
Fixed issue #10435: Broken HTML or script can broke Survey Logic File
Shnoulle committed Mar 13, 2016
1 parent 888bf50 commit 7435568
Showing 1 changed file with 89 additions and 58 deletions.
147 changes: 89 additions & 58 deletions application/helpers/expressions/em_manager_helper.php
Expand Up @@ -9091,7 +9091,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
);
}

$surveyname = templatereplace('{SURVEYNAME}',array('SURVEYNAME'=>$aSurveyInfo['surveyls_title']));
$surveyname = viewHelper::purified(templatereplace('{SURVEYNAME}',array('SURVEYNAME'=>$aSurveyInfo['surveyls_title'])));

$out = '<div id="showlogicfilediv" ><H3>' . $LEM->gT('Logic File for Survey # ') . '[' . $LEM->sid . "]: $surveyname</H3>\n";
$out .= "<table id='logicfiletable'>";
Expand All @@ -9101,28 +9101,28 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if ($aSurveyInfo['surveyls_description'] != '')
{
$LEM->ProcessString($aSurveyInfo['surveyls_description'],0);
$sPrint= $LEM->GetLastPrettyPrintExpression();
$sPrint= viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
$errClass = ($LEM->em->HasErrors() ? 'LEMerror' : '');
$out .= "<tr class='LEMgroup $errClass'><td colspan=2>" . $LEM->gT("Description:") . "</td><td colspan=2>" . $sPrint . "</td></tr>";
}
if ($aSurveyInfo['surveyls_welcometext'] != '')
{
$LEM->ProcessString($aSurveyInfo['surveyls_welcometext'],0);
$sPrint= $LEM->GetLastPrettyPrintExpression();
$sPrint= viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
$errClass = ($LEM->em->HasErrors() ? 'LEMerror' : '');
$out .= "<tr class='LEMgroup $errClass'><td colspan=2>" . $LEM->gT("Welcome:") . "</td><td colspan=2>" . $sPrint . "</td></tr>";
}
if ($aSurveyInfo['surveyls_endtext'] != '')
{
$LEM->ProcessString($aSurveyInfo['surveyls_endtext']);
$sPrint= $LEM->GetLastPrettyPrintExpression();
$sPrint= viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
$errClass = ($LEM->em->HasErrors() ? 'LEMerror' : '');
$out .= "<tr class='LEMgroup $errClass'><td colspan=2>" . $LEM->gT("End message:") . "</td><td colspan=2>" . $sPrint . "</td></tr>";
}
if ($aSurveyInfo['surveyls_url'] != '')
{
$LEM->ProcessString($aSurveyInfo['surveyls_urldescription']." - ".$aSurveyInfo['surveyls_url']);
$sPrint= $LEM->GetLastPrettyPrintExpression();
$sPrint= viewHelper::purified($LEM->GetLastPrettyPrintExpression());
$errClass = ($LEM->em->HasErrors() ? 'LEMerror' : '');
$out .= "<tr class='LEMgroup $errClass'><td colspan=2>" . $LEM->gT("End URL:") . "</td><td colspan=2>" . $sPrint . "</td></tr>";
}
Expand All @@ -9143,26 +9143,31 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
// SHOW GROUP-LEVEL INFO
//////
if ($gseq != $_gseq) {
$bGroupHaveError=false;
$errClass='';
$LEM->ParseResultCache=array(); // reset for each group so get proper color coding?
$_gseq = $gseq;
$ginfo = $LEM->gseq2info[$gseq];

$grelevance = '{' . (($ginfo['grelevance']=='') ? 1 : $ginfo['grelevance']) . '}';
$gtext = ((trim($ginfo['description']) == '') ? '&nbsp;' : $ginfo['description']);

$sGroupRelevance= '{'.($ginfo['grelevance']=='' ? 1 : $ginfo['grelevance']).'}';
$LEM->ProcessString($sGroupRelevance, $qid,NULL,false,1,1,false,false);
$bGroupHaveError=$bGroupHaveError || $LEM->em->HasErrors();
$sGroupRelevance= viewHelper::stripTagsEM($LEM->GetLastPrettyPrintExpression());
$sGroupText = ((trim($ginfo['description']) == '') ? '&nbsp;' : $ginfo['description']);
$LEM->ProcessString($sGroupText, $qid,NULL,false,1,1,false,false);
$bGroupHaveError=$bGroupHaveError || $LEM->em->HasErrors();
$sGroupText= viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
$editlink = Yii::app()->getController()->createUrl('admin/survey/sa/view/surveyid/' . $LEM->sid . '/gid/' . $gid);
if($bGroupHaveError)
{
$errClass='LEMerror';
}
$groupRow = "<tr class='LEMgroup'>"
. "<td>G-$gseq</td>"
. "<td class='$errClass'>G-$gseq</td>"
. "<td><b>".$ginfo['group_name']."</b><br />[<a target='_blank' href='$editlink'>GID ".$gid."</a>]</td>"
. "<td>".$grelevance."</td>"
. "<td>".$gtext."</td>"
. "<td>".$sGroupRelevance."</td>"
. "<td>".$sGroupText."</td>"
. "</tr>\n";

$LEM->ProcessString($groupRow, $qid,NULL,false,1,1,false,false);
$out .= $LEM->GetLastPrettyPrintExpression();
if ($LEM->em->HasErrors()) {
++$errorCount;
}
$out .= $groupRow;
}

//////
Expand All @@ -9176,20 +9181,38 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if (count($sgqas) == 1 && !is_null($q['info']['default']))
{
$LEM->ProcessString($q['info']['default'], $qid,NULL,false,1,1,false,false);// Default value is Y or answer code or go to input/textarea, then we can filter it
$_default = $LEM->GetLastPrettyPrintExpression();
if ($LEM->em->HasErrors()) {
$_default = viewHelper::stripTagsEM($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors())
{
++$errorCount;
}
$default = '<br />(' . $LEM->gT('Default:') . ' ' . viewHelper::filterScript($_default) . ')';
$default = '<br />(' . $LEM->gT('Default:') . ' ' . $_default . ')';
}
else
{
$default = '';
}

$qtext = (($q['info']['qtext'] != '') ? $q['info']['qtext'] : '&nbsp');
$help = (($q['info']['help'] != '') ? '<hr/>[' . $LEM->gT("Help:") . ' ' . $q['info']['help'] . ']': '');
$prettyValidTip = (($q['prettyValidTip'] == '') ? '' : '<hr/>(' . $LEM->gT("Tip:") . ' ' . $q['prettyValidTip'] . ')');
$sQuestionText = (($q['info']['qtext'] != '') ? $q['info']['qtext'] : '&nbsp');
$LEM->ProcessString($sQuestionText, $qid,NULL,false,1,1,false,false);
$sQuestionText = viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
if ($LEM->em->HasErrors())
{
++$errorCount;
}
$sQuestionHelp="";
if(trim($q['info']['help'])!="")
{
$sQuestionHelp=$q['info']['help'];
$LEM->ProcessString($sQuestionHelp, $qid,NULL,false,1,1,false,false);
$sQuestionHelp = viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
if ($LEM->em->HasErrors())
{
++$errorCount;
}
$sQuestionHelp = '<hr/>[' . $LEM->gT("Help:") . ' ' . $sQuestionHelp . ']';
}
$prettyValidTip = (($q['prettyValidTip'] == '') ? '' : '<hr/>(' . $LEM->gT("Tip:") . ' ' . viewHelper::stripTagsEM($q['prettyValidTip']) . ')');// Unsure need to filter

//////
// SHOW QUESTION ATTRIBUTES THAT ARE PROCESSED BY EM
Expand All @@ -9205,7 +9228,8 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
{
$attrs['other'] = $LEM->questionSeq2relevance[$qseq]['other'];
}
if (count($attrs) > 0) {
if (count($attrs) > 0)
{
$attrTable = "<table id='logicfileattributetable'><tr><th>" . $LEM->gT("Question attribute") . "</th><th>" . $LEM->gT("Value"). "</th></tr>\n";
$count=0;
foreach ($attrs as $key=>$value) {
Expand Down Expand Up @@ -9256,6 +9280,12 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
case 'slider_max':
case 'slider_default':
$value = '{' . $value . '}';
$LEM->ProcessString($value, $qid,NULL,false,1,1,false,false);
$value = viewHelper::stripTagsEM($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors())
{
++$errorCount;
}
break;
case 'other_replace_text':
case 'show_totals':
Expand All @@ -9279,11 +9309,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
}
}

$LEM->ProcessString($qtext . $help . $prettyValidTip . $attrTable, $qid,NULL,false,1,1,false,false);
$qdetails = viewHelper::filterScript($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors()) {
++$errorCount;
}
$qdetails= $sQuestionText . $sQuestionHelp . $prettyValidTip . $attrTable;

//////
// SHOW RELEVANCE
Expand All @@ -9293,7 +9319,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if (!isset($LEM->ParseResultCache[$relevanceEqn]))
{
$result = $LEM->em->ProcessBooleanExpression($relevanceEqn, $gseq, $qseq);
$prettyPrint = $LEM->em->GetPrettyPrintString();
$prettyPrint = viewHelper::stripTagsEM($LEM->em->GetPrettyPrintString());
$hasErrors = $LEM->em->HasErrors();
$LEM->ParseResultCache[$relevanceEqn] = array(
'result' => $result,
Expand All @@ -9302,7 +9328,8 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
);
}
$relevance = $LEM->ParseResultCache[$relevanceEqn]['prettyprint'];
if ($LEM->ParseResultCache[$relevanceEqn]['hasErrors']) {
if ($LEM->ParseResultCache[$relevanceEqn]['hasErrors'])
{
++$errorCount;
}

Expand All @@ -9316,7 +9343,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if (!isset($LEM->ParseResultCache[$validationEqn]))
{
$result = $LEM->em->ProcessBooleanExpression($validationEqn, $gseq, $qseq);
$prettyPrint = $LEM->em->GetPrettyPrintString();
$prettyPrint = viewHelper::stripTagsEM($LEM->em->GetPrettyPrintString());
$hasErrors = $LEM->em->HasErrors();
$LEM->ParseResultCache[$validationEqn] = array(
'result' => $result,
Expand Down Expand Up @@ -9378,7 +9405,9 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
$sawThis = array(); // array of rowdivids already seen so only show them once
foreach ($sgqas as $sgqa)
{
if ($LEM->knownVars[$sgqa]['qcode'] == $rootVarName) {
$bSubQhasError=false;
if ($LEM->knownVars[$sgqa]['qcode'] == $rootVarName)
{
continue; // so don't show the main question as a sub-question too
}
$rowdivid=$sgqa;
Expand Down Expand Up @@ -9420,36 +9449,36 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if (isset($LEM->subQrelInfo[$qid][$rowdivid]))
{
$sq = $LEM->subQrelInfo[$qid][$rowdivid];
$subQeqn = $sq['prettyPrintEqn']; // {' . $sq['eqn'] . '}'; // $sq['prettyPrintEqn'];
$subQeqn = viewHelper::stripTagsEM($sq['prettyPrintEqn']); // {' . $sq['eqn'] . '}'; // $sq['prettyPrintEqn'];
if ($sq['hasErrors']) {
++$errorCount;
}
}

$sgqaInfo = $LEM->knownVars[$sgqa];
$subqText = $sgqaInfo['subqtext'];
$LEM->ProcessString($subqText, $qid,NULL,false,1,1,false,false);
$subqText = viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
if ($LEM->em->HasErrors()) {
++$errorCount;
}
if (isset($sgqaInfo['default']) && $sgqaInfo['default'] !== '')
{
$LEM->ProcessString(htmlspecialchars($sgqaInfo['default']), $qid,NULL,false,1,1,false,false);
$_default = viewHelper::filterScript($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors()) {
$LEM->ProcessString($sgqaInfo['default'], $qid,NULL,false,1,1,false,false);
$_default = viewHelper::stripTagsEM($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors())
{
++$errorCount;
}
$subQeqn .= '<br />(' . $LEM->gT('Default:') . ' ' . $_default . ')';
}

$sqRows .= "<tr class='LEMsubq'>"
. "<td>SQ-$i</td>"
. "<td><b>" . $varName . "</b></td>"
. "<td>$subQeqn</td>"
. "<td>" .$subqText . "</td>"
. "</tr>";
}
$LEM->ProcessString($sqRows, $qid,NULL,false,1,1,false,false);
$sqRows = viewHelper::filterScript($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors()) {
++$errorCount;
}

//////
// SHOW ANSWER OPTIONS FOR ENUMERATED LISTS, AND FOR MULTIFLEXI
Expand All @@ -9464,6 +9493,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
else {
$ansList = $LEM->qans[$qid];
}

foreach ($ansList as $ans=>$value)
{
$ansInfo = explode('~',$ans);
Expand All @@ -9484,37 +9514,39 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
if (isset($LEM->subQrelInfo[$qid][$rowdivid]))
{
$sq = $LEM->subQrelInfo[$qid][$rowdivid];
$subQeqn = ' ' . $sq['prettyPrintEqn'];
if ($sq['hasErrors']) {
$subQeqn = ' ' . viewHelper::stripTagsEM($sq['prettyPrintEqn']);
if ($sq['hasErrors'])
{
++$errorCount;
}
}

$sAnswerText=$valInfo[1];
$LEM->ProcessString($sAnswerText, $qid,NULL,false,1,1,false,false);
$sAnswerText = viewHelper::purified(viewHelper::filterScript($LEM->GetLastPrettyPrintExpression()));
if ($LEM->em->HasErrors()) {
++$errorCount;
}
$answerRows .= "<tr class='LEManswer'>"
. "<td>A[" . $ansInfo[0] . "]-" . $i++ . "</td>"
. "<td><b>" . $ansInfo[1]. "</b></td>"
. "<td>[VALUE: " . $valInfo[0] . "]".$subQeqn."</td>"
. "<td>" . $valInfo[1] . "</td>"
. "<td>" . $sAnswerText . "</td>"
. "</tr>\n";
}
$LEM->ProcessString($answerRows, $qid,NULL,false,1,1,false,false);
$answerRows = viewHelper::filterScript($LEM->GetLastPrettyPrintExpression());
if ($LEM->em->HasErrors()) {
++$errorCount;
}
}

//////
// FINALLY, SHOW THE QUESTION ROW(S), COLOR-CODING QUESTIONS THAT CONTAIN ERRORS
//////
$errclass = ($errorCount > 0) ? "class='LEMerror' title='" . sprintf($LEM->ngT("This question has at least %s error.|This question has at least %s errors.",$errorCount), $errorCount) . "'" : '';

$errclass = ($errorCount > 0) ? 'LEMerror': '';
$errText=($errorCount > 0) ? "<br><em class='error'>".sprintf($LEM->ngT("This question has at least %s error.|This question has at least %s errors.",$errorCount), $errorCount)."<em>" : "";
$questionRow = "<tr class='LEMquestion'>"
. "<td $errclass>Q-" . $q['info']['qseq'] . "</td>"
. "<td class='$errclass'>Q-" . $q['info']['qseq'] . "</td>"
. "<td><b>" . $mandatory;

if ($varNameErrorMsg == '')
{
$editlink = Yii::app()->getController()->createUrl('admin/survey/sa/view/surveyid/' . $sid . '/gid/' . $gid . '/qid/' . $qid);
$questionRow .= $rootVarName;
}
else
Expand All @@ -9524,8 +9556,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
. "onclick='window.open(\"$editlink\",\"_blank\")'>"
. $rootVarName . "</span>";
}
$editlink = Yii::app()->getController()->createUrl('admin/survey/sa/view/surveyid/' . $sid . '/gid/' . $gid . '/qid/' . $qid);
$questionRow .= "</b><br />[<a target='_blank' href='$editlink'>QID $qid</a>]<br/>$typedesc [$type]</td>"
$questionRow .= "</b><br />[<a target='_blank' href='$editlink'>QID $qid</a>]<br/>$typedesc [$type] $errText</td>"
. "<td>" . $relevance . $prettyValidEqn . $default . "</td>"
. "<td>" . $qdetails . "</td>"
. "</tr>\n";
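Review bot: The group name is still concatenated raw into the logic file on the `"<td><b>".$ginfo['group_name']."</b>` line of the group-row hunk, while the neighbouring description and text fields now go through `viewHelper::purified(viewHelper::filterScript(...))`, so a group name containing markup or a script tag lands in the page unfiltered; since this commit also drops the `ProcessString` pass over `$groupRow`, nothing downstream touches it either. The fix is to treat it like the other author-controlled text, e.g. `"<td><b>".viewHelper::purified($ginfo['group_name'])."</b>..."` (or `htmlspecialchars` if the name is meant to be plain text), and the same applies to `$ansInfo[1]` and `$valInfo[0]` in the answer-row hunk, which are also inserted without escaping. A separate markup defect in the final hunk: the new `$errText` string closes the element with `"<em>"` instead of `"</em>"`, leaving an unclosed `<em>` that swallows the rest of the row; change the tail to `...$errorCount)."</em>" : "";`. What `purified` and `stripTagsEM` actually remove is not visible here, so whether `stripTagsEM` on the defaults and relevance strings is enough for an HTML context should be confirmed against viewHelper. `ShowSurveyLogicFile` begins before the first hunk and continues past the last one.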
