped prior to calling eval().

      Could this be done a better way? eval() is generally a bad thing.

      Note: This pattern occurs in more than one place within api.php
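The failure described in this report and an eval-free way to make the same assignment, as an added example that is not code from the report or from Moodle's api.php. The model object, the function names and the shortened sample value are constructed for illustration; the last function shows JSON.stringify quoting for places where eval cannot be removed.

```javascript
// Constructed sample data modelled on the values quoted in the report.
const element = 'cmi.interactions.N10.description';
const value = 'Which symbol?<br/><img src="Images/capture_03.jpg" alt="Component."/>';

// Hypothetical stand-in for the SCORM data model object.
function newModel() {
  return { cmi: { interactions: { N10: { description: '' } } } };
}

// Reported pattern: the value is spliced into source text, so the first
// double quote inside it ends the string literal and the rest is parsed as code.
function setWithEval(model, element, value) {
  const cmi = model.cmi; // direct eval resolves `cmi` from this scope
  try {
    eval(element + '="' + value + '";');
    return 'ok';
  } catch (e) {
    return e.name; // SyntaxError for the sample value
  }
}

// Without eval: walk the dotted path and assign. The value is only ever data.
// Path segments that reach the prototype chain are rejected.
const BLOCKED = new Set(['__proto__', 'prototype', 'constructor']);
function setByPath(model, element, value) {
  const parts = element.split('.');
  if (parts.some((p) => p === '' || BLOCKED.has(p))) {
    throw new Error('invalid element name: ' + element);
  }
  const last = parts.pop();
  let node = model;
  for (const p of parts) {
    if (!Object.prototype.hasOwnProperty.call(node, p)) node[p] = {};
    node = node[p];
  }
  node[last] = value;
  return model;
}

// If eval has to stay, JSON.stringify yields a correctly escaped string literal.
// The element name is still evaluated as code and must be validated separately.
function setWithQuotedEval(model, element, value) {
  const cmi = model.cmi;
  eval(element + '=' + JSON.stringify(value) + ';');
  return model;
}
```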

              People

              • Assignee:
                danmarsden Dan Marsden
                Reporter:
                pinkduck Peter Chamberlin
                Participants:
                Component watchers:
                Damyon Wiese, Dan Marsden, Matteo Scaramuccia, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias