Fixed issue #16208: escape in Multiple choice with comments

Dev: Encode in renderClass Dev: don't fix the param for previous questiontheme compatibility Dev: CHtml::encode are htmlspecialchars($dispVal, ENT_QUOTES,Yii::app()->charset) Dev: then good replacer
LimeSurvey · May 6, 2020 · c66766f · c66766f
1 parent dabfe29
commit c66766f
Showing 1 changed file with 4 additions and 24 deletions.
diff --git a/...cation/core/QuestionTypes/MultipleChoiceWithComments/RenderMultipleChoiceWithComments.php b/...cation/core/QuestionTypes/MultipleChoiceWithComments/RenderMultipleChoiceWithComments.php
@@ -1,9 +1,6 @@
 <?php
-
-
-
 /**
- * RenderClass for Boilerplate Question
+ * RenderClass for MultipleChoiceWithComments Question
  *  * The ia Array contains the following
  *  0 => string qid
  *  1 => string sgqa
@@ -29,8 +26,6 @@ class RenderMultipleChoiceWithComments extends QuestionBaseRenderer
     private $sLabelWidth;
     private $sInputContainerWidth;
 
-
-
     public function __construct($aFieldArray, $bRenderDirect = false)
     {
         parent::__construct($aFieldArray, $bRenderDirect);
@@ -120,7 +115,7 @@ public function getRows()
                 'inputCommentId'       => 'answer'.$myfname2,
                 'commentLabelText'     => gT('Make a comment on your choice here:'),
                 'inputCommentName'     => $myfname2,
-                'inputCOmmentValue'    => (isset($mSessionValue2)) ? $mSessionValue2 : '',
+                'inputCOmmentValue'    => CHtml::encode($mSessionValue2),
                 'sInputContainerWidth' => $this->sInputContainerWidth,
                 'sLabelWidth'          => $this->sLabelWidth,
             );
@@ -152,22 +147,7 @@ public function getOtherRow(){
             if ($this->getQuestionAttribute('other_numbers_only') == 1) {
                 $dispVal = str_replace('.', $sSeparator, $dispVal);
             }
-            $sValue .= htmlspecialchars($dispVal, ENT_QUOTES);
-        }
-
-        // TODO : check if $sValueHidden === $sValue
-        $sValueHidden = '';
-        if (!empty($mSessionValue)) {
-            $dispVal = $mSessionValue;
-            if ($this->getQuestionAttribute('other_numbers_only') == 1) {
-                $dispVal = str_replace('.', $sSeparator, $dispVal);
-            }
-            $sValueHidden = htmlspecialchars($dispVal, ENT_QUOTES);
-        }
-
-        // TODO: $value is not defined for some execution paths.
-        if (!isset($value)) {
-            $sValue = '';
+            $sValue .= CHtml::encode($dispVal);
         }
 
         ////
@@ -186,7 +166,7 @@ public function getOtherRow(){
             'inputCommentId'       => 'answer'.$myfname2,
             'commentLabelText'     => gT('Make a comment on your choice here:'),
             'inputCommentName'     => $myfname2,
-            'inputCOmmentValue'    => $mSessionValue2,
+            'inputCOmmentValue'    => CHtml::encode($mSessionValue2),
             'checked'              => ($mSessionValue == 'Y' ? CHECKED : ''),
             'javainput'            => false,
             'javaname'             => '',