Fixed issue #07087: XSS security in statistics for admin
Dev: review #07085 : using included sanitize_helper function.
Dev: maybe move sanitize_helper to Yii CFormatter http://www.yiiframework.com/doc/api/1.1/CFormatter
Shnoulle committed Dec 15, 2012
1 parent 15a59b1 commit 1b59e26
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion application/controllers/PrintanswersController.php
@@ -199,7 +199,7 @@ function actionView($surveyid,$printableexport=FALSE)
}
else
{
$printoutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>".htmlspecialchars($fname[2])."</td></tr>";
$printoutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>".sanitize_html_string($fname[2])."</td></tr>";
}
}
}
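Review bot: in this hunk only `$fname[2]` is passed through `sanitize_html_string()`; `$fname[0]` and `$fname[1]` in the same `<td>` are still interpolated into the HTML unescaped, which is exactly the gap the author's own comment below points at (all strings, even admin-entered ones, need sanitizing). If those two fields can carry user- or admin-supplied text, wrap them the same way, e.g. `<td>".sanitize_html_string($fname[0])." ".sanitize_html_string($fname[1])."</td>`, or state in the commit why they are trusted. Also worth confirming that `sanitize_html_string()` escapes at least what the replaced `htmlspecialchars()` did (including quotes, in the page's charset), since the old line was already an escaping call and this change should not weaken it.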
4 changes: 2 additions & 2 deletions application/views/admin/export/statistics_browse_view.php
@@ -44,9 +44,9 @@
</a>
</div>
<div class='statisticscolumndata'>
<?php echo stripslashes($row['value']) ?>
<?php echo sanitize_html_string($row['value']) ?>
</div>
<div style='clear: both'></div>
<?php
}
?>
?>
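Review bot: the `stripslashes()` call on `$row['value']` is dropped rather than kept, so if statistics values are stored with escaping slashes the admin view will now display the backslashes; if that is the case, use `sanitize_html_string(stripslashes($row['value']))` so the output is both un-slashed and escaped. Either way the escaping is now applied at output time in the view, which is the right place for the XSS fix in the admin statistics page; a short comment next to the echo noting that the value is untrusted survey data would help the next reader not revert it to a raw echo.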

1 comment on commit 1b59e26

@Shnoulle
Collaborator Author

For PrintanswersController

This one needs reviewing: sanitize all strings, even ones entered by an admin (for example with an img tag).
