Symptom
A validation error stating "The 'eval()' expression is not allowed" appears when assigning a Learning item to a user, when a user attempts to provide an e-signature, or while performing other actions with the item (for example, editing the content within a curriculum). Other scenarios in the Learning Management System might cause this same validation error.
Environment
SAP SuccessFactors Learning
Reproducing the Issue
- Create an Item
- Set the title of the newly created item to 'Retrieval (Testing)'
- Attempt to assign this item to a user
- The validation error appears
Cause
By default, the XSS filter rejects data such as "ItemEval (V)" because it contains the JavaScript trigger "eval()", the use of which is considered dangerous in general.
Resolution
No direct steps can be provided, because the affected data is unique to each system. The best course of action is to modify any related data that contains 'eval()'. This can be the Item Title, Item Type, Item ID, etc. Depending on the data, change the affected field to something else. For example, change 'Retrieval (Testing)' to 'Retrievals (Testing)'. This is the recommended option to avoid any possible JavaScript security vulnerability.
If the preference is not to change any of the fields that contain this "eval()" data, a setting can be changed instead.
- Navigate to Learning Administration > System Administration > Configuration > System Configuration
- Open the WEB_SECURITY configuration in Edit mode
- Set secRules.eval.enabled=false
- Hit "Apply Changes"
This is not the recommended choice, but it is an option.
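To locate the data that the recommended option asks you to rename, the following added example (not SAP code) scans a CSV export of items for fields that contain the trigger. The match pattern is an assumption inferred from the two examples in this KBA, and the export layout, column names and sample rows are constructed.

```python
import csv
import io
import re

# Assumption: the real WEB_SECURITY rule is not published in this KBA. This
# pattern is inferred from its two examples ("Retrieval (Testing)" and
# "ItemEval (V)"): "eval", optional whitespace, "(", in any letter case.
EVAL_TRIGGER = re.compile(r"eval\s*\(", re.IGNORECASE)

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """item_id,item_type,title
ITM-001,COURSE,Retrieval (Testing)
ITM-002,ItemEval (V),Annual review
ITM-003,COURSE,Retrievals (Testing)
ITM-004,COURSE,Evaluation basics
EVAL(2024),DOC,Medieval( history
"""


def find_trigger_fields(csv_text):
    """Return (line_number, column, value, matched_text) for every field hit."""
    hits = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_number, row in enumerate(reader, start=2):  # line 1 is the header
        for column, value in row.items():
            match = EVAL_TRIGGER.search(value or "")
            if match:
                hits.append((line_number, column, value, match.group(0)))
    return hits


def report(csv_text):
    """Format one line per field that needs renaming."""
    return [
        f"line {n}: {col}={val!r} contains {hit!r}"
        for n, col, val, hit in find_trigger_fields(csv_text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

'Retrievals (Testing)' and 'Evaluation basics' are not reported, which is why the small rename suggested above is enough to pass the check.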
Keywords
XSS filter, Validation, error, eval(), javascript, trigger, secRules.eval.enabled, item, title, security, check, checks, sf, lms, successfactors, expression, allowed, KBA, LOD-SF-LMS-ITE, Items, LOD-SF-LMS-ADM, System Admin, Global Variables, References, Problem