Fixed issue #6916: HTML not properly saved when editing an assessment…

… rule
LimeSurvey · Nov 23, 2012 · 5a25a2a · 5a25a2a · Shnoulle · Nov 23, 2012
1 parent e850e3c
commit 5a25a2a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 6 deletions.
diff --git a/application/controllers/admin/assessments.php b/application/controllers/admin/assessments.php
@@ -197,11 +197,6 @@ private function _getAssessmentPostData($iSurveyID, $language)
         if (!isset($_POST['gid']))
             $_POST['gid'] = 0;
 
-        if (Yii::app()->getConfig('filterxsshtml')) {
-            $_POST['name_' . $language] = htmlspecialchars($_POST['name_' . $language]);
-            $_POST['assessmentmessage_' . $language] = htmlspecialchars($_POST['assessmentmessage_' . $language]);
-        }
-
         return array(
             'sid' => $iSurveyID,
             'scope' => sanitize_paranoid_string($_POST['scope']),

diff --git a/application/models/Assessment.php b/application/models/Assessment.php
@@ -29,6 +29,33 @@ public static function model($class = __CLASS__)
 		return parent::model($class);
 	}
 
+    public function rules()
+    {
+        return array(
+        array('name', 'xssfilter'),
+        array('message', 'xssfilter')
+        );
+    }
+
+    /**
+    * Defines the customs validation rule xssfilter
+    *
+    * @param mixed $attribute
+    * @param mixed $params
+    */
+    public function xssfilter($attribute,$params)
+    {
+        if(Yii::app()->getConfig('filterxsshtml') && Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1)
+        {
+            $filter = new CHtmlPurifier();
+            $filter->options = array('URI.AllowedSchemes'=>array(
+            'http' => true,
+            'https' => true,
+            ));
+            $this->$attribute = $filter->purify($this->$attribute);
+        }
+    }    
+
 	/**
 	 * Returns the setting's table name to be used by the model
 	 *

diff --git a/application/views/admin/assessments_view.php b/application/views/admin/assessments_view.php
@@ -70,7 +70,7 @@
 	        <select name='gid' id='gid'>
 	            <?php
 	            foreach ($groups as $groupId => $groupName) {
-	                echo '<option value="' . $groupId . '"'.($editId == $groupId ? ' selected' : '').'>' . $groupName . '</option>';
+	                echo '<option value="' . $groupId . '"'.(isset($editdata['gid']) && $editdata['gid']== $groupId ? ' selected' : '').'>' . $groupName . '</option>';
 	            }
 	            ?>
 	        </select>