My organization uses a security product to scan all of our code before it goes to production. It does not like some of the code in the scormdriver.js file (says it has a cross site scripting issue).
Do I even need this file if I am using AICC to report to our LMS?
If I need it, does anyone know of a patch?
Thanks!
Here is an example of the issue:
Abstract: The method WriteToDebug() in scormdriver.js sends unvalidated data to a web browser on line 1032, which can result in the browser executing malicious code.
Source:
1032 function WriteToDebug(strInfo){if(blnDebug){var dtm=new Date();var strLine;strLine=aryDebug.length+":"+dtm.toString()+" - "+strInfo;aryDebug[aryDebug.length]=strLine;if(winDebug&&!winDebug.closed){winDebug.document.write(strLine+"<br>\n");}}
In my opinion you don't really need that. It opens a popup when you are not running the course in an LMS. If any of the info in the popup actually happened to a student they wouldn't know what to do with it anyway. The problem may be that a call is made to that function 1224 times in the file.
I have seen that pop up when we test before going to LMS. Are you saying if I do not include that file, that I won't get that pop up?
Also, please clarify what you mean in your last sentence "The problem may be that a call is made to that function 1224 times in the file." Are you saying that if I delete the scormdriver.js file, I could get calls to it 1224 times that will go unanswered? Or are you saying that my security software has a problem with the current state which is 1224 calls?
Thanks for the info.
I haven't looked at the file enough to know whether you would need that file for AICC; I would imagine if they include it you do need it.
In that file there are 1224 JavaScript calls made to that function. If the calls are never made while running in an LMS it wouldn't matter if you commented out that function; otherwise you'd get JavaScript errors.
All you can do is try it; it's not irreversible since every time you publish it would write the file anew.
Captivate indeed does need this file. The content will not display without it.
Also, I had some indication on another forum that I could comment out the "WriteToDebug" entries that are giving the specific errors, but that also caused the content to not display.
Does anyone have any idea how to modify the scormdriver.js file so it passes the Cross Site Scripting Errors found by my organization's code scanning software?
Thanks!
You can comment out the WriteToDebug which will cause one error on line 6042 because it breaks the function referenced in your original post. So if you find "WriteToDebug" and replace it with "//WriteToDebug", then find the function on line 6042, and apply a block comment to the whole function you should be OK. The block comment syntax is /* some text */
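An alternative to commenting the calls out, as an added example that is not part of the thread or of Adobe's scormdriver.js: HTML-encode the line at the single `document.write` sink the scan report flags, so all existing call sites keep working. `escapeHtml`, `makeDebugLogger`, `makeFakeWindow` and the sample string are assumptions made for this sketch; the fake window stands in for the debug popup so the code runs under Node.

```javascript
// Added example (not Adobe's code): the WriteToDebug logic from the scan report,
// rebuilt so the debug window is injected and the result can be inspected.

// Encode the five HTML-significant characters so text cannot become markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical factory; blnDebug / aryDebug / winDebug mirror the names in the report.
function makeDebugLogger(winDebug, encode) {
  const aryDebug = [];
  const blnDebug = true;
  function WriteToDebug(strInfo) {
    if (!blnDebug) return;
    const dtm = new Date();
    const strLine = aryDebug.length + ":" + dtm.toString() + " - " + strInfo;
    aryDebug[aryDebug.length] = strLine; // the array keeps the raw text
    if (winDebug && !winDebug.closed) {
      // The only change: encode at the HTML sink, not at the call sites.
      winDebug.document.write((encode ? escapeHtml(strLine) : strLine) + "<br>\n");
    }
  }
  return { WriteToDebug, aryDebug };
}

// Stand-in for the popup window so this runs without a browser.
function makeFakeWindow(closed) {
  const written = [];
  return { closed: Boolean(closed), written, document: { write: (html) => written.push(html) } };
}

// Constructed sample value standing in for unvalidated data reaching strInfo.
const SAMPLE = 'lesson_location=<script>alert(1)</script>&name="x"';

// Returns the HTML that would have been written to the debug window.
function demo(encode) {
  const win = makeFakeWindow(false);
  makeDebugLogger(win, encode).WriteToDebug(SAMPLE);
  return win.written[0];
}

console.log("as reported:", demo(false));
console.log("encoded    :", demo(true));
```

As noted earlier in the thread, publishing writes scormdriver.js anew, so a change like this has to be reapplied after each publish. Whether a given scanner accepts the encoded sink depends on its rules.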