MDL-81925

MathJax filter update affects JavaScript code

      Hi all,

      a recent update to the MathJax filter code linked to this security issue fix on stored XSS leads to malfunctioning JavaScript code placed in Moodle. JS is handy to enrich the possibilities in STACK quiz questions.

      For example if you have this JS code and a MathJax formula on one page:

      <script type="text/javascript">
        // Collects the non-empty values of all inputs whose id starts with "ursprung"
        // and writes them as "[v1,v2,...]" into the input that is a direct child of #ziel.
        function updateDynamicInputfields(ursprung, ziel) {
          document.querySelector("#" + ziel + ">input").value = "[" + Array.from(document.querySelectorAll("input[id^=" + ursprung + "]")).map(elem => elem.value || '').filter(Boolean).toString() + "]";
        };
      </script>
       
      \(G_{2}\)  

      it will alter the JS code into:

      function updateDynamicInputfields(ursprung, ziel) {
        document.querySelector("#" + ziel + "&gt;input").value = "[" + Array.from(document.querySelectorAll("input[id^=" + ursprung + "]")).map(elem =&gt; elem.value || '').filter(Boolean).toString() + "]";
      }; 

      by replacing all > signs with &gt;. This raises the error of an unexpected & sign in the developer console.

      Loading the code via <script src="xy.js"></script> still works fine.

      It will also affect HTML tags between curly brackets, like this:

      <p>Some MathJax formula: \(G_{2}\)</p>
      <p>open curly bracket: {</p>
      <p>close curly bracket: }<br></p> 

      It would be great if one could use small JS code snippets in future without having to avoid > or < signs in {} curly brackets, and use the MathJax filter at the same time without reopening the tackled security issue.
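      As an added example that is not code from this issue, from the MathJax filter or from STACK: a small pre-flight check that reports every `<`, `>` and `&` in an inline snippet (the characters the reporter saw escaped), a simplified model of that escaping, and a rewrite of the reporter's function that contains none of those characters, exercised against a constructed fake `document` so it can be checked without a browser. The escaping model is an assumption about the filter's behaviour drawn only from the altered output shown above, not from the filter's source.

```javascript
// Added example; not code from the Moodle issue, the MathJax filter or STACK.
// Assumption: the filter HTML-escapes '<', '>' and '&' in text it treats as
// part of a formula, which is what the reporter observed in the altered output.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };

// Simplified model of the observed behaviour: escape the three characters.
function htmlEscapeLikeFilter(source) {
  return source.replace(/[&<>]/g, function (c) { return ESCAPE_MAP[c]; });
}

// Pre-flight check for an inline snippet: report every character the filter
// would alter, with its line and column, so the author can fix it before
// saving the question text.
function findEscapableChars(source) {
  const hits = [];
  source.split("\n").forEach(function (line, i) {
    for (const m of line.matchAll(/[&<>]/g)) {
      hits.push({ line: i + 1, col: m.index + 1, char: m[0] });
    }
  });
  return hits;
}

// Rewrite of the reporter's function that contains no '<', '>' or '&':
// the '#id>input' child combinator becomes a lookup on the target element,
// and the arrow function becomes a function expression. Difference from the
// original: querySelector("input") finds the first input descendant of the
// target, not only a direct child.
const SAFE_SNIPPET = [
  "function updateDynamicInputfields(ursprung, ziel) {",
  "  var target = document.getElementById(ziel).querySelector(\"input\");",
  "  var inputs = document.querySelectorAll('input[id^=\"' + ursprung + '\"]');",
  "  var values = Array.prototype.map.call(inputs, function (elem) { return elem.value || \"\"; });",
  "  target.value = \"[\" + values.filter(Boolean).join(\",\") + \"]\";",
  "}",
].join("\n");

// Run the snippet against a minimal fake document (constructed here) so the
// rewrite can be checked without a browser. `values` stands for the current
// values of the inputs matched by the id prefix.
function runSafeSnippet(values) {
  const target = { value: "" };
  const fakeDocument = {
    getElementById: function () {
      return { querySelector: function () { return target; } };
    },
    querySelectorAll: function () {
      return values.map(function (v) { return { value: v }; });
    },
  };
  const fn = new Function("document", SAFE_SNIPPET + "\nreturn updateDynamicInputfields;")(fakeDocument);
  fn("ans", "out");
  return target.value;
}

// Stand-alone demonstration.
console.log(findEscapableChars("elem => elem.value")); // one hit: '>'
console.log(htmlEscapeLikeFilter("a > b"));            // a &gt; b
console.log(findEscapableChars(SAFE_SNIPPET).length);  // 0
console.log(runSafeSnippet(["1", "", "x"]));           // [1,x]
```

      Running `findEscapableChars` over a snippet before saving it tells you exactly which characters the filter would rewrite; the rewritten function passes that check unchanged through `htmlEscapeLikeFilter`, so it keeps working whether or not a formula sits on the same page. Loading the script from a separate file, as the report notes, remains the option that needs no rewrite at all.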
