From 83f74275a3dcf16be02b8fc2f0603b2cea959c25 Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Mon, 23 Nov 2020 09:39:43 +0100
Subject: [PATCH] Fixed issue [security] #16841: XSS vulnerability with registration
Dev: encryptSave NEED validation
Dev: reload value after save
Dev: only superadmin can add XSS now
---
 application/controllers/RegisterController.php | 5 ++---
 application/models/SurveyDynamic.php | 4 ++--
 application/views/admin/responses/listResponses_view.php | 5 +----
 3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/application/controllers/RegisterController.php b/application/controllers/RegisterController.php
index 518f60f7528..23ec072885c 100644
--- a/application/controllers/RegisterController.php
+++ b/application/controllers/RegisterController.php
@@ -294,8 +294,7 @@ public function sendRegistrationEmail($iSurveyId, $iTokenId)
 $aMessage['mail-thanks'] = gT("Thank you for registering to participate in this survey.");
 if($mailerSent) {
 $today = dateShift(date("Y-m-d H:i:s"), "Y-m-d H:i", Yii::app()->getConfig('timeadjust'));
- $oToken->sent = $today;
- $oToken->encryptSave();
+ Token::model($iSurveyId)->updateByPk($iTokenId, array('sent' => $today));
 $aMessage['mail-message'] = $this->sMailMessage;
 } else {
 $aMessage['mail-message-error'] = gT("You are registered but an error happened when trying to send the email - please contact the survey administrator.");
@@ -354,7 +353,7 @@ public function getTokenId($iSurveyId)
 $oToken->validuntil = $aSurveyInfo['expires'];
 }
 $oToken->generateToken();
- $oToken->encryptSave();
+ $oToken->encryptSave(true);
 $this->sMailMessage = gT("An email has been sent to the address you provided with access details for this survey. Please follow the link in that email to proceed.");
 return $oToken->tid;
 }
diff --git a/application/models/SurveyDynamic.php b/application/models/SurveyDynamic.php
index 55ece300392..fd00ce92dd8 100644
--- a/application/models/SurveyDynamic.php
+++ b/application/models/SurveyDynamic.php
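Review bot: The result of `Token::model($iSurveyId)->updateByPk($iTokenId, array('sent' => $today))` in sendRegistrationEmail is discarded, so if no row is updated (the token row gone or the id wrong) the code still falls through to the success text in `$aMessage['mail-message']`; a guard such as `if (Token::model($iSurveyId)->updateByPk($iTokenId, array('sent' => $today)) < 1) { /* log or surface the failure */ }` would make that visible. The reason for switching from `encryptSave()` to a keyed update is not stated in the code and is the security-relevant part of the change; a comment would keep someone from reverting it: `// Only write 'sent': the in-memory $oToken was never validated in this method, so re-saving it whole would persist unchecked participant data.` As with any Yii `updateByPk`, model `beforeSave` and attribute-encryption hooks are bypassed, which is safe only while `sent` is not an encrypted attribute — worth confirming against the Token model. sendRegistrationEmail starts and ends outside this hunk.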
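Review bot: `$oToken->encryptSave(true)` in getTokenId now validates the registration input, but its return value is ignored: if validation rejects the submitted participant data the token is presumably not persisted, yet the method still sets the success text in `$this->sMailMessage` and returns `$oToken->tid`, which would then be unset, to the caller. Check the result before declaring success, e.g. `if (!$oToken->encryptSave(true)) { /* surface $oToken->getErrors() via the register flow's error path and return early */ }`; the error path used by the surrounding register flow is outside this hunk, so the exact handling is for the author to pick. A one-line comment on the changed call would also record the intent: `// Validate before saving: registration input must pass the Token rules (fix for #16841).` getTokenId's body begins outside the hunk.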
@@ -604,9 +604,9 @@ public function getLastNameForGrid() public function getTokenForGrid() { if (is_object($this->tokens) && !is_null($this->tokens->tid)) { - $sToken = "'true'))."' data-toggle='tooltip' title='".gT("Edit this survey participant")."'>".strip_tags($this->token)."   "; + $sToken = "'true'))."' data-toggle='tooltip' title='".gT("Edit this survey participant")."'>".CHtml::encode($this->token)."   "; } else { - $sToken = ''.strip_tags($this->token).''; + $sToken = ''.CHtml::encode($this->token).''; } return $sToken; diff --git a/application/views/admin/responses/listResponses_view.php b/application/views/admin/responses/listResponses_view.php index 0378d1598b6..17f228965c5 100755 --- a/application/views/admin/responses/listResponses_view.php +++ b/application/views/admin/responses/listResponses_view.php @@ -128,10 +128,9 @@ if (!isset($filteredColumns) || in_array('token', $filteredColumns)) { $aColumns[] = array( 'header' => 'token', - 'name' => 'token', 'type' => 'raw', + 'name' => 'token', 'value' => '$data->tokenForGrid', - ); } $filterableColumns['token'] = 'token'; @@ -141,7 +140,6 @@ 'header' => gT("First name"), 'name' => 'tokens.firstname', 'id' => 'firstname', - 'type' => 'raw', 'value' => '$data->firstNameForGrid', 'filter' => TbHtml::textField( 'SurveyDynamic[firstname_filter]', @@ -154,7 +152,6 @@ $aColumns[] = array( 'header' => gT("Last name"), 'name' => 'tokens.lastname', - 'type' => 'raw', 'id' => 'lastname', 'value' => '$data->lastNameForGrid', 'filter' => TbHtml::textField(
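Review bot: `CHtml::encode($this->token)` is the right escaping for the element content in both branches of getTokenForGrid, but the contract that makes it necessary — the method returns markup that the responses grid renders with `'type' => 'raw'`, so every dynamic value must be encoded here rather than by CGridView — is not written down. Add above the method: `/** Token cell for the responses grid. CGridView renders this column raw (unescaped), so every dynamic value interpolated here must be HTML-encoded. */`. The other interpolated pieces are unchanged by this commit: the tooltip text `gT("Edit this survey participant")` sits in a single-quoted `title='...'` attribute, so a translation containing `'` would still break out of the attribute — wrapping it as `CHtml::encode(gT("Edit this survey participant"))` closes that, and the ids built into the `href` (not legible in this extract) should be confirmed numeric before they reach the URL.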
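Review bot: Dropping `'type' => 'raw'` from the first-name column means CGridView now HTML-encodes whatever `$data->firstNameForGrid` returns (the default column type is `text`), which is the right default for participant-supplied data; it does require that `firstNameForGrid`, which is outside this diff, return plain text only, otherwise any markup it still emits will render literally as `&lt;...&gt;`. The `token` column above deliberately keeps `'type' => 'raw'` because `tokenForGrid` builds a link and does its own encoding, and nothing in the view says so; a trailing comment would stop someone re-adding `raw` to the name columns for symmetry: `'type' => 'raw', // tokenForGrid returns markup and encodes the token itself; never use raw for plain participant fields`. The same change is made to the last-name column in the following hunk and the same caveat applies to `lastNameForGrid`.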