Fixed issue #19163: [security] Reflected XSS in HtmlEditorPop - Bypas…

…sing XSS sanitization function (#3583)
LimeSurvey · Oct 31, 2023 · 4ef1693 · 4ef1693
1 parent 6fff694
commit 4ef1693
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/application/controllers/admin/HtmlEditorPop.php b/application/controllers/admin/HtmlEditorPop.php
@@ -35,7 +35,11 @@ public function index()
             $aData['sControlIdDis'] = $aData['sFieldName'] . '_popupctrldis';
             $aData['toolbarname'] = 'popup';
             $aData['htmlformatoption'] = '';
-            $aData['contentsLangDirection'] = sanitize_xss_string(App()->request->getQuery('contdir'));
+            $contentsLangDirection = App()->request->getQuery('contdir');
+            if (!in_array(strtolower((string) $contentsLangDirection), ['ltr', 'rtl'])) {
+                $contentsLangDirection = getLanguageRTL(Yii::app()->session['adminlang']) ? 'rtl' : 'ltr';
+            }
+            $aData['contentsLangDirection'] = $contentsLangDirection;
             if (in_array($aData['sFieldType'], array('email-invitation', 'email-registration', 'email-confirmation', 'email-reminder'))) {
                 $aData['htmlformatoption'] = ',fullPage:true';
             }