Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: 2.3.4, 2.4.1
Affects Version/s: 2.2.4, 2.3.3
Component/s: Activity completion
Labels:
None

Affected Branches:
MOODLE_22_STABLE, MOODLE_23_STABLE
Fixed Branches:
MOODLE_23_STABLE, MOODLE_24_STABLE
Pull from Repository:
git://github.com/sammarshallou/moodle.git
Pull Main Branch:
~~MDL-36808~~-master
Pull Main Diff URL:
https://github.com/sammarshallou/moodle/compare/master...MDL-36808-master
Testing Instructions:
Hide

0. Ensure completion tracking is enabled in advanced features.
1. Create a new empty course with completion tracking enabled (leave other settings default).
2. Add a new label to the first week of the course. Set label name to: argh'"s label
3. Turn editing off.
4. View source. Search for all instances of the string "argh" so as to find the 'argh'"s label' strings regardless of how they are quoted.

Before fixing this issue, some of those instances are invalid HTML code because they contain a single quote inside an attribute that is single-quoted. Firefox displays these in red in its source view.

After fixing this issue, any instances that are in attributes should be escaped suitably for the surrounding quotes.

5. Click on the completion tickbox to verify that it correctly ticks.
6. Look at the title (mouse over the tickbox) to verify that it contains the correct module name without extra quoting. (This title is written by JS code which uses the modulename field in the form).
7. Click again to check it unticks.
8. Turn JavaScript off and reload the page, then click on the completion tickbox twice to verify that it correctly ticks and then unticks (to test the non-JS version).
Show
0. Ensure completion tracking is enabled in advanced features. 1. Create a new empty course with completion tracking enabled (leave other settings default). 2. Add a new label to the first week of the course. Set label name to: argh'"s label 3. Turn editing off. 4. View source. Search for all instances of the string "argh" so as to find the 'argh'"s label' strings regardless of how they are quoted. Before fixing this issue, some of those instances are invalid HTML code because they contain a single quote inside an attribute that is single-quoted. Firefox displays these in red in its source view. After fixing this issue, any instances that are in attributes should be escaped suitably for the surrounding quotes. 5. Click on the completion tickbox to verify that it correctly ticks. 6. Look at the title (mouse over the tickbox) to verify that it contains the correct module name without extra quoting. (This title is written by JS code which uses the modulename field in the form). 7. Click again to check it unticks. 8. Turn JavaScript off and reload the page, then click on the completion tickbox twice to verify that it correctly ticks and then unticks (to test the non-JS version).

The activity completion toggle source code (./course/lib.php ~ line 1713) uses hardcoded HTML markup and single quotes to wrap tag attribute values. This will produce invalid markup when the resource/activity title contains single quotes. This malformed HTML breaks the layout in IE7 and IE8/9 running in compatibility mode.

The HTML that get produced >>

<< As shown the ALT and TITLE attribute values contain single quotes while being wrapped in single quotes.

Steps to Reproduce:

Go to any course view page.
Edit settings of the course and enable completion tracking and save.
Turn editing on
Add a URL (resource) a section (though any resource or activity will have the same effect).
Give it the title > Google's Homepage
Give it the URL value > http://www.google.com
Click "Save and return to course"
View HTML source generated for this feature

Suggested Solution

Replace hardcode HTML markup with HTML generated by the html_writer:: functionality >>

echo html_writer::start_tag('form', array('class'=>'togglecompletion'.$extraclass, 'method'=>'post', 'action'=>$CFG->wwwroot.'/course/togglecompletion.php'));
echo html_writer::start_tag('div');
echo html_writer::empty_tag('input', array('type'=>'hidden', 'name'=>'id', 'value'=>$mod->id));
echo html_writer::empty_tag('input', array('type'=>'hidden', 'name'=>'modulename', 'value'=>s($mod->name)));
echo html_writer::empty_tag('input', array('type'=>'hidden', 'name'=>'sesskey', 'value'=>sesskey()));
echo html_writer::empty_tag('input', array('type'=>'hidden', 'name'=>'completionstate', 'value'=>$newstate));
echo html_writer::empty_tag('input', array('type'=>'image', 'src'=>$imgsrc, 'alt'=>$imgalt, 'title'=>$imgtitle));
echo html_writer::end_tag('div'); echo html_writer::end_tag('form');

has been marked as being related by

MDL-38824 Activity completion when Activities have apostrophes breaks alt text

Closed

is duplicated by

MDL-35345 Invalid HTML in completion images on course pages

Closed

Assignee:: Sam Marshall

Reporter:: Dan Danowski

Integrator:: Dan Poltawski

Tester:: Rajesh Taneja

Participants:: Dan Danowski, Dan Poltawski, Eloy Lafuente (stronk7), Rajesh Taneja, Sam Marshall

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 24/Nov/12 8:49 AM

Updated:: 02/Apr/13 1:44 PM

Resolved:: 15/Dec/12 8:29 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Clockify