Fixed issue [security] #15720: Reflected Cross-Site Scripting in posi…

…tion widget (Maxime Roy)
LimeSurvey · Jan 21, 2020 · d8f84b4 · d8f84b4
1 parent 1db3247
commit d8f84b4
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/application/controllers/admin/questions.php b/application/controllers/admin/questions.php
@@ -1284,7 +1284,8 @@ public function ajaxReloadPositionWidget($gid, $classes = '')
 
             );
 
-            if ($classes != '') {
+            // TODO: Better solution: Hard-code allowed CSS classes.
+            if ($classes != '' && $this->isValidCSSClass($classes)) {
                 $aOptions['classes'] = $classes;
             }
 
@@ -1540,6 +1541,18 @@ public function ajaxGetQuestionTemplateList()
         Yii::app()->end();
     }
 
+    /**
+     * Returns true if $class is a valid CSS class (alphanumeric + '-' and '_')
+     *
+     * @param string $class
+     * @return boolean
+     */
+    protected function isValidCSSClass($class)
+    {
+        $class = str_replace(['-', '_'], '', $class);
+        return ctype_alnum($class);
+    }
+
     /**
      * Renders template(s) wrapped in header and footer
      *