SAP Knowledge Base Article - Public

2354028 - Validation Error - The "eval()" expression is not allowed

Symptom

When a learning item is assigned to a user, or when a user attempts to provide an e-signature, a validation error appears stating "The 'eval()' expression is not allowed". Other scenarios in the Learning Management System might also cause this validation error.


"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SuccessFactors Learning Management System (LMS)

Reproducing the Issue

  1. Create an Item
  2. Set the title of the newly created item to 'Retrieval (Testing)'
  3. Attempt to assign this item to a user
  4. The validation error appears

Cause

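By default, the XSS filter rejects data such as "ItemEval (V)" because it contains the JavaScript trigger "eval()", the use of which is generally considered dangerous. The title 'Retrieval (Testing)' from the reproduction steps is caught the same way: the word ends in "eval" and is followed by parentheses.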

Resolution

No direct steps can be provided because of the unique nature of the data. The best course of action is to modify any related data that contains 'eval()'. This can be the Item Title, Item Type, Item ID, etc. Depending on the data, change the affected field to something else. For example, change 'Retrieval (Testing)' to 'Retrievals (Testing)'. This is the recommended option to avoid any possible JavaScript security vulnerability.
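To find the values that need renaming while the filter stays enabled, the following added example (not SAP code) scans an exported item list for fields that would match the trigger. The regular expression is an assumed approximation inferred from the two rejected values in this article, and the CSV column names and sample rows are constructed.

```python
import csv
import io
import re

# Assumed approximation of the rule: "eval", optional whitespace, then "(".
# Inferred from the two values this article says are rejected; the actual
# pattern used by the LMS filter is not given in the article.
EVAL_TRIGGER = re.compile(r"eval\s*\(", re.IGNORECASE)

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """item_id,item_type,item_title
COURSE-001,ONLINE,Retrieval (Testing)
COURSE-002,ONLINE,Retrievals (Testing)
ItemEval (V),ONLINE,Annual Evaluation
COURSE-004,Medieval(History),Castles 101
"""


def would_trigger(value):
    """True if a single value matches the assumed trigger pattern."""
    return EVAL_TRIGGER.search(value) is not None


def find_flagged_fields(csv_text):
    """Return (line_number, column, value, matched_text) for each risky field."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_number, row in enumerate(reader, start=2):  # header is line 1
        for column, value in row.items():
            match = EVAL_TRIGGER.search(value or "")
            if match:
                findings.append((line_number, column, value, match.group(0)))
    return findings


if __name__ == "__main__":
    for line_number, column, value, matched in find_flagged_fields(SAMPLE_EXPORT):
        print(f"line {line_number}: {column}={value!r} matches {matched!r}")
```

The renamed title 'Retrievals (Testing)' passes because the inserted "s" separates "eval" from the parenthesis, while "Annual Evaluation" passes because no parenthesis follows.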

If the preference is to not change any of the fields that have this "eval()" data, a setting can be changed.

  1. Navigate to LMS Admin
  2. Configuration
  3. System Configuration
  4. Edit the SECURITY property file
  5. Set secRules.eval.enabled=false

This is not the recommended choice, but it is an option.

Keywords

XSS filter Validation error eval() javascript trigger secRules.eval.enabled item title security check checks sf lms successfactors , KBA , LOD-SF-LMS-ITE , Items , Problem

Product

SAP SuccessFactors Learning all versions