Fixed issue #3879: Embedded javacript is shown in admin notification …
…emails

git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey@8022 b72ed6b6-b9f8-46b5-92b4-906544132732
c-schmitz committed Nov 30, 2009
1 parent 7e05ce4 commit 3aa033b
Showing 2 changed files with 77 additions and 79 deletions.
40 changes: 2 additions & 38 deletions common.php
Expand Up @@ -4303,46 +4303,10 @@ function FlattenText($texttoflatten)
{
$nicetext = strip_javascript($texttoflatten);
$nicetext = strip_tags($nicetext);
$nicetext = str_replace("\r", "", $nicetext);
$nicetext = trim(str_replace("\n", "", $nicetext));
$nicetext = str_replace(array("\n","\r"),array('',''), $nicetext);
$nicetext = trim($nicetext);
return $nicetext;
}
/**
* getreferringurl() returns the reffering URL
*/
function getreferringurl()
{
global $clang,$stripQueryFromRefurl;
if (isset($_SESSION['refurl']))
{
return; // do not overwrite refurl
}

// refurl is not set in session, read it from server variable
if(isset($_SERVER["HTTP_REFERER"]))
{
if(!preg_match('/'.$_SERVER["SERVER_NAME"].'/', $_SERVER["HTTP_REFERER"]))
{
if (!isset($stripQueryFromRefurl) || !$stripQueryFromRefurl)
{
$_SESSION['refurl'] = $_SERVER["HTTP_REFERER"];
}
else
{
$aRefurl = explode("?",$_SERVER["HTTP_REFERER"]);
$_SESSION['refurl'] = $aRefurl[0];
}
}
else
{
$_SESSION['refurl'] = '-';
}
}
else
{
$_SESSION['refurl'] = null;
}
}

function getRandomID()
{ // Create a random survey ID - based on code from Ken Lyle
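Review bot: FlattenText now carries the whole fix for this commit, yet nothing documents that its output is plain text only — strip_javascript() (defined outside this hunk) and strip_tags() remove markup but do not escape what remains, so a caller that drops the result into an HTML email body would still need htmlspecialchars(). A docblock above the function would pin that contract: `/** Collapse HTML to one line of plain text: strips script blocks and tags and drops CR/LF. The result is not HTML-escaped; re-escape it before use in an HTML context. */`. Separately, both the old and the new newline handling replace CR/LF with an empty string, so text on adjacent lines is glued together ("Question\ntext" becomes "Questiontext"); `$nicetext = trim(preg_replace('/[\r\n]+/', ' ', $nicetext));` keeps the word boundaries in the notification. The function's signature line sits in the @@ header, outside the hunk body.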
116 changes: 75 additions & 41 deletions index.php
Expand Up @@ -701,7 +701,7 @@
}

//Check to see if a refering URL has been captured.
getreferringurl();
GetReferringUrl();
// Let's do this only if
// - a saved answer record hasn't been loaded through the saved feature
// - the survey is not anonymous
Expand Down Expand Up @@ -1653,7 +1653,7 @@ function sendsubmitnotification($sendnotification)
if ($prevquestion!=$qaarray[0])
{
$prevquestion=$qaarray[0];
$questiontitle=strip_tags(html_entity_decode($prevquestion, ENT_QUOTES, $emailcharset));
$questiontitle=FlattenText(html_entity_decode($prevquestion, ENT_QUOTES, $emailcharset));
$results .= "\n$questiontitle: ";
if ($qaarray[1]!='')
{
Expand All @@ -1662,7 +1662,7 @@ function sendsubmitnotification($sendnotification)
}
if ($qaarray[1]!='')
{
$answeroption=strip_tags(html_entity_decode($qaarray[1], ENT_QUOTES, $emailcharset));
$answeroption=FlattenText(html_entity_decode($qaarray[1], ENT_QUOTES, $emailcharset));
$results .= "[$answeroption]: ";
}
$details = arraySearchByKey($value, createFieldMap($surveyid),"fieldname", 1);
Expand All @@ -1673,14 +1673,14 @@ function sendsubmitnotification($sendnotification)
{
foreach (explode("\n",getextendedanswer($value,$_SESSION[$value])) as $line)
{
$results .= "\t" . strip_tags(html_entity_decode($line, ENT_QUOTES, $emailcharset));
$results .= "\t" . FlattenText(html_entity_decode($line, ENT_QUOTES, $emailcharset));
$results .= "\n";
}
}
}
elseif (isset($_SESSION[$value]))
{
$results .= strip_tags(html_entity_decode(getextendedanswer($value, $_SESSION[$value]),ENT_QUOTES, $emailcharset));
$results .= FlattenText(html_entity_decode(getextendedanswer($value, $_SESSION[$value]),ENT_QUOTES, $emailcharset));
$results .= "\n";
}
}
Expand Down Expand Up @@ -1720,7 +1720,7 @@ function sendsubmitnotification($sendnotification)
if(!SendEmailMessage($ertmessage, $ertsubject, $ert, $from, $sitename, false, getBounceEmail($surveyid)))
{
if ($debug>0) {echo '<br />Email could not be sent to EmailReponseTo field. Reason: '.$maildebug.'<br />';}
}
}
}
}
}
Expand Down Expand Up @@ -2962,43 +2962,77 @@ function check_quota($checkaction,$surveyid)

}


function encodeEmail($mail, $text="", $class="", $params=array())
{
$encmail ="";
for($i=0; $i<strlen($mail); $i++)
{
$encMod = rand(0,2);
switch ($encMod) {
case 0: // None
$encmail .= substr($mail,$i,1);
break;
case 1: // Decimal
$encmail .= "&#".ord(substr($mail,$i,1)).';';
break;
case 2: // Hexadecimal
$encmail .= "&#x".dechex(ord(substr($mail,$i,1))).';';
break;
}
/**
* put your comment there...
*
* @param mixed $mail
* @param mixed $text
* @param mixed $class
* @param mixed $params
*/
function encodeEmail($mail, $text="", $class="", $params=array())
{
$encmail ="";
for($i=0; $i<strlen($mail); $i++)
{
$encMod = rand(0,2);
switch ($encMod) {
case 0: // None
$encmail .= substr($mail,$i,1);
break;
case 1: // Decimal
$encmail .= "&#".ord(substr($mail,$i,1)).';';
break;
case 2: // Hexadecimal
$encmail .= "&#x".dechex(ord(substr($mail,$i,1))).';';
break;
}
}

if(!$text)
{
$text = $encmail;
}
/* $encmail = "&#109;&#97;&#105;&#108;&#116;&#111;&#58;".$encmail;
$querystring = "";
foreach($params as $key=>$val)
{
if($querystring){
$querystring .= "&$key=".rawurlencode($val);
} else {
$querystring = "?$key=".rawurlencode($val);
}
}
return "<a class='$class' href='$encmail$querystring'>$text</a>"; */
return $text;
if(!$text)
{
$text = $encmail;
}
return $text;
}



?>
/**
* GetReferringUrl() returns the reffering URL
*/
function GetReferringUrl()
{
global $clang,$stripQueryFromRefurl;
if (isset($_SESSION['refurl']))
{
return; // do not overwrite refurl
}

// refurl is not set in session, read it from server variable
if(isset($_SERVER["HTTP_REFERER"]))
{
if(!preg_match('/'.$_SERVER["SERVER_NAME"].'/', $_SERVER["HTTP_REFERER"]))
{
if (!isset($stripQueryFromRefurl) || !$stripQueryFromRefurl)
{
$_SESSION['refurl'] = $_SERVER["HTTP_REFERER"];
}
else
{
$aRefurl = explode("?",$_SERVER["HTTP_REFERER"]);
$_SESSION['refurl'] = $aRefurl[0];
}
}
else
{
$_SESSION['refurl'] = '-';
}
}
else
{
$_SESSION['refurl'] = null;
}
}

// Closing PHP tag intentionally left out - yes, it is okay
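Review bot: GetReferringUrl() interpolates $_SERVER["SERVER_NAME"] straight into a PCRE pattern, so every dot in the host name matches any character and any other metacharacter would break or widen the "same host" test that decides whether the referrer is recorded. Quote it: `if(!preg_match('/'.preg_quote($_SERVER["SERVER_NAME"], '/').'/', $_SERVER["HTTP_REFERER"]))`. The function is a straight move from common.php, so the issue predates this commit, but as this is now the only copy it is the place to fix it. `global $clang` is declared but never read in the body, and the docblock says "reffering" for "referring". HTTP_REFERER is client-supplied and is stored in the session unescaped; whatever later renders $_SESSION['refurl'] (not visible here) should treat it as untrusted input.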
