

Tested all question types. Fixed PHP and JavaScript errors in all exc…
…ept for FileUpload and Date (part way done with Date)

Modified ExpressionManager to properly use htmlspecialchars() where needed.

git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_ci@10851 b72ed6b6-b9f8-46b5-92b4-906544132732
TMSWhite committed Aug 25, 2011
1 parent 10948c4 commit d1a5be9
Showing 6 changed files with 66 additions and 52 deletions.
2 changes: 1 addition & 1 deletion application/helpers/common_helper.php
Expand Up @@ -2001,7 +2001,7 @@ function getextendedanswer($surveyid, $action, $fieldcode, $value, $format='')
{
$qidattributes = getQuestionAttributes($fields['qid']);
$dateformatdetails = aGetDateFormatDataForQid($qidattributes, $surveyid);
$value = DateTime::createFromFormat("Y-m-d H:i:s", $value)->format($dateformatdetails['phpdate']);
$value=convertDateTimeFormat($value,"Y-m-d H:i:s",$dateformatdetails['phpdate']);
}
break;
case "L":
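Review bot: convertDateTimeFormat() is now called with the stored $value unchecked, and nothing in the hunk shows what it does when $value is empty or not in "Y-m-d H:i:s" form; the DateTime::createFromFormat() chain it replaces would have failed with a method call on null in that case, so the helper presumably absorbs that, but it is worth confirming rather than assuming. A guard such as `if ($value != '') { $value = convertDateTimeFormat($value, "Y-m-d H:i:s", $dateformatdetails['phpdate']); }`, or a comment stating the helper's contract for unparseable input, would make the intent explicit. getextendedanswer() begins and ends outside the hunk.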
40 changes: 21 additions & 19 deletions application/helpers/expressions/em_core_helper.php
Expand Up @@ -1139,7 +1139,7 @@ public function GetJavaScriptEquivalentOfExpression()
{
case 'DQ_STRING':
case 'SQ_STRING':
$stringParts[] = "'" . addslashes($token[0]) . "'";
$stringParts[] = "'" . htmlspecialchars($token[0],ENT_QUOTES,'UTF-8') . "'";
break;
case 'SGQA':
case 'WORD':
Expand Down Expand Up @@ -1193,7 +1193,7 @@ public function GetJavaScriptEquivalentOfExpression()
}
else
{
$stringParts[] = is_numeric($varInfo['codeValue']) ? $varInfo['codeValue'] : ("'" . addslashes($varInfo['codeValue']) . "'");
$stringParts[] = is_numeric($varInfo['codeValue']) ? $varInfo['codeValue'] : ("'" . htmlspecialchars($varInfo['codeValue'],ENT_QUOTES,'UTF-8') . "'");
}
}
break;
Expand All @@ -1202,7 +1202,7 @@ public function GetJavaScriptEquivalentOfExpression()
$stringParts[] = $token[0];
break;
case 'NUMBER':
$stringParts[] = is_numeric($token[0]) ? $token[0] : ("'" . addslashes($token[0]) . "'");
$stringParts[] = is_numeric($token[0]) ? $token[0] : ("'" . $token[0] . "'");
break;
case 'COMMA':
$stringParts[] = $token[0] . ' ';
Expand Down Expand Up @@ -1347,13 +1347,13 @@ public function GetPrettyPrintString()
case 'DQ_STRING':
// $messages[] = 'STRING';
$stringParts[] = "<span title='" . implode('; ',$messages) . "' style='color: gray'>\"";
$stringParts[] = addslashes($token[0]);
$stringParts[] = htmlspecialchars($token[0],ENT_QUOTES,'UTF-8');
$stringParts[] = "\"</span>";
break;
case 'SQ_STRING':
// $messages[] = 'STRING';
$stringParts[] = "<span title='" . implode('; ',$messages) . "' style='color: gray'>'";
$stringParts[] = addslashes($token[0]);
$stringParts[] = htmlspecialchars($token[0],ENT_QUOTES,'UTF-8');
$stringParts[] = "'</span>";
break;
case 'SGQA':
Expand Down Expand Up @@ -1381,7 +1381,7 @@ public function GetPrettyPrintString()
$messages[] = $varInfo['jsName'];
}
if (strlen(trim($varInfo['codeValue'])) > 0) {
$messages[] = 'value=' . htmlspecialchars($varInfo['codeValue'],ENT_QUOTES);
$messages[] = 'value=' . htmlspecialchars($varInfo['codeValue'],ENT_QUOTES,'UTF-8');
}
$stringParts[] = "<span title='". implode('; ',$messages) . "' style='color: #a0522d; font-weight: bold'>";
$stringParts[] = $token[0];
Expand All @@ -1393,7 +1393,7 @@ public function GetPrettyPrintString()
$messages[] = $varInfo['jsName'];
}
if (strlen(trim($varInfo['codeValue'])) > 0) {
$messages[] = 'value=' . htmlspecialchars($varInfo['codeValue'],ENT_QUOTES);
$messages[] = 'value=' . htmlspecialchars($varInfo['codeValue'],ENT_QUOTES,'UTF-8');
}
$stringParts[] = "<span title='" . implode('; ',$messages) . "' style='color: #228b22; font-weight: bold'>";
$stringParts[] = $token[0];
Expand Down Expand Up @@ -1724,7 +1724,7 @@ public function sProcessStringContainingExpressionsHelper($src, $questionNum)
if (count($jsVarsUsed) > 0)
{
$idName = "LEMtailor_Q_" . $questionNum . "_" . $this->substitutionNum;
$resolvedParts[] = "<span id='" . $idName . "' name='" . $idName . "'>" . $resolvedPart . "</span>";
$resolvedParts[] = "<span id='" . $idName . "' name='" . $idName . "'>" . htmlspecialchars($resolvedPart,ENT_QUOTES,"UTF-8") . "</span>";
$this->substitutionVars[$idName] = 1;
$this->substitutionInfo[] = array(
'questionNum' => $questionNum,
Expand Down Expand Up @@ -2165,7 +2165,7 @@ static function UnitTestEvaluator()
'ANSWER' => array('codeValue'=>'value for {ANSWER}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'ASSESSMENTS' => array('codeValue'=>'value for {ASSESSMENTS}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'ASSESSMENT_CURRENT_TOTAL' => array('codeValue'=>'value for {ASSESSMENT_CURRENT_TOTAL}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'ASSESSMENT_HEADING' => array('codeValue'=>'value for {ASSESSMENT_HEADING}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'ASSESSMENT_HEADING' => array('codeValue'=>'"Can strings contain embedded \"quoted passages\" (and parentheses + other characters?)?"', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'CHECKJAVASCRIPT' => array('codeValue'=>'value for {CHECKJAVASCRIPT}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'CLEARALL' => array('codeValue'=>'value for {CLEARALL}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'CLOSEWINDOW' => array('codeValue'=>'value for {CLOSEWINDOW}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
Expand Down Expand Up @@ -2204,12 +2204,12 @@ static function UnitTestEvaluator()
'PRIVACY' => array('codeValue'=>'value for {PRIVACY}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QID' => array('codeValue'=>'value for {QID}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTIONHELPPLAINTEXT' => array('codeValue'=>'value for {QUESTIONHELPPLAINTEXT}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTIONHELP' => array('codeValue'=>'value for {QUESTIONHELP}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTIONHELP' => array('codeValue'=>'"can single quoted strings" . \'contain nested \'quoted sections\'?', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_CLASS' => array('codeValue'=>'value for {QUESTION_CLASS}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_CODE' => array('codeValue'=>'value for {QUESTION_CODE}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_ESSENTIALS' => array('codeValue'=>'value for {QUESTION_ESSENTIALS}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_FILE_VALID_MESSAGE' => array('codeValue'=>'value for {QUESTION_FILE_VALID_MESSAGE}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_HELP' => array('codeValue'=>'value for {QUESTION_HELP}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_HELP' => array('codeValue'=>'Can strings have embedded <tags> like <html>, or even unbalanced "quotes or entities without terminal semicolons like &amp and &lt?', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_INPUT_ERROR_CLASS' => array('codeValue'=>'value for {QUESTION_INPUT_ERROR_CLASS}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_MANDATORY' => array('codeValue'=>'value for {QUESTION_MANDATORY}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'QUESTION_MAN_CLASS' => array('codeValue'=>'value for {QUESTION_MAN_CLASS}', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
Expand Down Expand Up @@ -2350,7 +2350,9 @@ static function UnitTestEvaluator()
NULL~--b
value for {INSERTANS:123X45X67}~INSERTANS:123X45X67
value for {QID}~QID
value for {ASSESSMENT_HEADING}~ASSESSMENT_HEADING
"Can strings contain embedded \"quoted passages\" (and parentheses + other characters?)?"~ASSESSMENT_HEADING
"can single quoted strings" . 'contain nested 'quoted sections'?~QUESTIONHELP
Can strings have embedded <tags> like <html>, or even unbalanced "quotes or entities without terminal semicolons like &amp and &lt?~QUESTION_HELP
value for {TOKEN:FIRSTNAME}~TOKEN:FIRSTNAME
value for {THEREAREXQUESTIONS}~THEREAREXQUESTIONS
5~q5pointChoice.code
Expand Down Expand Up @@ -2403,7 +2405,7 @@ static function UnitTestEvaluator()
5~strlen(hi)
I love LimeSurvey~str_replace('like','love','I like LimeSurvey')
2~strpos('I like LimeSurvey','like')
Hi there!~d='<span id="d" style="border-style: solid; border-width: 2px; border-color: green">Hi there!</span>'
<span id="d" style="border-style: solid; border-width: 2px; border-color: green">Hi there!</span>~d='<span id="d" style="border-style: solid; border-width: 2px; border-color: green">Hi there!</span>'
Hi there!~c=strip_tags(d)
Hi there!~c
+,-,*,/,!,,,and,&&,or,||,gt,>,lt,<,ge,>=,le,<=,eq,==,ne,!=~implode(',','+','-','*','/','!',',','and','&&','or','||','gt','>','lt','<','ge','>=','le','<=','eq','==','ne','!=')
Expand Down Expand Up @@ -2479,8 +2481,7 @@ static function UnitTestEvaluator()
$LEMalias2varName[] = "'" . $jsVarName . "':{'jsName':'" . $jsVarName . "'}";
$LEMvarNameAttr[] = "'" . $jsVarName . "': {"
. "'jsName':'" . $jsVarName
. "','code':'" . $value
. "','shown':'" . $value
. "','code':'" . htmlspecialchars(preg_replace("/[[:space:]]/",' ',$value),ENT_QUOTES,'UTF-8')
. "','question':'"
. "','qid':'" . $i . "'}";
}
Expand All @@ -2501,19 +2502,20 @@ static function UnitTestEvaluator()
$resultStatus = 'ok';
$status = $em->Evaluate($expr);
$result = $em->GetResult();
$valToShow = $result;
$valToShow = htmlspecialchars($result,ENT_QUOTES,'UTF-8');
$expectedToShow = htmlspecialchars($expectedResult,ENT_QUOTES,'UTF-8');
print "<tr>";
print "<td>" . $em->GetPrettyPrintString() . "</td>\n";
if (is_null($result)) {
$valToShow = "NULL";
}
print '<td>' . $valToShow . "</td>\n";
if ($valToShow != $expectedResult)
if ($valToShow != $expectedToShow)
{
$resultStatus = 'error';
}
print "<td class='" . $resultStatus . "'>" . $expectedResult . "</td>\n";
print "<td>" . $em->GetJavascriptTestforExpression($expectedResult) . "&nbsp;</td>\n";
print "<td class='" . $resultStatus . "'>" . $expectedToShow . "</td>\n";
print "<td>" . $em->GetJavascriptTestforExpression($expectedToShow) . "&nbsp;</td>\n";
$varsUsed = $em->GetVarsUsed();
if (is_array($varsUsed) and count($varsUsed) > 0) {
$varDesc = array();
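Review bot: In GetJavaScriptEquivalentOfExpression (hunks at @@ -1139 and @@ -1193) the token is wrapped in single quotes to form a JavaScript string literal, but htmlspecialchars() only encodes HTML metacharacters and leaves backslashes and line breaks untouched, so a value ending in `\` or containing a newline still terminates or corrupts the emitted JS literal where addslashes() previously covered that. The same construction is used for `'code':'` in UnitTestEvaluator (@@ -2479) and in em_manager_helper.php at @@ -300. The value needs a JS-string escape first and the HTML escape second, e.g. `htmlspecialchars(addslashes($token[0]),ENT_QUOTES,'UTF-8')`, with a comment stating which output context (HTML attribute versus script block) the entity encoding relies on, since entities are only decoded in the former. The NUMBER case at @@ -1202 now emits a non-numeric token with no escaping at all; if the tokenizer guarantees that branch is unreachable, a comment saying so would stop the next reader from treating it as an injection point. Each of these methods begins and ends outside its hunk.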
30 changes: 21 additions & 9 deletions application/helpers/expressions/em_manager_helper.php
Expand Up @@ -300,7 +300,7 @@ public function setVariableAndTokenMappingsForExpressionManager($forceRefresh=fa

$varNameAttr[$jsVarName] = "'" . $jsVarName . "':{"
. "'jsName':'" . $jsVarName
. "','code':'" . $codeValue
. "','code':'" . htmlspecialchars(preg_replace('/[[:space:]]/',' ',$codeValue),ENT_QUOTES,'UTF-8')
// . "','shown':'" . $displayValue
// . "','question':'" . $question
. "','qid':'" . $questionNum
Expand Down Expand Up @@ -779,7 +779,7 @@ static function GetRelevanceAndTailoringJavaScript()
foreach ($undeclaredJsVars as $jsVar)
{
// TODO - is different type needed for text? Or process value to striphtml?
$jsParts[] = "<input type='hidden' id='" . $jsVar . "' name='" . $jsVar . "' value='" . htmlspecialchars($undeclaredVal[$jsVar]) . "'/>\n";
$jsParts[] = "<input type='hidden' id='" . $jsVar . "' name='" . $jsVar . "' value='" . htmlspecialchars($undeclaredVal[$jsVar],ENT_QUOTES,'UTF-8') . "'/>\n";
}
}
sort($qidList,SORT_NUMERIC);
Expand Down Expand Up @@ -814,12 +814,12 @@ static function SetResetFunction($questionNum, $functionContents)
static function UnitTestProcessStringContainingExpressions()
{
$vars = array(
'name' => array('codeValue'=>'Sergei', 'jsName'=>'java61764X1X1', 'readWrite'=>'Y', 'isOnCurrentPage'=>'Y'),
'name' => array('codeValue'=>'"<Sergei>\'', 'jsName'=>'java61764X1X1', 'readWrite'=>'Y', 'isOnCurrentPage'=>'Y'),
'age' => array('codeValue'=>45, 'jsName'=>'java61764X1X2', 'readWrite'=>'Y', 'isOnCurrentPage'=>'Y'),
'numKids' => array('codeValue'=>2, 'jsName'=>'java61764X1X3', 'readWrite'=>'Y', 'isOnCurrentPage'=>'Y'),
'numPets' => array('codeValue'=>1, 'jsName'=>'java61764X1X4', 'readWrite'=>'Y', 'isOnCurrentPage'=>'Y'),
// Constants
'INSERTANS:61764X1X1' => array('codeValue'=> 'Sergei', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'Y'),
'INSERTANS:61764X1X1' => array('codeValue'=> '<Sergei>', 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'Y'),
'INSERTANS:61764X1X2' => array('codeValue'=> 45, 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'Y'),
'INSERTANS:61764X1X3' => array('codeValue'=> 2, 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
'INSERTANS:61764X1X4' => array('codeValue'=> 1, 'jsName'=>'', 'readWrite'=>'N', 'isOnCurrentPage'=>'N'),
Expand Down Expand Up @@ -867,20 +867,25 @@ static function UnitTestProcessStringContainingExpressions()
$alltests[] = 'This line has a hidden script: <script type="text/javascript" language="Javascript">' . $javascript1 . '</script>';
$alltests[] = 'This line has a hidden script: <script type="text/javascript" language="Javascript">' . $javascript2 . '</script>';

LimeExpressionManager::StartProcessingPage();
LimeExpressionManager::StartProcessingGroup(1);

$lem = LimeExpressionManager::singleton();
$em = $lem->em;
$em->StartProcessingGroup();

// $em->StartProcessingGroup();
$em->RegisterVarnamesUsingMerge($vars);

print '<table border="1"><tr><th>Test</th><th>Result</th><th>VarName(jsName, readWrite, isOnCurrentPage)</th></tr>';
print '<table border="1"><tr><th>Test</th><th>Result</th></tr>'; // <th>VarName(jsName, readWrite, isOnCurrentPage)</th></tr>';
for ($i=0;$i<count($alltests);++$i)
{
$test = $alltests[$i];
$result = $em->sProcessStringContainingExpressions($test,$i,2,1);
$prettyPrint = $em->GetLastPrettyPrintExpression();
$result = LimeExpressionManager::ProcessString($test, $i, NULL, false, 1, 1);
// $result = $em->sProcessStringContainingExpressions($test,$i,2,1);
$prettyPrint = LimeExpressionManager::GetLastPrettyPrintExpression();
// $prettyPrint = $em->GetLastPrettyPrintExpression();
print "<tr><td>" . $prettyPrint . "</td>\n";
print "<td>" . $result . "</td>\n";
/*
$varsUsed = $em->getAllVarsUsed();
if (is_array($varsUsed) and count($varsUsed) > 0) {
$varDesc = array();
Expand All @@ -893,15 +898,22 @@ static function UnitTestProcessStringContainingExpressions()
else {
print "<td>&nbsp;</td>\n";
}
*/
print "</tr>\n";
}
print '</table>';
LimeExpressionManager::FinishProcessingGroup();
LimeExpressionManager::FinishProcessingPage();
print LimeExpressionManager::GetRelevanceAndTailoringJavaScript();
}

static function UnitTestRelevance()
{
// Tests: varName~relevance~inputType~message
$tests = <<<EOT
junk~1~text~Enter "junk" here to test XSS - will show below
info~1~expr~{info='Can strings have embedded <tags> like <html>, or even unbalanced "quotes, \'single quoted strings\', or entities without terminal semicolons like &amp and &lt?'}
info2~1~message~Here is a messy string: {info}<br/>Here is the "junk" you entered: {junk}
name~1~text~What is your name?
age~1~text~How old are you?
badage~1~expr~{badage=((age<16) || (age>80))}
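Review bot: UnitTestProcessStringContainingExpressions keeps the superseded calls as commented-out code (`// $em->StartProcessingGroup();`, `// $result = $em->sProcessStringContainingExpressions($test,$i,2,1);`, `// $prettyPrint = $em->GetLastPrettyPrintExpression();` and the `/* ... */` varsUsed block) next to their replacements, leaving two code paths for a reader to reconcile; either delete them or state in one comment why they are retained. The replacement call `LimeExpressionManager::ProcessString($test, $i, NULL, false, 1, 1)` passes four positional literals whose meaning cannot be recovered from the hunk, so a short comment naming each argument would help the next maintainer. The method's `$vars` array starts inside the first hunk but the method body runs past the last one.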
8 changes: 4 additions & 4 deletions application/helpers/frontend_helper.php
Expand Up @@ -930,13 +930,13 @@ function checkUploadedFileValidity($surveyid, $move, $backok=null)
{
if (isset($append) && $append)
{
$filenotvalidated[$field."_file_".$i] .= sprintf($clang->gT("Sorry, only %s extensions are allowed !"),$validation['allowed_filetypes']);
$filenotvalidated[$field."_file_".$i] .= sprintf($clang->gT("Sorry, only %s extensions are allowed!"),$validation['allowed_filetypes']);
unset($append);
}
else
{
$filenotvalidated = array();
$filenotvalidated[$field."_file_".$i] .= sprintf($clang->gT("Sorry, only %s extensions are allowed !"),$validation['allowed_filetypes']);
$filenotvalidated[$field."_file_".$i] .= sprintf($clang->gT("Sorry, only %s extensions are allowed!"),$validation['allowed_filetypes']);
}
}
}
Expand All @@ -945,10 +945,10 @@ function checkUploadedFileValidity($surveyid, $move, $backok=null)
else
$filecount = 0;

if ($filecount < $validation['min_num_of_files'])
if (isset($validation['min_num_of_files']) && $filecount < $validation['min_num_of_files'])
{
$filenotvalidated = array();
$filenotvalidated[$field] = $clang->gT("The minimum number of files have not been uploaded");
$filenotvalidated[$field] = $clang->gT("The minimum number of files has not been uploaded.");
}
}
}
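Review bot: In the else branch of the hunk at @@ -930 the array is reset with `$filenotvalidated = array();` and the next line appends with `.=` to a key that cannot exist yet, which raises an undefined-index notice on every such validation failure; the intended operator there is `=`: `$filenotvalidated[$field."_file_".$i] = sprintf($clang->gT("Sorry, only %s extensions are allowed!"),$validation['allowed_filetypes']);`. Separately, the three gT() source strings reworded in this file are translation keys, so existing translations of the old wording will stop matching until the language files are updated. checkUploadedFileValidity() begins and ends outside both hunks.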

