Fixed issue: possible cross-site scripting issue in update view.

LimeSurvey · Dec 13, 2016 · 1bfaffc · 1bfaffc
1 parent ecc649e
commit 1bfaffc
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/application/views/admin/update/_ajaxVariables.php b/application/views/admin/update/_ajaxVariables.php
@@ -17,8 +17,8 @@
 ?>
 
 <script>
-    var csrf_token_name = "<?php echo Yii::app()->request->csrfTokenName;?>";
-    var csrf_token = "<?php echo Yii::app()->request->csrfToken;?>";
+    var csrf_token_name = "<?php echo sanitize_paranoid_string(Yii::app()->request->csrfTokenName);?>";
+    var csrf_token = "<?php echo sanitize_paranoid_string(Yii::app()->request->csrfToken);?>";
 </script>
 
 <?php if(isset($_REQUEST['update'])):?>