Fixed issue #9683: XSS vulnerabilities
c-schmitz committed Jun 15, 2015
1 parent 7a24413 commit 7ece73b
Showing 4 changed files with 21 additions and 17 deletions.
4 changes: 2 additions & 2 deletions application/controllers/admin/responses.php
Expand Up @@ -756,8 +756,8 @@ public function getResponses_json($iSurveyID)
{
if (isset($aFilesInfo[$iFileIndex]))
{
$aSurveyEntry[] = $aFilesInfo[$iFileIndex]['title'];
$aSurveyEntry[] = $aFilesInfo[$iFileIndex]['comment'];
$aSurveyEntry[] = htmlspecialchars($aFilesInfo[$iFileIndex]['title'],ENT_QUOTES, 'UTF-8');
$aSurveyEntry[] = htmlspecialchars($aFilesInfo[$iFileIndex]['comment'],ENT_QUOTES, 'UTF-8');
$aSurveyEntry[] = CHtml::link(rawurldecode($aFilesInfo[$iFileIndex]['name']), $this->getController()->createUrl("/admin/responses",array("sa"=>"actionDownloadfile","surveyid"=>$surveyid,"iResponseId"=>$row['id'],"sFileName"=>$aFilesInfo[$iFileIndex]['name'])) );
$aSurveyEntry[] = sprintf('%s Mb',round($aFilesInfo[$iFileIndex]['size']/1000,2));
}
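Review bot: The file-name label handed to CHtml::link on the line directly after the two newly escaped entries is still emitted raw: in Yii 1.x CHtml::link() does not HTML-encode its first argument, so the rawurldecode()d name reaches the page unescaped while title and comment from the same $aFilesInfo entry now go through htmlspecialchars. If the name is upload metadata like the title (it is read from the same array element), it needs the same treatment, e.g. `$aSurveyEntry[] = CHtml::link(CHtml::encode(rawurldecode($aFilesInfo[$iFileIndex]['name'])), $this->getController()->createUrl("/admin/responses", array(...)));`. The sFileName parameter on that line goes through createUrl(), which should URL-encode it, so only the visible label appears to be affected. getResponses_json() starts and ends outside this hunk.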
6 changes: 5 additions & 1 deletion application/core/LSYii_Validators.php
Expand Up @@ -42,7 +42,7 @@ class LSYii_Validators extends CValidator {

public function __construct()
{
if(Yii::app()->getConfig('DBVersion')< 172) // Permssion::model exist only after 172 DB version
if(Yii::app()->getConfig('DBVersion')< 172) // Permission::model exist only after 172 DB version
return $this->xssfilter=($this->xssfilter && Yii::app()->getConfig('filterxsshtml'));
$this->xssfilter=($this->xssfilter && Yii::app()->getConfig('filterxsshtml') && !Permission::model()->hasGlobalPermission('superadmin','read'));
}
Expand All @@ -52,6 +52,10 @@ protected function validateAttribute($object,$attribute)
if($this->xssfilter)
{
$object->$attribute=$this->xssFilter($object->$attribute);
if($this->isUrl)
{
$object->$attribute=str_replace('javascript:','',html_entity_decode($object->$attribute, ENT_QUOTES, "UTF-8"));
}
}
if($this->isUrl)
{
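Review bot: The javascript: stripping added to validateAttribute() is a single, case-sensitive str_replace on the entity-decoded value, so it only removes that exact lowercase token and a removal-based blocklist is the wrong shape for a URL field in any case. The robust form is an allowlist of permitted schemes (http, https, mailto, and whatever else survey URLs must accept, which this hunk does not show); at minimum the check should be case-insensitive and reject rather than strip, e.g. `$sDecoded = html_entity_decode($object->$attribute, ENT_QUOTES, "UTF-8");` followed by `if ($this->isUrl && preg_match('/^\s*javascript\s*:/i', $sDecoded)) { $object->$attribute = ''; }`. Note that the new code also writes the html_entity_decode()d string back unconditionally, so a legitimate URL containing entities is stored in decoded form even when nothing was removed. The new block sits inside `if($this->xssfilter)`, and the constructor hunk above disables xssfilter for superadmins, so the javascript: check is skipped for them as well; confirm that is intended, since the separate `if($this->isUrl)` branch that follows runs for everyone. validateAttribute() continues past the end of the hunk.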
24 changes: 12 additions & 12 deletions application/helpers/frontend_helper.php
Expand Up @@ -888,10 +888,10 @@ function buildsurveysession($surveyid,$preview=false)
&& isset($_GET['loadname']) && isset($_GET['loadpass']))
{
echo "
<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
<input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
}

echo "
Expand Down Expand Up @@ -972,10 +972,10 @@ function buildsurveysession($surveyid,$preview=false)
&& isset($_GET['loadname']) && isset($_GET['loadpass']))
{
echo "
<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
<input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
}
echo "</li>";

Expand Down Expand Up @@ -1114,10 +1114,10 @@ function buildsurveysession($surveyid,$preview=false)
if (isset($_GET['loadall']) && isset($_GET['scid'])
&& isset($_GET['loadname']) && isset($_GET['loadpass']))
{
echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
<input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
}

echo '<label for="token">'.gT("Token")."</label><input class='text' type='password' id='token' name='token'></li>";
Expand All @@ -1133,10 +1133,10 @@ function buildsurveysession($surveyid,$preview=false)
if (isset($_GET['loadall']) && isset($_GET['scid'])
&& isset($_GET['loadname']) && isset($_GET['loadpass']))
{
echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'])."' id='loadall' />
echo "<input type='hidden' name='loadall' value='".htmlspecialchars($_GET['loadall'],ENT_QUOTES, 'UTF-8')."' id='loadall' />
<input type='hidden' name='scid' value='".returnGlobal('scid',true)."' id='scid' />
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'])."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'])."' id='loadpass' />";
<input type='hidden' name='loadname' value='".htmlspecialchars($_GET['loadname'],ENT_QUOTES, 'UTF-8')."' id='loadname' />
<input type='hidden' name='loadpass' value='".htmlspecialchars($_GET['loadpass'],ENT_QUOTES, 'UTF-8')."' id='loadpass' />";
}
echo '<label for="token">'.gT("Token:")."</label><span id='token'>$gettoken</span>"
."<input type='hidden' name='token' value='$gettoken'></li>";
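Review bot: In each of the four hunks the `scid` hidden field between the newly escaped loadall/loadname/loadpass fields is still written as `returnGlobal('scid',true)` with no HTML escaping, so the attribute injection the commit closes for its neighbours stays open there unless returnGlobal() already casts or escapes the value, which this diff does not show. The consistent line is `<input type='hidden' name='scid' value='".htmlspecialchars(returnGlobal('scid',true),ENT_QUOTES, 'UTF-8')."' id='scid' />`, applied in the blocks at 888, 972, 1114 and 1133 alike. The `$gettoken` interpolation on the context lines closing the last hunk has the same unescaped shape and is worth a look by whoever owns that path. buildsurveysession() starts and ends outside these hunks.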
4 changes: 2 additions & 2 deletions application/views/admin/usergroup/editUserGroup_view.php
Expand Up @@ -2,9 +2,9 @@
<?php echo CHtml::form(array("admin/usergroups/sa/edit/ugid/{$ugid}"), 'post', array('class'=>'form30', 'id'=>'usergroupform', 'name'=>'usergroupform')); ?>
<ul>
<li><label for='name'><?php eT("Name:"); ?></label>
<input type='text' size='50' maxlength='20' id='name' name='name' value="<?php echo $esrow['name']; ?>" /></li>
<input type='text' size='50' maxlength='20' id='name' name='name' value="<?php echo htmlspecialchars($esrow['name'],ENT_QUOTES, 'UTF-8'); ?>" /></li>
<li><label for='description'><?php eT("Description:"); ?></label>
<textarea cols='50' rows='4' id='description' name='description'><?php echo $esrow['description']; ?></textarea></li>
<textarea cols='50' rows='4' id='description' name='description'><?php echo htmlspecialchars($esrow['description'],ENT_QUOTES, 'UTF-8'); ?></textarea></li>
<ul><p><input type='submit' value='<?php eT("Update user group"); ?>' />
<input type='hidden' name='action' value='editusergroupindb' />
<input type='hidden' name='owner_id' value='<?php echo Yii::app()->session['loginID']; ?>' />
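Review bot: The two new escapes in this view spell out `htmlspecialchars(...,ENT_QUOTES, 'UTF-8')` inline although the template already builds its form through CHtml; `CHtml::encode($esrow['name'])` and `CHtml::encode($esrow['description'])` perform the same ENT_QUOTES escaping with the application charset and read as the framework-native form. The `owner_id` hidden input a few lines further down still echoes `Yii::app()->session['loginID']` unescaped inside a single-quoted attribute; that value is presumably an integer set at login rather than user input, but wrapping it in CHtml::encode as well costs nothing and leaves the view uniformly escaped.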
