Improve/implement XSS filtering in the Yii branch - done by Noostra
git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/limesurvey_yii@11942 b72ed6b6-b9f8-46b5-92b4-906544132732
c-schmitz committed Jan 6, 2012
1 parent a292b83 commit d7c2ed9
Showing 5 changed files with 196 additions and 49 deletions.
49 changes: 27 additions & 22 deletions application/controllers/admin/database.php
Expand Up @@ -29,7 +29,6 @@ class database extends Survey_Common_Action
*
* @param mixed $action
* @return
* @todo Implement XSS filter
*/
function index($sa = null)
{
Expand All @@ -45,7 +44,19 @@ function index($sa = null)
$gid = returnglobal('gid');
$qid = returnglobal('qid');
// if $action is not passed, check post data.


if(Yii::app()->getConfig('filterxsshtml') && Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1)
{
$filter = new CHtmlPurifier();
$filter->options = array('URI.AllowedSchemes'=>array(
'http' => true,
'https' => true,
));
$xssfilter = true;
}
else
$xssfilter = false;

if ($action == "updatedefaultvalues" && bHasSurveyPermission($surveyid, 'surveycontent','update'))
{

Expand Down Expand Up @@ -174,18 +185,14 @@ function index($sa = null)
{
$answer=$_POST['answer_'.$language.'_'.$sortorderid.'_'.$scale_id];

/*
if (Yii::app()->getConfig('filterxsshtml'))
if ($xssfilter)
{
//Sanitize input, strip XSS
// Todo: Put back in XSS filter
//$answer=$this->security->xss_clean($answer);
$answer=$filter->purify($answer);
}
else
{
*/
$answer=html_entity_decode($answer, ENT_QUOTES, "UTF-8");
//}
$answer=html_entity_decode($answer, ENT_QUOTES, "UTF-8");
}
// Fix bug with FCKEditor saving strange BR types
$answer=fix_FCKeditor_text($answer);

Expand Down Expand Up @@ -391,14 +398,13 @@ function index($sa = null)
$_POST['question_'.$baselang] = html_entity_decode($_POST['question_'.$baselang], ENT_QUOTES, "UTF-8");
$_POST['help_'.$baselang] = html_entity_decode($_POST['help_'.$baselang], ENT_QUOTES, "UTF-8");

$purifier = new CHtmlPurifier();

// Fix bug with FCKEditor saving strange BR types
if (Yii::app()->getConfig('filterxsshtml'))
if ($xssfilter)
{
$_POST['title']=$purifier->purify($_POST['title']);
$_POST['question_'.$baselang]=$purifier->purify($_POST['question_'.$baselang]);
$_POST['help_'.$baselang]=$purifier->purify($_POST['help_'.$baselang]);
$_POST['title']=$filter->purify($_POST['title']);
$_POST['question_'.$baselang]=$filter->purify($_POST['question_'.$baselang]);
$_POST['help_'.$baselang]=$filter->purify($_POST['help_'.$baselang]);
}
else
{
Expand Down Expand Up @@ -715,20 +721,19 @@ function index($sa = null)
$questlangs = Survey::model()->findByPk($surveyid)->additionalLanguages;
$baselang = Survey::model()->findByPk($surveyid)->language;
array_push($questlangs,$baselang);
$p = new CHtmlPurifier();
if (Yii::app()->getConfig('filterxsshtml'))
$_POST['title'] = $p->purify($_POST['title']);
if ($xssfilter)
$_POST['title'] = $filter->purify($_POST['title']);
else
$_POST['title'] = html_entity_decode($_POST['title'], ENT_QUOTES, "UTF-8");

// Fix bug with FCKEditor saving strange BR types
$_POST['title']=fix_FCKeditor_text($_POST['title']);
foreach ($questlangs as $qlang)
{
if (Yii::app()->getConfig('filterxsshtml'))
if ($xssfilter)
{
$_POST['question_'.$qlang] = $p->purify($_POST['question_'.$qlang]);
$_POST['help_'.$qlang] = $p->purify($_POST['help_'.$qlang]);
$_POST['question_'.$qlang] = $filter->purify($_POST['question_'.$qlang]);
$_POST['help_'.$qlang] = $filter->purify($_POST['help_'.$qlang]);
}
else
{
Expand Down Expand Up @@ -882,7 +887,7 @@ function index($sa = null)
if ($url == 'http://') {$url="";}

// Clean XSS attacks
if (Yii::app()->getConfig('filterxsshtml'))
if ($xssfilter)
{
$purifier = new CHtmlPurifier();
$purifier->options = array(
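Review bot: The exemption `Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1` in the first hunk means anything a superadmin saves is stored with no purification and is later rendered to respondents and to every other admin, so a superadmin account becomes a stored-XSS vector against all other users; if that is an intentional trust decision it should be stated at the point of the check, e.g. `// Superadmins are trusted to enter raw HTML/JS; every other editor is run through HTML Purifier`. In the last hunk the URL branch still instantiates its own `$purifier = new CHtmlPurifier()` with separate options instead of reusing `$filter`, so the `URI.AllowedSchemes` whitelist (http/https only) configured at the top does not necessarily apply to that field; reusing `$filter` there, or building it from a single helper, would keep one policy for all fields. The same config-plus-superadmin condition is repeated in surveyaction.php, which is a second place to keep in sync. `index()` begins before the first hunk and continues past the last one.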
11 changes: 8 additions & 3 deletions application/controllers/admin/surveyaction.php
Expand Up @@ -1531,13 +1531,18 @@ function insert($iSurveyId=null)
'emailresponseto' => $_POST['emailresponseto'],
'tokenlength' => $_POST['tokenlength']
);


if(Yii::app()->getConfig('filterxsshtml') && Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1)
$xssfilter = true;
else
$xssfilter = false;

if (!is_null($iSurveyId))
{
$aInsertData['wishSID'] = $iSurveyId;
}

$iNewSurveyid = Survey::model()->insertNewSurvey($aInsertData);
$iNewSurveyid = Survey::model()->insertNewSurvey($aInsertData, $xssfilter);
if (!$iNewSurveyid)
die('Survey could not be created.');

Expand Down Expand Up @@ -1607,7 +1612,7 @@ function insert($iSurveyId=null)
);

$langsettings = new Surveys_languagesettings;
$langsettings->insertNewSurvey($aInsertData);
$langsettings->insertNewSurvey($aInsertData, $xssfilter);

Yii::app()->session['flashmessage'] = $this->getController()->lang->gT("Survey was successfully added.");

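Review bot: `$xssfilter` is computed here but the actual purification is deferred to `Survey::model()->insertNewSurvey($aInsertData, $xssfilter)` and `$langsettings->insertNewSurvey($aInsertData, $xssfilter)`, whose changes are not in the visible sections, so the model presumably constructs its own `CHtmlPurifier`; unless it copies the `URI.AllowedSchemes` restriction used in database.php, survey titles and descriptions would be purified under a looser scheme policy than questions and answers. A one-line comment above the flag would make the contract explicit, e.g. `// true = model must purify the language/title fields before insert; superadmins bypass the filter`. Passing a bare boolean into a persistence method also couples the model to the controller's permission logic; passing the configured purifier instance (or null) instead would keep a single filter policy. The superadmin bypass here has the same stored-XSS implication as in database.php and deserves the same explicit statement of intent. `insert()` begins before the first hunk and continues past the last one.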
