show desired course ID in messages for when course does not exist#2943
Merged
somiaj merged 1 commit intoopenwebwork:WeBWorK-2.21from Apr 7, 2026
Merged
show desired course ID in messages for when course does not exist#2943somiaj merged 1 commit intoopenwebwork:WeBWorK-2.21from
somiaj merged 1 commit intoopenwebwork:WeBWorK-2.21from
Conversation
drgrice1
approved these changes
Apr 6, 2026
Member
drgrice1
left a comment
drgrice1
left a comment
There was a problem hiding this comment.
This looks fine.
Though at first I was concerned that this might be a potential XSS vulnerability, but it is not. If, for example, the URL contained something like https://server.edu/webwork2/badCourseId<script>alert('hello')<%2Fscript> the #courseID route capture does not get that because it only allows word characters and hyphens. In fact doesn't match any routes and gives a 404 not found due to the changes in #2691.
Member
|
Did you want to target this to the release candidate branch? |
Contributor
|
I am just going to approve and put in the release candidate branch. |
somiaj
approved these changes
Apr 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If you try to visit a course that does not exist (including the situation where a course has been archived and closed), you see one of these messages affected here. The change is to display the desired course ID in the message. Of course, you could see the desired course ID in the address bar. But Safari doesn't show the address bar unless you make extra effort.
This is frustrating when someone sends me a screenshot from Safari, and they are in this situation. It's often the case that they are using LTI, and did not update LTI links to a new WeBWorK course when they copied the LMS course. It would be easier to diagnose and convince people this is the issue if the messages here included the desired courseID.