Properly escape 'character in lti variables (name, context, etc)
 - Full name of actor could not contain an ' character
torinfo committed Apr 1, 2024
1 parent 880aa20 commit 56de93b
Showing 2 changed files with 33 additions and 24 deletions.
20 changes: 13 additions & 7 deletions modules/site/play.php
Expand Up @@ -77,6 +77,12 @@ function fix_filelocation_path($path, $replacement) {
return $path;
}

function escape_javascript($string)
{
return str_replace(array("\r", "\n"), array('\r', '\n'), addslashes($string));
}


function show_template($row, $xapi_enabled=false){
global $xerte_toolkits_site;
global $youtube_api_key;
Expand Down Expand Up @@ -191,7 +197,7 @@ function show_template($row, $xapi_enabled=false){
if (isset($lti_enabled) && $lti_enabled && $row["tsugi_published"] == 1) {
_debug("LTI User detected: " . print_r($xerte_toolkits_site->lti_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->lti_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->lti_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->lti_user->displayname) . "';\n";
$xapi_student_id_mode = $row['tsugi_xapi_student_id_mode'];
if (true_or_false($xerte_toolkits_site->xapi_force_anonymous_lrs)) {
if ($xapi_student_id_mode == 0 || $xapi_student_id_mode == 2)
Expand All @@ -212,7 +218,7 @@ function show_template($row, $xapi_enabled=false){
// actor is set
_debug("xAPI User detected: " . print_r($xerte_toolkits_site->xapi_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->xapi_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->xapi_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->xapi_user->displayname) . "';\n";
if (true_or_false($xerte_toolkits_site->xapi_force_anonymous_lrs))
{
$tracking .= " var mboxsha1 = '" . sha1("mailto:" . $xerte_toolkits_site->lti_user->email) . "';\n";
Expand All @@ -228,23 +234,23 @@ function show_template($row, $xapi_enabled=false){
}
if (isset($xerte_toolkits_site->group))
{
$tracking .= " var groupname = '" . str_replace("'", "\'", $xerte_toolkits_site->group) . "';\n";
$tracking .= " var groupname = '" . escape_javascript($xerte_toolkits_site->group) . "';\n";
}
if (isset($xerte_toolkits_site->course))
{
$tracking .= " var coursename = '" . str_replace("'", "\'", $xerte_toolkits_site->course) . "';\n";
$tracking .= " var coursename = '" . escape_javascript($xerte_toolkits_site->course) . "';\n";
}
if (isset($xerte_toolkits_site->module))
{
$tracking .= " var modulename = '" . str_replace("'", "\'", $xerte_toolkits_site->module) . "';\n";
$tracking .= " var modulename = '" . escape_javascript($xerte_toolkits_site->module) . "';\n";
}
if (isset($xerte_toolkits_site->lti_context_id))
{
$tracking .= " var lti_context_id = '" . str_replace("'", "\'", $xerte_toolkits_site->lti_context_id) . "';\n";
$tracking .= " var lti_context_id = '" . escape_javascript($xerte_toolkits_site->lti_context_id) . "';\n";
}
if (isset($xerte_toolkits_site->lti_context_name))
{
$tracking .= " var lti_context_name = '" . str_replace("'", "\'", $xerte_toolkits_site->lti_context_name) . "';\n";
$tracking .= " var lti_context_name = '" . escape_javascript($xerte_toolkits_site->lti_context_name) . "';\n";
}
}
$tracking .= "</script>\n";
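Review bot: The new escape_javascript (L20–L23) neutralises quotes, backslashes and line breaks but not `<` and `>`, and its output is written inside a `<script>` element that this same function closes with `</script>` (L75), so a display name, course name or LTI context name containing `</script>` still ends the script element in the HTML parser before the JavaScript parser ever sees the backslashes — addslashes is a quote escaper, not a script-context escaper. Hex-escaping the angle brackets inside the string literal closes that path without changing the call sites: `return str_replace(array("\r", "\n", "<", ">"), array('\r', '\n', '\x3c', '\x3e'), addslashes($string));`. The surrounding hunks also still interpolate `$xerte_toolkits_site->lti_user->email` and `xapi_user->email` raw into `var username = '...'` (L32, L41); those values appear to come from the same launch data as displayname and deserve the same treatment. show_template's body begins and ends outside these hunks.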
37 changes: 20 additions & 17 deletions modules/xerte/play.php
Expand Up @@ -32,6 +32,11 @@
// (pl)
// Set up the preview window for a xerte piece

function escape_javascript($string)
{
return str_replace(array("\r", "\n"), array('\r', '\n'), addslashes($string));
}

function show_template_page($row, $datafile="", $xapi_enabled = false)
{
global $xerte_toolkits_site;
Expand Down Expand Up @@ -175,7 +180,7 @@ function show_template_page($row, $datafile="", $xapi_enabled = false)
if (isset($lti_enabled) && $lti_enabled && $row["tsugi_published"] == 1) {
_debug("LTI User detected: " . print_r($xerte_toolkits_site->lti_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->lti_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->lti_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->lti_user->displayname) . "';\n";
$xapi_student_id_mode = $row['tsugi_xapi_student_id_mode'];
if (true_or_false($xerte_toolkits_site->xapi_force_anonymous_lrs)) {
if ($xapi_student_id_mode == 0 || $xapi_student_id_mode == 2)
Expand All @@ -196,7 +201,7 @@ function show_template_page($row, $datafile="", $xapi_enabled = false)
// actor is set
_debug("xAPI User detected: " . print_r($xerte_toolkits_site->xapi_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->xapi_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->xapi_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->xapi_user->displayname) . "';\n";
if (true_or_false($xerte_toolkits_site->xapi_force_anonymous_lrs))
{
$tracking .= " var mboxsha1 = '" . sha1("mailto:" . $xerte_toolkits_site->lti_user->email) . "';\n";
Expand All @@ -212,15 +217,15 @@ function show_template_page($row, $datafile="", $xapi_enabled = false)
}
if (isset($xerte_toolkits_site->group))
{
$tracking .= " var groupname = '" . $xerte_toolkits_site->group . "';\n";
$tracking .= " var groupname = '" . escape_javascript($xerte_toolkits_site->group) . "';\n";
}
if (isset($xerte_toolkits_site->course))
{
$tracking .= " var coursename = '" . $xerte_toolkits_site->course . "';\n";
$tracking .= " var coursename = '" . escape_javascript($xerte_toolkits_site->course) . "';\n";
}
if (isset($xerte_toolkits_site->module))
{
$tracking .= " var modulename = '" . $xerte_toolkits_site->module . "';\n";
$tracking .= " var modulename = '" . escape_javascript($xerte_toolkits_site->module) . "';\n";
}
}
$tracking .= "</script>\n";
Expand Down Expand Up @@ -350,12 +355,9 @@ function show_template_page($row, $datafile="", $xapi_enabled = false)
if (isset($lti_enabled) && $lti_enabled && $row["tsugi_published"] == 1) {
_debug("LTI User detected: " . print_r($xerte_toolkits_site->lti_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->lti_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->lti_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->lti_user->displayname) . "';\n";
$tracking .= " var studentidmode = '" . $row['tsugi_xapi_student_id_mode'] . "';\n";
if ($row['tsugi_xapi_student_id_mode'] == 1)
{
$tracking .= " var mboxsha1 = '" . sha1("mailto:" . $xerte_toolkits_site->lti_user->email) . "';\n";
}
$tracking .= " var mboxsha1 = '" . sha1("mailto:" . $xerte_toolkits_site->lti_user->email) . "';\n";
}
else
{
Expand All @@ -365,36 +367,37 @@ function show_template_page($row, $datafile="", $xapi_enabled = false)
// actor is set
_debug("xAPI User detected: " . print_r($xerte_toolkits_site->xapi_user, true));
$tracking .= " var username = '" . $xerte_toolkits_site->xapi_user->email . "';\n";
$tracking .= " var fullusername = '" . $xerte_toolkits_site->xapi_user->displayname . "';\n";
$tracking .= " var fullusername = '" . escape_javascript($xerte_toolkits_site->xapi_user->displayname) . "';\n";
$tracking .= " var studentidmode = " . $xerte_toolkits_site->xapi_user->studentidmode . ";\n";
$tracking .= " var mboxsha1 = '" . sha1("mailto:" . $xerte_toolkits_site->lti_user->email) . "';\n";
}
else {
$tracking .= " var studentidmode = 3;\n";
}
}
if (isset($xerte_toolkits_site->group))
{
$tracking .= " var groupname = '" . str_replace("'", "\'", $xerte_toolkits_site->group) . "';\n";
$tracking .= " var groupname = '" . escape_javascript($xerte_toolkits_site->group) . "';\n";
}
if (isset($xerte_toolkits_site->course))
{
$tracking .= " var coursename = '" . str_replace("'", "\'", $xerte_toolkits_site->course) . "';\n";
$tracking .= " var coursename = '" . escape_javascript($xerte_toolkits_site->course) . "';\n";
}
if (isset($xerte_toolkits_site->module))
{
$tracking .= " var modulename = '" . str_replace("'", "\'", $xerte_toolkits_site->module) . "';\n";
$tracking .= " var modulename = '" . escape_javascript($xerte_toolkits_site->module) . "';\n";
}
if (isset($xerte_toolkits_site->lti_context_id))
{
$tracking .= " var lti_context_id = '" . str_replace("'", "\'", $xerte_toolkits_site->lti_context_id) . "';\n";
$tracking .= " var lti_context_id = '" . escape_javascript($xerte_toolkits_site->lti_context_id) . "';\n";
}
if (isset($xerte_toolkits_site->lti_context_name))
{
$tracking .= " var lti_context_name = '" . str_replace("'", "\'", $xerte_toolkits_site->lti_context_name) . "';\n";
$tracking .= " var lti_context_name = '" . escape_javascript($xerte_toolkits_site->lti_context_name) . "';\n";
}
if (isset($xerte_toolkits_site->lti_users))
{
$tracking .= " var lti_users = '" . str_replace("'", "\'", implode(",",$xerte_toolkits_site->lti_users)) . "';\n";
$tracking .= " var lti_users = '" . escape_javascript(implode(",",$xerte_toolkits_site->lti_users)) . "';\n";
} else {
$tracking .= " var lti_users = '';\n";
}
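Review bot: The last hunk drops the `if ($row['tsugi_xapi_student_id_mode'] == 1)` guard around `var mboxsha1 = ...` (L134–L137, judging from the -12/+9 hunk counts), so the sha1 of `mailto:` + the LTI user's e-mail is now emitted into the page for every student-id mode rather than only mode 1, which is not what the commit title describes. A hash of the learner's e-mail is a stable identifier even when the mode is meant to be anonymous, so either restore the guard or say in the commit message why unconditional emission is intended. Separately, escape_javascript is now declared identically as a global function in both play.php files (L82–L85 here); if both files are ever included in one request PHP will fatal on redeclaration, so consider guarding it with `if (!function_exists('escape_javascript'))` or moving it to a shared include. The escaper also leaves `<` and `>` untouched, so a value containing `</script>` can still close the script element that this code terminates with `</script>` (L126); adding `"<", ">"` → `'\x3c', '\x3e'` to the str_replace arrays addresses that. show_template_page's body extends beyond every hunk shown.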
