Fixed issue #09300: XSS protection or variable substitution breaks li…

…nks with variable substitutions Dev: adding some manual : http://manual.limesurvey.org/Expression_Manager#XSS_security Dev: some EM method still can not be used
LimeSurvey · Oct 15, 2014 · 73b4a00 · 73b4a00
1 parent 1e883c5
commit 73b4a00
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/application/core/LSYii_Validators.php b/application/core/LSYii_Validators.php
@@ -119,22 +119,29 @@ public function xssFilter($value)
                 )
         );
         // To allow script BUT purify : HTML.Trusted=true (plugin idea for admin or without XSS filtering ?)
+
+        /** Start to get complete filtered value with  url decode {QCODE} (bug #09300). This allow only question number in url, seems OK with XSS protection **/
+        $sFiltered=preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#','{$1}',$filter->purify($value));
         Yii::import('application.helpers.expressions.em_core_helper');// Already imported in em_manager_helper.php ?
         $oExpressionManager= new ExpressionManager;
+        /**  We get 2 array : one filtered, other unfiltered **/
         $aValues=$oExpressionManager->asSplitStringOnExpressions($value);// Return array of array : 0=>the string,1=>string length,2=>string type (STRING or EXPRESSION)
+        $aFilteredValues=$oExpressionManager->asSplitStringOnExpressions($sFiltered);// Same but for the filtered string
+        $bCountIsOk=count($aValues)==count($aFilteredValues);
+        /** Construction of new string with unfiltered EM and filtered HTML **/
         $sNewValue="";
-        foreach($aValues as $aValue){
+        foreach($aValues as $key=>$aValue){
             if($aValue[2]=="STRING")
-                $sNewValue.=$filter->purify($aValue[0]);
+                $sNewValue.=$bCountIsOk ? $aFilteredValues[$key][0]:$filter->purify($aValue[0]);// If EM is broken : can throw invalid $key
             else
             {
                 $sExpression=trim($aValue[0], '{}');
                 $sNewValue.="{";
-                $aParsedExpressions=$oExpressionManager->Tokenize($sExpression,true);// Return array of array : 0=>the string,1=>string length,2=>string type 
+                $aParsedExpressions=$oExpressionManager->Tokenize($sExpression,true);
                 foreach($aParsedExpressions as $aParsedExpression)
                 {
                     if($aParsedExpression[2]=='DQ_STRING')
-                        $sNewValue.="\"".$filter->purify($aParsedExpression[0])."\"";
+                        $sNewValue.="\"".$filter->purify($aParsedExpression[0])."\""; // This disallow complex HTML construction with XSS
                     elseif($aParsedExpression[2]=='SQ_STRING')
                         $sNewValue.="'".$filter->purify($aParsedExpression[0])."'";
                     else