From d905a9a7f8ac9b45fb4445b4cce97d7c2475492a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fl=C3=BCr?= <fluer.markus@googlemail.com>
Date: Wed, 1 Aug 2018 11:01:52 +0200
Subject: [PATCH] Fixed issue: convertGETtoPOST has to be wrapped in
 singlequotes

---
 application/controllers/admin/tokens.php      |  4 ++--
 application/helpers/common_helper.php         | 10 +++++++--
 application/models/Question.php               | 11 ++++++----
 .../admin/responses/browsemenubar_view.php    |  2 +-
 .../admin/survey/_activation_feedback.php     |  2 +-
 application/views/admin/token/actions.php     | 21 ++++++++++++++++++-
 .../admin/usergroup/usergroupbar_view.php     |  2 +-
 7 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
index 61a6043c8d2..0c87f5d32b7 100644
--- a/application/controllers/admin/tokens.php
+++ b/application/controllers/admin/tokens.php
@@ -2182,8 +2182,8 @@ public function tokenify($iSurveyId)
             $this->_renderWrappedTemplate('token', array('message' => array(
             'title' => gT("Create tokens"),
             'message' => gT("Clicking 'Yes' will generate tokens for all those in this token list that have not been issued one. Continue?")."<br /><br />\n"
-            . "<input class='btn btn-default btn-lg' type='submit' value='"
-            . gT("Yes")."' onclick=\"".convertGETtoPOST($this->getController()->createUrl("admin/tokens/sa/tokenify/surveyid/$iSurveyId", array('ok'=>'Y')))."\" />\n"
+            . "<button class='btn btn-default btn-lg' type='submit' value='"
+            . gT("Yes")."' onclick='".convertGETtoPOST($this->getController()->createUrl("admin/tokens/sa/tokenify/surveyid/$iSurveyId", array('ok'=>'Y')))."' >".gT("Yes")."</button>\n"
             . "<input class='btn btn-default  btn-lg' type='submit' value='"
             . gT("No")."' onclick=\"window.open('".$this->getController()->createUrl("admin/tokens/sa/index/surveyid/$iSurveyId")."', '_top')\" />\n"
             . "<br />\n"
diff --git a/application/helpers/common_helper.php b/application/helpers/common_helper.php
index 7292efd4825..f31477d24a4 100644
--- a/application/helpers/common_helper.php
+++ b/application/helpers/common_helper.php
@@ -314,7 +314,13 @@ function getGidNext($surveyid, $gid)
 }
 
 
-
+/**
+ * convertGETtoPOST a function to create a post Request from get parameters
+ * !!! This functions result has to be wrappen in singlequotes!
+ *
+ * @param String $url | The complete url with all parameters
+ * @return String | The onclick action for the element
+ */
 function convertGETtoPOST($url)
 {
     // This function must be deprecated and replaced by $.post
@@ -332,7 +338,7 @@ function convertGETtoPOST($url)
         $postArray[$paramname] = $value;
     }
 
-    $callscript = "window.LS.sendPost('".$calledscript."','".json_encode($postArray)."');";
+    $callscript = "window.LS.sendPost(\"".$calledscript."\",\"\",".json_encode($postArray).");";
 
     return $callscript;
 }
diff --git a/application/models/Question.php b/application/models/Question.php
index 35997c78643..3dd69529b30 100644
--- a/application/models/Question.php
+++ b/application/models/Question.php
@@ -823,10 +823,13 @@ public function getbuttons()
         $gid_search = Yii::app()->request->getParam('gid');
 
         if ($oSurvey->active != "Y" && Permission::model()->hasSurveyPermission($this->sid, 'surveycontent', 'delete')) {
-            $button .= '<a class="btn btn-default"  data-toggle="tooltip" title="'.gT("Delete").'" href="#" role="button"
-                        onclick="if (confirm(\' '.gT("Deleting  will also delete any answer options and subquestions it includes. Are you sure you want to continue?", "js").' \' )){ '.convertGETtoPOST(Yii::app()->createUrl("admin/questions/sa/delete/surveyid/$this->sid/qid/$this->qid/gid/$gid_search")).'} ">
-                            <span class="text-danger fa fa-trash"></span>
-                            </a>';
+            $button .= '<a class="btn btn-default"  data-toggle="tooltip" title="'.gT("Delete").'" href="#" role="button"'
+                ." onclick='$.bsconfirm(\"".gT("Deleting  will also delete any answer options and subquestions it includes. Are you sure you want to continue?","js")
+                            ."\", {\"confirm_ok\": \"".gT("Yes")."\", \"confirm_cancel\": \"".gT("No")."\"}, function() {"
+                            . convertGETtoPOST(Yii::app()->createUrl("admin/questions/sa/delete/", ["surveyid" => $this->sid, "qid" => $this->qid, "gid" => $gid_search]))
+                        ."});'>"                        
+                    .' <i class="text-danger fa fa-trash"></i>
+                </a>';
         }
 
