

Fixed issue: Several XSS issues fixed in administration - thanks to Stefan Peherstorfer from http://www.hackner-security.com
c-schmitz committed Feb 23, 2015
1 parent fd82602 commit 25d0dea
Showing 7 changed files with 66 additions and 60 deletions.
4 changes: 2 additions & 2 deletions application/controllers/admin/participantsaction.php
@@ -398,9 +398,9 @@ function getAttributeInfo_json()
$aData->total = ceil(ParticipantAttributeName::model()->getCPDBAttributes(true) / $limit);
$i = 0;
foreach($records as $row) { //Iterate through each attribute
$sAttributeCaption=$row->defaultname; //Choose the first item by default
$sAttributeCaption=htmlspecialchars($row->defaultname); //Choose the first item by default
foreach($row->participant_attribute_names_lang as $names) { //Iterate through each language version of this attribute
if($names->lang == Yii::app()->session['adminlang']) {$sAttributeCaption= $sAttributeCaption." ({$names->attribute_name})";} //Override the default with the admin language version if found
if($names->lang == Yii::app()->session['adminlang']) {$sAttributeCaption= $sAttributeCaption.htmlspecialchars(" ({$names->attribute_name})");} //Override the default with the admin language version if found
}
$aData->rows[$i]['id'] = $row->attribute_id;
$aData->rows[$i]['cell'] = array('', $sAttributeCaption, $attribute_types[$row->attribute_type], $row->visible);
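Review bot: `htmlspecialchars()` is called with its default flags on `$sAttributeCaption=htmlspecialchars($row->defaultname);` and again on `htmlspecialchars(" ({$names->attribute_name})")`; on PHP before 8.1 the default is `ENT_COMPAT`, which leaves single quotes unescaped and relies on `default_charset`, so a caption that lands in a single-quoted attribute on the client side is still not neutralised. Pass the flags and charset explicitly in both places, `htmlspecialchars($row->defaultname, ENT_QUOTES, 'UTF-8')`. The language comparison `$names->lang == Yii::app()->session['adminlang']` on the unchanged line is loose; `===` avoids type juggling. getAttributeInfo_json continues beyond the hunk, so how the `cell` array is rendered cannot be confirmed from here.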
4 changes: 2 additions & 2 deletions application/controllers/admin/responses.php
@@ -868,8 +868,8 @@ function oldbrowse($iSurveyID)

$fncount = count($fnames);

$start = Yii::app()->request->getParam('start', 0);
$limit = Yii::app()->request->getParam('limit', 50);
$start = (int)Yii::app()->request->getParam('start', 0);
$limit = (int)Yii::app()->request->getParam('limit', 50);
$order = Yii::app()->request->getParam('order', 'asc');
if(!$limit){$limit=50;}
$oCriteria = new CDbCriteria;
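Review bot: The `(int)` casts on `$start` and `$limit` reject non-numeric input, but a negative value still passes: `if(!$limit){$limit=50;}` only catches zero, so a negative offset or limit reaches the CDbCriteria built right after. Use `if ($limit <= 0) { $limit = 50; }` and `$start = max(0, (int)Yii::app()->request->getParam('start', 0));`. `$order` on the following context line is still taken from the request unchanged; if it is later used as a sort direction (its use is outside this hunk), constrain it to the two expected values, e.g. `$order = ($order === 'desc') ? 'desc' : 'asc';`. oldbrowse starts and ends outside the hunk.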
2 changes: 1 addition & 1 deletion application/core/LSYii_Validators.php
@@ -54,7 +54,7 @@ protected function validateAttribute($object,$attribute)
if($this->isUrl)
{
if ($object->$attribute== 'http://' || $object->$attribute=='https://') {$object->$attribute="";}
$object->$attribute=html_entity_decode($object->$attribute, ENT_QUOTES, "UTF-8"); // 140219 : Why not urlencode ?
$object->$attribute=str_replace(array('"',"'",' ','<','>'),'',html_entity_decode($object->$attribute, ENT_QUOTES, "UTF-8")); // 140219 : Why not urlencode ?
}
if($this->isLanguage)
{
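Review bot: The new `str_replace(array('"',"'",' ','<','>'),'', ...)` silently rewrites the attribute instead of rejecting it, and a five-character denylist is not a URL check: it says nothing about the scheme, so any non-http(s) value still passes the `isUrl` branch as a valid URL. Prefer validating with `filter_var($value, FILTER_VALIDATE_URL)` plus an explicit scheme allow-list and reporting failure via `$this->addError($object, $attribute, ...)`, keeping the character removal only as defence in depth. The trailing comment `// 140219 : Why not urlencode ?` no longer describes the line; replace it with one stating the intent, e.g. `// Remove characters that could terminate an HTML attribute when the URL is echoed`. validateAttribute starts and ends outside the hunk.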
2 changes: 1 addition & 1 deletion application/core/Survey_Common_Action.php
@@ -806,7 +806,7 @@ function _surveysummary($iSurveyID, $action=null, $gid=null)

if ($aSurveyInfo['surveyls_url'] != "")
{
$aData['endurl'] = " <a target='_blank' href=\"" . flattenText($aSurveyInfo['surveyls_url']) . "\" title=\"" . flattenText($aSurveyInfo['surveyls_url']) . "\">".flattenText($aSurveyInfo['surveyls_urldescription'])."</a>";
$aData['endurl'] = " <a target='_blank' href=\"" . htmlspecialchars($aSurveyInfo['surveyls_url']) . "\" title=\"" . htmlspecialchars($aSurveyInfo['surveyls_url']) . "\">".flattenText($aSurveyInfo['surveyls_urldescription'])."</a>";
}
else
{
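Review bot: `htmlspecialchars($aSurveyInfo['surveyls_url'])` is called with default flags for both the `href` and `title` attributes; as both are double-quoted, the default `ENT_COMPAT` escaping of `"` does keep the value inside the attribute, but passing `ENT_QUOTES, 'UTF-8'` explicitly removes the dependence on the PHP version's default and on `default_charset`. Output escaping does not constrain the URL scheme; that is the job of the `isUrl` validator in LSYii_Validators touched in this same commit, and this line should not be read as covering it. The comparison `$aSurveyInfo['surveyls_url'] != ""` on the unchanged line is loose; `!== ''` is the intended check. _surveysummary continues outside the hunk.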
98 changes: 52 additions & 46 deletions application/models/ParticipantAttributeName.php
@@ -77,9 +77,9 @@ public function tableName() {
*/
public function rules()
{
// NOTE: you should only define rules for those attributes that
// will receive user inputs.
// NOTE: you should only define rules for those attributes that will receive user inputs.
return array(
array('defaultname','filter','filter' => 'strip_tags'),
array('attribute_type, visible', 'required'),
array('attribute_type', 'length', 'max'=>4),
array('visible', 'length', 'max'=>5),
@@ -134,14 +134,14 @@ public function search()
));
}


function getAllAttributes()
{
$aResult=Yii::app()->db->createCommand()->select('{{participant_attribute_names}}.*')
->from('{{participant_attribute_names}}')
->order('{{participant_attribute_names}}.attribute_id')
->queryAll();
return $aResult;
return $aResult;
}

function getAllAttributesValues()
@@ -151,7 +151,7 @@ function getAllAttributesValues()

/**
* Get an array of CPDB attributes
*
*
* @param mixed $sLanguageFilter
*/
function getVisibleAttributes($sLanguageFilter=null)
@@ -333,26 +333,28 @@ function getnotaddedAttributes($attributeid)

/**
* Adds the data for a new attribute
*
*
* @param mixed $data
*/
function storeAttribute($data)
{
$insertnames = array('attribute_type' => $data['attribute_type'],
'defaultname'=> $data['defaultname'],
'visible' => $data['visible']);
{
// Do not allow more than 60 attributes because queries will break because of too many joins
if (ParticipantAttributeName::model()->count()>59)
if (ParticipantAttributeName::model()->count()>59)
{
return false;
};
Yii::app()->db->createCommand()->insert('{{participant_attribute_names}}',$insertnames);
$attribute_id = getLastInsertID($this->tableName());
$insertnameslang = array('attribute_id' => intval($attribute_id),
'attribute_name'=> $data['attribute_name'],
'lang' => Yii::app()->session['adminlang']);
Yii::app()->db->createCommand()->insert('{{participant_attribute_names_lang}}',$insertnameslang);
return $attribute_id;
$oParticipantAttributeName=new ParticipantAttributeName;
$oParticipantAttributeName->attribute_type=$data['attribute_type'];
$oParticipantAttributeName->defaultname=$data['defaultname'];
$oParticipantAttributeName->visible=$data['visible'];
$oParticipantAttributeName->save();
$iAttributeID = $oParticipantAttributeName->attribute_id;
$oParticipantAttributeNameLang=new ParticipantAttributeNameLang;
$oParticipantAttributeNameLang->attribute_id= intval($iAttributeID);
$oParticipantAttributeNameLang->attribute_name= $data['attribute_name'];
$oParticipantAttributeNameLang->lang= Yii::app()->session['adminlang'];
$oParticipantAttributeNameLang->save();
return $iAttributeID;
}

function editParticipantAttributeValue($data)
@@ -429,16 +431,18 @@ function saveAttribute($data)
}
if (!empty($insertnames))
{
self::model()->updateAll($insertnames, 'attribute_id = :id', array(':id' => $data['attribute_id']));
$oParticipantAttributeName=ParticipantAttributeName::model()->findByPk($data['attribute_id']);
foreach ($insertnames as $sFieldname=>$sValue)
{
$oParticipantAttributeName->$sFieldname=$sValue;
}
$oParticipantAttributeName->save();
}
if (!empty($data['attribute_name']))
{
Yii::app()->db->createCommand()
->update('{{participant_attribute_names_lang}}', array('attribute_name' => $data['attribute_name']),
'attribute_id = :attribute_id AND lang=:lang', array(
':lang' => Yii::app()->session['adminlang'],
':attribute_id' => $data['attribute_id'],
));
$oParticipantAttributeNameLang=ParticipantAttributeNameLang::model()->findByPk(array('attribute_id'=>$data['attribute_id'],'lang'=>Yii::app()->session['adminlang']));
$oParticipantAttributeNameLang->attribute_name=$data['attribute_name'];
$oParticipantAttributeNameLang->save();
}
}

@@ -447,19 +451,18 @@ function saveAttributeLanguages($data)
$query = Yii::app()->db->createCommand()->from('{{participant_attribute_names_lang}}')->where('attribute_id = :attribute_id AND lang = :lang')->select('*')->bindParam(":attribute_id", $data['attribute_id'], PDO::PARAM_INT)->bindParam(":lang", $data['lang'], PDO::PARAM_STR)->queryAll();
if (count($query) == 0)
{
// A record does not exist, insert one.
$record = array('attribute_id'=>$data['attribute_id'],'attribute_name'=>$data['attribute_name'],'lang'=>$data['lang']);
$query = Yii::app()->db->createCommand()->insert('{{participant_attribute_names_lang}}', $data);
// A record does not exist, insert one.
$oParticipantAttributeNameLang=new ParticipantAttributeNameLang;
$oParticipantAttributeNameLang->attribute_id=$data['attribute_id'];
$oParticipantAttributeNameLang->attribute_name=$data['attribute_name'];
$oParticipantAttributeNameLang->lang=$data['lang'];
$oParticipantAttributeNameLang->save();
}
else
{
// A record does exist, update it.
$query = Yii::app()->db->createCommand()
->update('{{participant_attribute_names_lang}}', array('attribute_name' => $data['attribute_name']),
'attribute_id = :attribute_id AND lang= :lang', array(
':attribute_id' => $data['attribute_id'],
':lang' => $data['lang'],
));
$oParticipantAttributeNameLang=ParticipantAttributeNameLang::model()->findByPk(array('attribute_id'=>$data['attribute_id'],'lang'=>$data['lang']));
$oParticipantAttributeNameLang->attribute_name=$data['attribute_name'];
$oParticipantAttributeNameLang->save();
}
}

@@ -472,17 +475,20 @@ function storeAttributeValues($data)

function storeAttributeCSV($data)
{
$insertnames = array('attribute_type' => $data['attribute_type'],
'defaultname' => $data['defaultname'],
'visible' => $data['visible']);
Yii::app()->db->createCommand()->insert('{{participant_attribute_names}}', $insertnames);

$insertid = getLastInsertID($this->tableName());
$insertnameslang = array('attribute_id' => $insertid,
'attribute_name'=>$data['defaultname'],
'lang' => Yii::app()->session['adminlang']);
Yii::app()->db->createCommand()->insert('{{participant_attribute_names_lang}}', $insertnameslang);
return $insertid;
$oParticipantAttributeName=new ParticipantAttributeName;
$oParticipantAttributeName->attribute_type=$data['attribute_type'];
$oParticipantAttributeName->defaultname=$data['defaultname'];
$oParticipantAttributeName->visible=$data['visible'];
$oParticipantAttributeName->save();
$iAttributeID = $oParticipantAttributeName->attribute_id;

$oParticipantAttributeNameLang=new ParticipantAttributeNameLang;
$oParticipantAttributeNameLang->attribute_id=$iAttributeID;
$oParticipantAttributeNameLang->attribute_name=$data['defaultname'];
$oParticipantAttributeNameLang->lang=Yii::app()->session['adminlang'];
$oParticipantAttributeNameLang->save();

return $iAttributeID;
}

//updates the attribute values in participant_attribute_values
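Review bot: In storeAttribute the result of `$oParticipantAttributeName->save()` is ignored; when validation fails (the rules() hunk above now runs a `strip_tags` filter and the `required`/`length` checks on save) `attribute_id` stays null, `intval($iAttributeID)` becomes 0, a ParticipantAttributeNameLang row is written for an attribute that does not exist, and that bogus id is returned to the caller. Guard it with `if (!$oParticipantAttributeName->save()) { return false; }` — the function already returns false at the 60-attribute limit, so callers must handle that value. The same unchecked `save()` appears in saveAttribute, saveAttributeLanguages and storeAttributeCSV, and in saveAttribute and saveAttributeLanguages `findByPk()` can return null, so `$oParticipantAttributeName->$sFieldname=$sValue` would be a property write on null; check for null before assigning. The `strip_tags` filter added to rules() is input sanitisation and does not replace escaping of `defaultname` where it is rendered.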
8 changes: 4 additions & 4 deletions application/models/ParticipantAttributeNameLang.php
@@ -59,11 +59,11 @@ public function tableName()
*/
public function rules()
{
// NOTE: you should only define rules for those attributes that
// will receive user inputs.
// NOTE: you should only define rules for those attributes that will receive user inputs.
return array(
// The following rule is used by search().
// Please remove those attributes that should not be searched.
array('attribute_name','filter','filter' => 'strip_tags'),
// The following rule is used by search().
// Please remove those attributes that should not be searched.
array('attribute_id, attribute_name, lang', 'safe', 'on'=>'search'),
);
}
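Review bot: The new `array('attribute_name','filter','filter' => 'strip_tags')` rule carries no `on` scenario, so it also runs in `search`, where the model only holds user-typed criteria and a search term containing `<` is silently altered before it is used. Either scope it (`'except' => 'search'`, available in the Yii 1.1 releases this code presumably targets) or document that the behaviour is intended. The rule also deserves a comment tying it to its purpose, e.g. `// Strip HTML from attribute names (XSS hardening); output must still be escaped where the name is rendered`, because strip_tags on input is not a substitute for htmlspecialchars at output.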
8 changes: 4 additions & 4 deletions scripts/admin/subquestions.js
@@ -19,7 +19,7 @@ $(document).ready(function(){
modal: true,
width:800,
title: lsbrowsertitle});
$('#quickadd').dialog({
$('#quickadd').dialog({
autoOpen: false,
modal: true,
width:600,
@@ -562,11 +562,11 @@ function quickaddlabels()
if (x==0)
{
$(".relevance").toggle(false);
tablerows=tablerows+'<tr class="row_'+k+'" ><td><img class="handle" src="' + sImageURL + 'handle.png" /></td><td><input class="code" required="required" pattern="^[a-zA-Z0-9]*$" id="code_'+randomid+'_'+scale_id+'" name="code_'+randomid+'_'+scale_id+'" type="text" maxlength="20" size="5" value="'+thisrow[0]+'" /></td><td><input type="text" size="100" id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" name="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" class="answer" value="'+thisrow[parseInt(x)+1]+'"></input> <a id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_ctrl" href="javascript:start_popup_editor(\'answer_'+languages[x]+'_'+randomid+'_'+scale_id+'\',\'[Subquestion:]('+languages[x]+')\',\''+sID+'\',\''+gID+'\',\''+qID+'\',\'editanswer\',\'editanswer\')" class="editorLink"><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrlena" class="btneditanswerena" src="' + sImageURL + 'edithtmlpopup.png" width="16" height="16" border="0" /><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrldis" class="btneditanswerdis" alt="Give focus to the HTML editor popup window" src="' + sImageURL + 'edithtmlpopup_disabled.png" style="display: none;" width="16" height="16" align="top" border="0" /></a></td><td><img src="' + sImageURL + 'addanswer.png" class="btnaddanswer" /> <img src="' + sImageURL + 'deleteanswer.png" class="btndelanswer" /></td><td><img src="' + sImageURL + 'subq_relevance_dis.png" class="btntogglerelevance"/> <input style="display: none" type="text" size="20" id="relevance_'+randomid+'_'+scale_id+'" name="relevance_'+randomid+'_'+scale_id+'" class="relevance" value="1"></input></td></tr>'
tablerows=tablerows+'<tr class="row_'+k+'" ><td><img class="handle" src="' + sImageURL + 'handle.png" /></td><td><input class="code" required="required" pattern="^[a-zA-Z0-9]*$" id="code_'+randomid+'_'+scale_id+'" name="code_'+randomid+'_'+scale_id+'" type="text" maxlength="20" size="5" value="'+htmlspecialchars(thisrow[0],'ENT_QUOTES')+'" /></td><td><input type="text" size="100" id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" name="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" class="answer" value="'+htmlspecialchars(thisrow[parseInt(x)+1],'ENT_QUOTES')+'"></input><a id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_ctrl" href="javascript:start_popup_editor(\'answer_'+languages[x]+'_'+randomid+'_'+scale_id+'\',\'[Subquestion:]('+languages[x]+')\',\''+sID+'\',\''+gID+'\',\''+qID+'\',\'editanswer\',\'editanswer\')" class="editorLink"><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrlena" class="btneditanswerena" src="' + sImageURL + 'edithtmlpopup.png" width="16" height="16" border="0" /><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrldis" class="btneditanswerdis" alt="Give focus to the HTML editor popup window" src="' + sImageURL + 'edithtmlpopup_disabled.png" style="display: none;" width="16" height="16" align="top" border="0" /></a></td><td><img src="' + sImageURL + 'addanswer.png" class="btnaddanswer" /><img src="' + sImageURL + 'deleteanswer.png" class="btndelanswer" /></td></tr>'
}
else
{
tablerows=tablerows+'<tr class="row_'+k+'" ><td>&nbsp;</td><td>&nbsp;</td><td><input type="text" size="100" id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" name="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" class="answer" value="'+thisrow[parseInt(x)+1]+'"></input> <a id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_ctrl" href="javascript:start_popup_editor(\'answer_'+languages[x]+'_'+randomid+'_'+scale_id+'\',\'[Subquestion:]('+languages[x]+')\',\''+sID+'\',\''+gID+'\',\''+qID+'\',\'editanswer\',\'editanswer\')" class="editorLink"><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrlena" class="btneditanswerena" src="' + sImageURL + 'edithtmlpopup.png" width="16" height="16" border="0" /><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrldis" class="btneditanswerdis" alt="Give focus to the HTML editor popup window" src="' + sImageURL + 'edithtmlpopup_disabled.png" style="display: none;" width="16" height="16" align="top" border="0" /></a></td><td><img src="' + sImageURL + 'subq_relevance_dis.png" class="btntogglerelevance"/> <span style="display: none" class="relevance">1</span></td></tr>'
{
tablerows=tablerows+'<tr class="row_'+k+'" ><td>&nbsp;</td><td>&nbsp;</td><td><input type="text" size="100" id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" name="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'" class="answer" value="'+htmlspecialchars(thisrow[parseInt(x)+1],'ENT_QUOTES')+'"></input><a id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_ctrl" href="javascript:start_popup_editor(\'answer_'+languages[x]+'_'+randomid+'_'+scale_id+'\',\'[Subquestion:]('+languages[x]+')\',\''+sID+'\',\''+gID+'\',\''+qID+'\',\'editanswer\',\'editanswer\')" class="editorLink"><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrlena" class="btneditanswerena" src="' + sImageURL + 'edithtmlpopup.png" width="16" height="16" border="0" /><img id="answer_'+languages[x]+'_'+randomid+'_'+scale_id+'_popupctrldis" class="btneditanswerdis" alt="Give focus to the HTML editor popup window" src="' + sImageURL + 'edithtmlpopup_disabled.png" style="display: none;" width="16" height="16" align="top" border="0" /></a></td><td>&nbsp;</td></tr>'
}
}
if (lsreplace) {
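Review bot: Besides escaping `thisrow[...]` through `htmlspecialchars(...,'ENT_QUOTES')`, the rewritten row strings drop the last `<td>` entirely: in the `x==0` branch the `subq_relevance_dis.png` toggle and the hidden `relevance_...` input are gone, and in the else branch the relevance `<span>` becomes `<td>&nbsp;</td>`, while `$(".relevance").toggle(false);` just above still expects those elements. If that is intentional it belongs in the commit message; if not, re-add the cell with the escaped value. `htmlspecialchars` is not a browser builtin, so the helper defining it (presumably a phpjs-style port that accepts the `'ENT_QUOTES'` string) must be loaded before quickaddlabels runs; building the row with DOM calls such as `$('<input>').val(thisrow[0])` would remove the need for manual escaping. quickaddlabels starts and ends outside the hunk.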

