Fixed issue #11922: XSS vulnerability in administration

LimeSurvey · Nov 18, 2016 · 871eb76 · 871eb76
1 parent 5cf6f32
commit 871eb76
Show file tree

Hide file tree

Showing 8 changed files with 10 additions and 10 deletions.
diff --git a/application/helpers/expressions/em_manager_helper.php b/application/helpers/expressions/em_manager_helper.php
@@ -9277,7 +9277,7 @@ static public function ShowSurveyLogicFile($sid, $gid=NULL, $qid=NULL,$LEMdebugL
                     }
                     $groupRow = "<tr class='LEMgroup'>"
                     . "<td class='$errClass'>G-$gseq</td>"
-                    . "<td><b>".$ginfo['group_name']."</b><br />[<a target='_blank' href='$editlink'>GID ".$gid."</a>]</td>"
+                    . "<td><b>".viewHelper::flatEllipsizeText($ginfo['group_name'])."</b><br />[<a target='_blank' href='$editlink'>GID ".$gid."</a>]</td>"
                     . "<td>".$sGroupRelevance."</td>"
                     . "<td>".$sGroupText."</td>"
                     . "</tr>\n";

diff --git a/application/views/admin/assessments_view.php b/application/views/admin/assessments_view.php
@@ -148,7 +148,7 @@
                         <select name='gid' id='gid' class="form-control">
                             <?php
                             foreach ($groups as $groupId => $groupName) {
-                                echo '<option value="' . $groupId . '"'.(isset($editdata['gid']) && $editdata['gid']== $groupId ? ' selected' : '').'>' . $groupName . '</option>';
+                                echo '<option value="' . $groupId . '"'.(isset($editdata['gid']) && $editdata['gid']== $groupId ? ' selected' : '').'>' . flattenText($groupName) . '</option>';
                             }
                             ?>
                         </select>

diff --git a/application/views/admin/export/statistics_subviews/_response_filter_choice.php b/application/views/admin/export/statistics_subviews/_response_filter_choice.php
@@ -11,7 +11,7 @@
 
                         <span class="groupTitle">
 
-                                <?php echo $aGroup['name']; ?>
+                                <?php echo flattenText($aGroup['name']); ?>
 
                             (<?php echo gT("Question group").$aGroup['gid']; ?>)
                         </span>

diff --git a/application/views/admin/quotas/viewquotasrowsub_view.php b/application/views/admin/quotas/viewquotasrowsub_view.php
@@ -1,7 +1,7 @@
 <tr class="evenrow">
     <td align="center">&nbsp;</td>
-    <td align="center"><?php echo @$question_answers[$quota_questions['code']]['Title'];?></td>
-    <td align="center"><?php echo @$question_answers[$quota_questions['code']]['Display'];?></td>
+    <td align="center"><?php echo $question_answers[$quota_questions['code']]['Title'];?></td>
+    <td align="center"><?php echo flattenText($question_answers[$quota_questions['code']]['Display']);?></td>
     <td align="center">&nbsp;</td>
     <td align="center">&nbsp;</td>
     <td style="padding: 3px;" align="center">

diff --git a/application/views/admin/saved/savedlist_view.php b/application/views/admin/saved/savedlist_view.php
@@ -1,7 +1,7 @@
 <div class='side-body <?php echo getSideBodyClass(true); ?>'>
     <h3>
         <span style='font-weight:bold;'><?php eT('Saved responses'); ?></span>
-        <?php echo $sSurveyName . ' ' . sprintf(gT('ID: %s'), $iSurveyId); ?>
+        <?php echo flattenText($sSurveyName) . ' ' . sprintf(gT('ID: %s'), $iSurveyId); ?>
     </h3>
 
         <div class="row">

diff --git a/application/views/admin/survey/Question/listquestions.php b/application/views/admin/survey/Question/listquestions.php
@@ -42,8 +42,8 @@
                                     <select name="group_name" class="form-control">
                                         <option value=""><?php eT('(Any group)');?></option>
                                         <?php foreach($model->AllGroups as $group): ?>
-                                            <option value="<?php echo $group->group_name;?>" <?php if( $group->group_name == $model->group_name){echo 'selected';} ?>>
-                                                <?php echo $group->group_name;?>
+                                            <option value="<?php echo $group->gid;?>" <?php if( $group->group_name == $model->group_name){echo 'selected';} ?>>
+                                                <?php echo flattenText($group->group_name);?>
                                             </option>
                                         <?php endforeach?>
                                     </select>

diff --git a/application/views/admin/survey/Question/massive_actions/_set_question_group_position.php b/application/views/admin/survey/Question/massive_actions/_set_question_group_position.php
@@ -16,7 +16,7 @@
             <select name="group_gid" class="form-control custom-data" id="gid">
                 <?php foreach($model->AllGroups as $group): ?>
                     <option value="<?php echo $group->gid;?>">
-                        <?php echo $group->group_name;?>
+                        <?php echo flattenText($group->group_name);?>
                     </option>
                 <?php endforeach?>
             </select>

diff --git a/application/views/admin/survey/activateSurvey_view.php b/application/views/admin/survey/activateSurvey_view.php
@@ -24,7 +24,7 @@
                             foreach ($failedgroupcheck as $fg)
                             { ?>
 
-                            <li> Group gid-<?php echo $fg[0]; ?> ("<a href='<?php echo Yii::app()->getController()->createUrl('admin/questiongroups/sa/view/surveyid/'.$surveyid.'/gid/'.$fg[0]); ?>'><?php echo $fg[1]; ?></a>")<?php echo $fg[2]; ?></li>
+                            <li> Group gid-<?php echo $fg[0]; ?> ("<a href='<?php echo Yii::app()->getController()->createUrl('admin/questiongroups/sa/view/surveyid/'.$surveyid.'/gid/'.$fg[0]); ?>'><?php echo flattenText($fg[1]); ?></a>")<?php echo $fg[2]; ?></li>
                             <?php }
                         } ?>
                     </ul>