Fixed issue: [security] #15204: Stored XSS vulnerabilities - Thanks t…

…o J. Greil from the SEC Consult Vulnerability Lab (https://www.sec-consult.com)

Dev: encode group name in alert deleted

application/controllers/admin/SurveysGroupsController.php

@@ -130,7 +130,7 @@ public function delete($id)
 
             // if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser
             if (!isset($_GET['ajax'])) {
-                Yii::app()->setFlashMessage(sprintf(gT("The survey group '%s' was deleted."), $sGroupTitle), 'success');
+                Yii::app()->setFlashMessage(sprintf(gT("The survey group '%s' was deleted."), CHtml::encode($sGroupTitle)), 'success');
                 $this->getController()->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin/survey/sa/listsurveys '));
             }
         }