Fixed issue #10018: XSS vulnerabilities in admin section

application/controllers/admin/participantsaction.php

@@ -383,9 +383,9 @@ function attributeControl()
     function getAttributeInfo_json()
     {
 
-        $page = Yii::app()->request->getPost('page');
-        $limit = Yii::app()->request->getPost('rows');
-        $limit = isset($limit) ? $limit : 50; //Stop division by zero errors
+        $page = (int)Yii::app()->request->getPost('page');
+        $limit = (int)Yii::app()->request->getPost('rows');
+        $limit = empty($limit) ? $limit : 50; //Stop division by zero errors
         $records = ParticipantAttributeName::model()->with('participant_attribute_names_lang')->findAll(array('order'=>'attribute_name'));
         $attribute_types = array(
             'DD' => gT("Drop-down list"),
@@ -1145,7 +1145,7 @@ function attributeMapCSV()
                         ."var cannotAcceptErrorTxt='".gT("This list cannot accept token attributes.")."';\n"
                         ."var separator = '".sanitize_paranoid_string($_POST['separatorused'])."';\n"
                         ."var thefilepath = '".$sRandomFileName."';\n"
-                        ."var filterblankemails = '".$filterblankemails."';\n";
+                        ."var filterblankemails = '".sanitize_paranoid_string($filterblankemails)."';\n";
         App()->getClientScript()->registerScript("sAttributeMapJS",$sAttributeMapJS,CClientScript::POS_BEGIN);
             $this->_renderWrappedTemplate('participants', 'attributeMapCSV', $aData);
         }

application/controllers/admin/tokens.php

@@ -354,11 +354,13 @@ function getTokens_json($iSurveyId, $search = null)
             eT("We are sorry but you don't have permissions to do this.");// return json ? error not treated in js.
             return;
         }
-        $page  = Yii::app()->request->getPost('page', 1);
+        $page  = (int)Yii::app()->request->getPost('page', 1);
+        $limit = (int)Yii::app()->request->getPost('rows', 25);
         $sidx = Yii::app()->request->getPost('sidx', 'lastname');
         $sord = Yii::app()->request->getPost('sord', 'asc');
-        $limit = Yii::app()->request->getPost('rows', 25);
-
+        if (strtolower($sord)!='desc') {
+            $sord='asc';
+        }
         $aData = new stdClass;
         $aData->page = $page;
 
@@ -372,7 +374,7 @@ function getTokens_json($iSurveyId, $search = null)
             $condition = new CDbCriteria();
         }
 
-        $condition->order = $sidx. " ". $sord;
+        $condition->order = Yii::app()->db->quoteColumnName($sidx). " ". $sord;
         $condition->offset = ($page - 1) * $limit;
         $condition->limit = $limit;
 		$tokens = Token::model($iSurveyId)->findAll($condition);

application/models/Participant.php

@@ -281,6 +281,7 @@ function getParticipantsCount($attid, $search = null, $userid = null) {
 
     private function getParticipantsSelectCommand($count = false, $attid, $search = null, $userid = null, $page = null, $limit = null, $order = null)
     {
+        debugbreak();
         $selectValue = array();
         $joinValue = array();
 
@@ -856,11 +857,21 @@ function getParticipantsSearchMultipleCondition($condition)
             elseif (is_numeric($sFieldname)) //Searching for an attribute
             {
                 $command->addCondition('attribute'. $sFieldname . '.value ' . $operator . ' '.$param, $booloperator);
-//                $command->addCondition('(attribute_id='. $sFieldname . ' AND value ' . $operator . ' '.$param.' )', $booloperator);
             }
             else
             {
-                $command->addCondition($sFieldname . ' '.$operator.' '.$param, $booloperator);
+                // Check if fieldname exists to prevent SQL injection
+                $aSafeFieldNames=array('firstname',
+                                  'lastname',
+                                  'email',
+                                  'blacklisted',
+                                  'surveys',
+                                  'survey',
+                                  'language',
+                                  'owner_uid',
+                                  'owner_name');
+                if (!in_array($sFieldname,$aSafeFieldNames)) continue; // Skip invalid fieldname
+                $command->addCondition(Yii::app()->db->quoteColumnName($sFieldname) . ' '.$operator.' '.$param, $booloperator);
             }
 
             $i++;

application/views/admin/participants/importCSV_view.php

@@ -16,12 +16,9 @@
             <select name="characterset">
                 <option value="auto" selected="selected">Automatic</option>
                 <?php
-                $encodingsarray =aEncodingsArray();
-                $encodingsarray_keys = array_keys($encodingsarray);
-                $i = 0;
-                foreach ($encodingsarray as $encoding):
+                foreach (aEncodingsArray() as $key=>$encoding):
                     ?>
-                    <option value="<?php echo ($encodingsarray_keys[$i++]); ?>"><?php echo $encoding; ?></option>
+                    <option value="<?php echo $key;?>"><?php echo $encoding; ?></option>
                     <?php
                 endforeach;
                 ?>
@@ -39,11 +36,9 @@
             <select name="separatorused">
                 <option value="auto" selected="selected"><?php eT("(Autodetect)"); ?></option>
                 <?php
-                $separatorused_keys = array_keys($separatorused);
-                $i = 0;
-                foreach ($separatorused as $separator):
+                foreach ($separatorused as $key=>$separator):
                     ?>
-                    <option value="<?php echo ($separatorused_keys[$i++]); ?>"><?php echo $separator; ?></option>
+                    <option value="<?php echo $key;?>"><?php echo $separator; ?></option>
                     <?php
                 endforeach;
                 ?>