From dac958fc1bac696b4aaf939e3b9195703c5c3218 Mon Sep 17 00:00:00 2001 From: piers Date: Wed, 6 Aug 2008 21:11:35 +0000 Subject: [PATCH] MDL-8193 Incorrect handling of quotes in SetValue processing - recoded so that it escapes all values passed from tracks. --- mod/scorm/api.php | 14 ++++++++------ mod/scorm/datamodels/scorm_12.js.php | 2 +- mod/scorm/datamodels/scorm_13.js.php | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/mod/scorm/api.php b/mod/scorm/api.php index 0f59a67825..3d6c70b601 100644 --- a/mod/scorm/api.php +++ b/mod/scorm/api.php @@ -34,10 +34,12 @@ } require_login($course->id, false, $cm); - - if ($usertrack=scorm_get_tracks($scoid,$USER->id,$attempt)) { + + if ($usertrack = scorm_get_tracks($scoid,$USER->id,$attempt)) { if ((isset($usertrack->{'cmi.exit'}) && ($usertrack->{'cmi.exit'} != 'time-out')) || ($scorm->version != "SCORM_1.3")) { - $userdata = $usertrack; + foreach ($usertrack as $key => $value) { + $userdata->$key = addslashes_js($value); + } } else { $userdata->status = ''; $userdata->score_raw = ''; @@ -46,8 +48,8 @@ $userdata->status = ''; $userdata->score_raw = ''; } - $userdata->student_id = $USER->username; - $userdata->student_name = $USER->lastname .', '. $USER->firstname; + $userdata->student_id = addslashes_js($USER->username); + $userdata->student_name = addslashes_js($USER->lastname .', '. $USER->firstname); $userdata->mode = 'normal'; if (isset($mode)) { $userdata->mode = $mode; @@ -59,7 +61,7 @@ } if ($scodatas = scorm_get_sco($scoid, SCO_DATA)) { foreach ($scodatas as $key => $value) { - $userdata->$key = $value; + $userdata->$key = addslashes_js($value); } } else { print_error('cannotfindsco', 'scorm'); diff --git a/mod/scorm/datamodels/scorm_12.js.php b/mod/scorm/datamodels/scorm_12.js.php index fe0daf7653..da50697636 100644 --- a/mod/scorm/datamodels/scorm_12.js.php +++ b/mod/scorm/datamodels/scorm_12.js.php @@ -53,7 +53,7 @@ function SCORMapi1_2() { 'cmi._version':{'defaultvalue':'3.4', 'mod':'r', 'writeerror':'402'}, 'cmi.core._children':{'defaultvalue':core_children, 'mod':'r', 'writeerror':'402'}, 'cmi.core.student_id':{'defaultvalue':'student_id ?>', 'mod':'r', 'writeerror':'403'}, - 'cmi.core.student_name':{'defaultvalue':'student_name) ?>', 'mod':'r', 'writeerror':'403'}, + 'cmi.core.student_name':{'defaultvalue':'student_name ?>', 'mod':'r', 'writeerror':'403'}, 'cmi.core.lesson_location':{'defaultvalue':'{'cmi.core.lesson_location'})?$userdata->{'cmi.core.lesson_location'}:'' ?>', 'format':CMIString256, 'mod':'rw', 'writeerror':'405'}, 'cmi.core.credit':{'defaultvalue':'credit ?>', 'mod':'r', 'writeerror':'403'}, 'cmi.core.lesson_status':{'defaultvalue':'{'cmi.core.lesson_status'})?$userdata->{'cmi.core.lesson_status'}:'' ?>', 'format':CMIStatus, 'mod':'rw', 'writeerror':'405'}, diff --git a/mod/scorm/datamodels/scorm_13.js.php b/mod/scorm/datamodels/scorm_13.js.php index 957a8864a9..4545c24f05 100644 --- a/mod/scorm/datamodels/scorm_13.js.php +++ b/mod/scorm/datamodels/scorm_13.js.php @@ -138,7 +138,7 @@ function SCORMapi1_3() { 'cmi.interactions.n.description':{'pattern':CMIIndex, 'format':CMILangString250, 'mod':'rw'}, 'cmi.launch_data':{'defaultvalue':datafromlms)?'\''.$userdata->datafromlms.'\'':'null' ?>, 'mod':'r'}, 'cmi.learner_id':{'defaultvalue':'student_id ?>', 'mod':'r'}, - 'cmi.learner_name':{'defaultvalue':'student_name) ?>', 'mod':'r'}, + 'cmi.learner_name':{'defaultvalue':'student_name ?>', 'mod':'r'}, 'cmi.learner_preference._children':{'defaultvalue':student_preference_children, 'mod':'r'}, 'cmi.learner_preference.audio_level':{'defaultvalue':'1', 'format':CMIDecimal, 'range':audio_range, 'mod':'rw'}, 'cmi.learner_preference.language':{'defaultvalue':'', 'format':CMILang, 'mod':'rw'}, -- 2.39.5