Fixed issue #05696: Embedded JavaScript is fired when editing questions

Dev needed to call FlattenText for Question and Help text Dev upgraded FlattenText to Yii version that lets you flatten yet still show <span> (for syntax highlighting). git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_dev@12217 b72ed6b6-b9f8-46b5-92b4-906544132732
LimeSurvey · Jan 26, 2012 · 0232688 · 0232688
1 parent 586f693
commit 0232688
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 13 deletions.
diff --git a/admin/html.php b/admin/html.php
@@ -1194,7 +1194,7 @@
 //        $qrrow = array_map('FlattenText', $qrrow);
         //$qrrow = array_map('htmlspecialchars', $qrrow);
         $questionsummary .= "<div class='menubar-title ui-widget-header'>\n"
-        . "<strong>". $clang->gT("Question")."</strong> <span class='basic'>{$qrrow['question']} (".$clang->gT("ID").":$qid)</span>\n"
+        . "<strong>". $clang->gT("Question")."</strong> <span class='basic'>".FlattenText($qrrow['question'])." (".$clang->gT("ID").":$qid)</span>\n"
         . "</div>\n"
         . "<div class='menubar-main'>\n"
         . "<div class='menubar-left'>\n"
@@ -1408,15 +1408,15 @@
         // Color code the question, help, and relevance
 
         templatereplace($qrrow['question'],false,false,$qid);
-        $questionsummary .= LimeExpressionManager::GetLastPrettyPrintExpression();
+        $questionsummary .= FlattenText(LimeExpressionManager::GetLastPrettyPrintExpression(), false, 'UTF-8', true, true);
 
         $questionsummary .= "</td></tr>\n"
         . "<tr><td align='right' valign='top'><strong>"
         . $clang->gT("Help:")."</strong></td>\n<td align='left'>";
         if (trim($qrrow['help'])!='')
         {
             templatereplace($qrrow['help'],false,false,$qid);
-            $questionsummary .= LimeExpressionManager::GetLastPrettyPrintExpression();
+            $questionsummary .= FlattenText(LimeExpressionManager::GetLastPrettyPrintExpression(), false, 'UTF-8', true, true);
         }
         $questionsummary .= "</td></tr>\n";
         if ($qrrow['preg'])

diff --git a/admin/questionhandling.php b/admin/questionhandling.php
@@ -813,7 +813,7 @@
         $relevance = ($oqarray[$i]['relevance'] == '') ? 1 : $oqarray[$i]['relevance'];
         $showme = '[{' . $relevance . '}] ' . $oqarray[$i]['question'];
         LimeExpressionManager::ProcessString($showme, $oqarray[$i]['qid']);
-        $orderquestions.=LimeExpressionManager::GetLastPrettyPrintExpression();
+        $orderquestions.=FlattenText(LimeExpressionManager::GetLastPrettyPrintExpression(), false, 'UTF-8', true, true);
         $orderquestions.= "</li>\n" ;
     }
 

diff --git a/common_functions.php b/common_functions.php
@@ -4527,32 +4527,40 @@ function SendEmailMessage($mail, $body, $subject, $to, $from, $sitename, $ishtml
 
 
 /**
-*  This functions removes all HTML tags, Javascript, CRs, linefeeds  and other strange chars from a given text. CRs, linefeeds are not removed for .csv files
+*  This functions removes all HTML tags, Javascript, CRs, linefeeds and other strange chars from a given text
 *
 * @param string $sTextToFlatten  Text you want to clean
 * @param boolan $bDecodeHTMLEntities If set to true then all HTML entities will be decoded to the specified charset. Default: false
 * @param string $sCharset Charset to decode to if $decodeHTMLEntities is set to true
 *
 * @return string  Cleaned text
 */
-function FlattenText($sTextToFlatten, $bDecodeHTMLEntities=false, $sCharset='UTF-8', $bStripNewLines=true)
+function FlattenText($sTextToFlatten, $bDecodeHTMLEntities=false, $sCharset='UTF-8', $bStripNewLines=true, $keepSpan=false)
 {
     $sNicetext = strip_javascript($sTextToFlatten);
-    $sNicetext = strip_tags($sNicetext);
-
-    if ($bStripNewLines ){
-        $sNicetext = preg_replace('~\Ru~', '', $sNicetext);
+    // When stripping tags, add a space before closing tags so that strings with embedded HTML tables don't get concatenated
+    $sNicetext = str_replace('</',' </', $sNicetext);
+    if ($keepSpan) {
+        // Keep <span> so can show EM syntax-highlighting; add space before tags so that word-wrapping not destroyed when remove tags.
+        $sNicetext = strip_tags($sNicetext,'<span><table><tr><td><th>');
+    }
+    else {
+        $sNicetext = strip_tags($sNicetext);
+    }
+    if ($bStripNewLines ){  // strip new lines
+        $sNicetext = preg_replace(array('~\Ru~','/\s{2,}/'),array(' ',' '), $sNicetext);
     }
-    else // unify newlines
+    else // unify newlines to \r\n
     {
-        $sNicetext = preg_replace('~\Ru~', "\r\n", $sNicetext);
+        $sNicetext = preg_replace(array('~\Ru~'), array("\r\n"), $sNicetext);
     }
     if ($bDecodeHTMLEntities==true)
     {
         $sNicetext = str_replace('&nbsp;',' ', $sNicetext); // html_entity_decode does not convert &nbsp; to spaces
         $sNicetext = html_entity_decode($sNicetext, ENT_QUOTES, $sCharset);
     }
-    return trim($sNicetext); ;
+    $sNicetext = trim($sNicetext);
+    return  $sNicetext;
 }
 
 /**