MDL-8193 Incorrect handling of quotes in SetValue processing - recoded so that it escapes all values passed from tracks.

mod/scorm/api.php

@@ -34,10 +34,12 @@
     }
 
     require_login($course->id, false, $cm);
-    
-    if ($usertrack=scorm_get_tracks($scoid,$USER->id,$attempt)) {
+
+    if ($usertrack = scorm_get_tracks($scoid,$USER->id,$attempt)) {
         if ((isset($usertrack->{'cmi.exit'}) && ($usertrack->{'cmi.exit'} != 'time-out')) || ($scorm->version != "SCORM_1.3")) {
-            $userdata = $usertrack;
+            foreach ($usertrack as $key => $value) {
+                $userdata->$key = addslashes_js($value);
+            }
         } else {
             $userdata->status = '';
             $userdata->score_raw = '';
@@ -46,8 +48,8 @@
         $userdata->status = '';
         $userdata->score_raw = '';
     }
-    $userdata->student_id = $USER->username;
-    $userdata->student_name = $USER->lastname .', '. $USER->firstname;
+    $userdata->student_id = addslashes_js($USER->username);
+    $userdata->student_name = addslashes_js($USER->lastname .', '. $USER->firstname);
     $userdata->mode = 'normal';
     if (isset($mode)) {
         $userdata->mode = $mode;
@@ -59,7 +61,7 @@
     }    
     if ($scodatas = scorm_get_sco($scoid, SCO_DATA)) {
         foreach ($scodatas as $key => $value) {
-            $userdata->$key = $value;
+            $userdata->$key = addslashes_js($value);
         }
     } else {
         print_error('cannotfindsco', 'scorm');

mod/scorm/datamodels/scorm_12.js.php

@@ -53,7 +53,7 @@ function SCORMapi1_2() {
         'cmi._version':{'defaultvalue':'3.4', 'mod':'r', 'writeerror':'402'},
         'cmi.core._children':{'defaultvalue':core_children, 'mod':'r', 'writeerror':'402'},
         'cmi.core.student_id':{'defaultvalue':'<?php echo $userdata->student_id ?>', 'mod':'r', 'writeerror':'403'},
-        'cmi.core.student_name':{'defaultvalue':'<?php echo addslashes_js($userdata->student_name) ?>', 'mod':'r', 'writeerror':'403'},
+        'cmi.core.student_name':{'defaultvalue':'<?php echo $userdata->student_name ?>', 'mod':'r', 'writeerror':'403'},
         'cmi.core.lesson_location':{'defaultvalue':'<?php echo isset($userdata->{'cmi.core.lesson_location'})?$userdata->{'cmi.core.lesson_location'}:'' ?>', 'format':CMIString256, 'mod':'rw', 'writeerror':'405'},
         'cmi.core.credit':{'defaultvalue':'<?php echo $userdata->credit ?>', 'mod':'r', 'writeerror':'403'},
         'cmi.core.lesson_status':{'defaultvalue':'<?php echo isset($userdata->{'cmi.core.lesson_status'})?$userdata->{'cmi.core.lesson_status'}:'' ?>', 'format':CMIStatus, 'mod':'rw', 'writeerror':'405'},

mod/scorm/datamodels/scorm_13.js.php

@@ -138,7 +138,7 @@ function SCORMapi1_3() {
         'cmi.interactions.n.description':{'pattern':CMIIndex, 'format':CMILangString250, 'mod':'rw'},
         'cmi.launch_data':{'defaultvalue':<?php echo isset($userdata->datafromlms)?'\''.$userdata->datafromlms.'\'':'null' ?>, 'mod':'r'},
         'cmi.learner_id':{'defaultvalue':'<?php echo $userdata->student_id ?>', 'mod':'r'},
-        'cmi.learner_name':{'defaultvalue':'<?php echo addslashes_js($userdata->student_name) ?>', 'mod':'r'},
+        'cmi.learner_name':{'defaultvalue':'<?php echo $userdata->student_name ?>', 'mod':'r'},
         'cmi.learner_preference._children':{'defaultvalue':student_preference_children, 'mod':'r'},
         'cmi.learner_preference.audio_level':{'defaultvalue':'1', 'format':CMIDecimal, 'range':audio_range, 'mod':'rw'},
         'cmi.learner_preference.language':{'defaultvalue':'', 'format':CMILang, 'mod':'rw'},