         return $button;
diff --git a/application/views/admin/responses/browsemenubar_view.php b/application/views/admin/responses/browsemenubar_view.php
index 0be49a3796b..edfe265387d 100644
--- a/application/views/admin/responses/browsemenubar_view.php
+++ b/application/views/admin/responses/browsemenubar_view.php
@@ -229,7 +229,7 @@ class="btn btn-default selector--ConfirmModal">
                     </a>
                     <?php endif;?>
                     <?php if (Permission::model()->hasSurveyPermission($surveyid, 'responses', 'delete') && isset($rlanguage)): ?>
-                    <a class="btn btn-default" href='#' role="button" onclick="if (confirm('<?php eT("Are you sure you want to delete this entry?", "js"); ?>')) { <?php echo convertGETtoPOST($this->createUrl("admin/dataentry/sa/delete/id/$id/sid/$surveyid")); ?>}">
+                    <a class="btn btn-default" href='#' role="button" onclick='if (confirm("<?php eT("Are you sure you want to delete this entry?", "js"); ?>")) { <?php echo convertGETtoPOST($this->createUrl("admin/dataentry/sa/delete/", ['id' => $id, 'sid' => $surveyid])); ?>}">
                         <span class="fa fa-trash text-warning"></span>
                         <?php eT("Delete this entry"); ?>
                     </a>
diff --git a/application/views/admin/survey/_activation_feedback.php b/application/views/admin/survey/_activation_feedback.php
index fcf91172289..102717230b1 100644
--- a/application/views/admin/survey/_activation_feedback.php
+++ b/application/views/admin/survey/_activation_feedback.php
@@ -36,7 +36,7 @@
                             type="submit"
                             class="btn btn-default btn-lg limebutton"
                             value="<?php eT("Initialise participant table"); ?>"
-                            onclick="<?php echo $onclickAction;?>"
+                            onclick='<?php echo $onclickAction;?>'
                             />
                     </p>
                     <?php else:?>
diff --git a/application/views/admin/token/actions.php b/application/views/admin/token/actions.php
index c825be9cc8c..e61b146de5d 100644
--- a/application/views/admin/token/actions.php
+++ b/application/views/admin/token/actions.php
@@ -1,2 +1,21 @@
-<a class="ui-icon ui-icon-pencil" onclick="if (confirm('<?php eT("Are you sure you want to delete the selected entries?","js");?>')) { <?php echo convertGETtoPOST($this->createUrl("admin/tokens/sa/delete/$surveyid/")."?action=tokens&amp;sid={$surveyid}&amp;subaction=delete&amp;tokenids=$id&amp;limit={$limit}&amp;start={$start}&amp;order={$order}");?>}" title="<?php eT("Delete the selected entries");?>"></a>
+<?php
+    $onclickAction = "if (confirm("
+        .gT("Are you sure you want to delete the selected entries?","js")
+        ."\")) {"
+        .convertGETtoPOST(
+            $this->createUrl("admin/tokens/sa/delete/$surveyid/", 
+                [
+                    "action"   => "tokens", 
+                    "sid"      => $surveyid, 
+                    "subaction"=>"delete",
+                    "tokenids" => $id,
+                    "limit"    => $limit,
+                    "start"    => $start,
+                    "order"    => $order
+                ]
+            )
+        )."}";
+?>
+
+<a class="ui-icon ui-icon-pencil" onclick='<?=$onclickAction?>' title="<?php eT("Delete the selected entries");?>"></a>
 <a class="ui-icon"></a>
diff --git a/application/views/admin/usergroup/usergroupbar_view.php b/application/views/admin/usergroup/usergroupbar_view.php
index fa1a55933b4..3ea03251b72 100644
--- a/application/views/admin/usergroup/usergroupbar_view.php
+++ b/application/views/admin/usergroup/usergroupbar_view.php
@@ -32,7 +32,7 @@
 
             <!-- Delete current user group -->
             <?php if(isset($usergroupbar['edit']) &&  (Yii::app()->session['loginID'] == $userGroup->owner_id || Permission::model()->hasGlobalPermission('superadmin','read')) ):?>
-                <a class="btn btn-default" href='#' onclick="if (confirm('<?php eT("Are you sure you want to delete this entry?","js"); ?>')) { <?php echo convertGETtoPOST($this->createUrl('admin/usergroups/sa/delete/ugid/'.$userGroup->ugid)); ?>}">
+                <a class="btn btn-default" href='#' onclick='if (confirm("<?php eT("Are you sure you want to delete this entry?","js"); ?>")) { <?php echo convertGETtoPOST($this->createUrl('admin/usergroups/sa/delete/ugid/'.$userGroup->ugid)); ?>}'>
                     <span class="fa fa-trash text-success"></span>
                     <?php eT("Delete current user group"); ?>
                 </a>