From 2aada33c76efbbc35d33c149ac02b1dc16a81f62 Mon Sep 17 00:00:00 2001
From: Patrick Teichmann
Date: Thu, 2 Apr 2020 10:30:51 +0200
Subject: [PATCH] Fixed issue [security] #16068: Stored Cross Site Scripting Vulnerability in permission rules. (Thanks to Matthew Aberegg)
---
 .../controllers/admin/PermissiontemplatesController.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/application/controllers/admin/PermissiontemplatesController.php b/application/controllers/admin/PermissiontemplatesController.php
index c61e36a3ff8..47b6ed1b1f4 100644
--- a/application/controllers/admin/PermissiontemplatesController.php
+++ b/application/controllers/admin/PermissiontemplatesController.php
@@ -83,6 +83,10 @@ public function applyedit()
 $aPermissiontemplate = Yii::app()->request->getPost('Permissiontemplates');
 $model = $this->loadModel($aPermissiontemplate['ptid']);
+ // XSS filter
+ $aPermissiontemplate['name'] = CHtml::encode($aPermissiontemplate['name']);
+ $aPermissiontemplate['description'] = CHtml::encode($aPermissiontemplate['description']);
+
 $newAttributes = array_merge($model->attributes, $aPermissiontemplate);
 $model->attributes = $newAttributes;
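Review bot: The two `CHtml::encode()` calls added in `applyedit()` escape `name` and `description` before they are stored, so the protection covers only this one write path and the database now holds HTML entities instead of the text the user typed. Any other code that saves a permission template (not visible in this hunk) would still store raw markup, and a view that already encodes these fields will presumably show double-escaped text such as `&amp;amp;`; encoding where the values are rendered is the more robust fix, with this filter kept as defence in depth at most. The new lines also index `$aPermissiontemplate['name']` and `['description']` unconditionally, so a POST that omits one of them appears to overwrite the stored value with an empty string through the `array_merge` that follows, where previously the model's value was kept. Guarding each call, e.g. `if (isset($aPermissiontemplate['name'])) { $aPermissiontemplate['name'] = CHtml::encode($aPermissiontemplate['name']); }`, preserves the earlier behaviour. The body of `applyedit()` starts and continues outside the hunk.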