Bug
Resolution: Unresolved
Major
None
4.1.10, 4.3.9, 4.4.5, 4.5.1, 5.0
Hhogs Merge Review Candidates
Hi all,
a recent update to the MathJax filter code linked to this security issue fix on stored XSS leads to malfunctioning JavaScript code placed in Moodle. JS is handy to enrich the possibilities in STACK quiz questions.
For example, if you have this JS code and a MathJax formula on one page:
<script type="text/javascript">
function updateDynamicInputfields(ursprung, ziel) {
  document.querySelector("#" + ziel + ">input").value = "[" + Array.from(document.querySelectorAll("input[id^=" + ursprung + "]")).map(elem => elem.value || '').filter(Boolean).toString() + "]";
};
</script>

\(G_{2}\)
it will alter the JS code into:
function updateDynamicInputfields(ursprung, ziel) {
  document.querySelector("#" + ziel + "&gt;input").value = "[" + Array.from(document.querySelectorAll("input[id^=" + ursprung + "]")).map(elem =&gt; elem.value || '').filter(Boolean).toString() + "]";
};
by replacing all > signs with &gt;. This raises the error of an unexpected & sign in the developer console.
Loading the code via <script src="xy.js"></script> still works fine.
It will also affect HTML tags between curly brackets like this:
<p>Some MathJax formula: \(G_{2}\)</p>
<p>open curly bracket: {</p>
<p>close curly bracket: }<br></p>
It would be great if, in future, one could again use small JS code snippets without trying to avoid > or < signs in {} curly brackets and use the MathJax filter at the same time, without opening the tackled security issue again.
is duplicated by: CONTRIB-9575 MathJax filter update effects java script code (Closed)
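The conditions the report describes (a MathJax formula on the page plus `<` or `>` between curly brackets, in an inline script or in plain HTML) can be checked for in stored content around an upgrade. This is an added example, not code from the report or from Moodle; the function names, the delimiter list and the sample strings are assumptions constructed from the snippets above.

```javascript
// Added example, not Moodle code. Flags content matching the report's conditions.
// Assumption: these delimiters mark a MathJax formula in stored content.
const MATH_DELIMS = /\\\(|\\\[|\$\$/;

// Character ranges covered by inline <script> bodies (no src attribute).
function inlineScriptRanges(html) {
  const ranges = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/\bsrc\s*=/i.test(m[1])) continue; // external scripts are reported as unaffected
    const bodyStart = m.index + m[0].indexOf('>') + 1;
    ranges.push([bodyStart, bodyStart + m[2].length]);
  }
  return ranges;
}

// Report each outermost {...} span that contains '<' or '>'.
function auditContent(html) {
  if (!MATH_DELIMS.test(html)) return []; // the report needs a formula on the page
  const scripts = inlineScriptRanges(html);
  const findings = [];
  let depth = 0, start = -1;
  for (let i = 0; i < html.length; i++) {
    if (html[i] === '{') {
      if (depth++ === 0) start = i;
    } else if (html[i] === '}' && depth > 0 && --depth === 0) {
      const angles = html.slice(start, i + 1).match(/[<>]/g);
      if (!angles) continue;
      findings.push({
        offset: start,
        inInlineScript: scripts.some(([a, b]) => start >= a && start < b),
        chars: [...new Set(angles)].join(''),
      });
    }
  }
  return findings;
}

// Constructed samples modelled on the two snippets in the report.
const SCRIPT_AND_FORMULA = String.raw`<script type="text/javascript">
function update(ursprung, ziel) {
  document.querySelector("#" + ziel + ">input").value = [ursprung].map(e => e).toString();
};
</script>
\(G_{2}\)`;
const TAGS_BETWEEN_BRACES = String.raw`<p>Some MathJax formula: \(G_{2}\)</p>
<p>open curly bracket: {</p>
<p>close curly bracket: }<br></p>`;
console.log(auditContent(SCRIPT_AND_FORMULA), auditContent(TAGS_BETWEEN_BRACES));
```

A finding only means the content matches the pattern in this report; the check does not model the filter itself.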