Fixed issue #13928: script (and tag) are not filtered or encoded if q…

…uestion is in same group Fixed issue #13928: script (and tag) are not filtered or encoded if question is in same group Dev: htmlentities only for user entered values Dev: some copy paste from .shown where user entered values are encoded Dev: some question not need to be encoded
LimeSurvey · Oct 15, 2018 · da0d8ac · da0d8ac
1 parent 03eb14b
commit da0d8ac
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/application/config/version.php b/application/config/version.php
@@ -16,5 +16,5 @@
 $config['dbversionnumber'] = 355;
 $config['buildnumber'] = '';
 $config['updatable'] = true;
-$config['assetsversionnumber'] = '30060';
+$config['assetsversionnumber'] = '30061';
 return $config;
diff --git a/assets/scripts/expressions/em_javascript.js b/assets/scripts/expressions/em_javascript.js
@@ -509,7 +509,9 @@ function LEMval(alias)
     var varName = alias;
     var suffix = 'code';    // the default
     var value = "";
-    if(typeof bNumRealValue == 'undefined'){bNumRealValue=false;} // Allow to update {QCODE} even with text
+    if(typeof bNumRealValue == 'undefined'){
+        bNumRealValue=false;
+    } // Allow to update {QCODE} even with text
 
     /* If passed a number, return that number */
     if (str == '') return '';
@@ -706,6 +708,49 @@ function LEMval(alias)
             if (value === '') {
                 return '';
             }
+            // Always htmlentities user entered values, see #13928
+            switch(attr.type)
+            {
+                case '!': //List - dropdown
+                case 'L': //LIST drop-down/radio-button list
+                case 'O': //LIST WITH COMMENT drop-down/radio-button list + textarea
+                case 'H': //ARRAY (Flexible) - Column Format
+                case 'F': //ARRAY (Flexible) - Row Format
+                case 'R': //RANKING STYLE
+                    if (attr.type == 'O' && varName.match(/comment$/)) {
+                        value = htmlentities(value);
+                    }
+                    else if ((attr.type == 'L' || attr.type == '!') && varName.match(/_other$/)) {
+                        value = htmlentities(value);
+                    }
+                    break;
+                case 'N': //NUMERICAL QUESTION TYPE
+                case 'K': //MULTIPLE NUMERICAL QUESTION
+                case 'Q': //MULTIPLE SHORT TEXT
+                case ';': //ARRAY (Multi Flexi) Text
+                case 'S': //SHORT FREE TEXT
+                case 'T': //LONG FREE TEXT
+                case 'U': //HUGE FREE TEXT
+                case 'D': //DATE
+                case '*': //Equation
+                case '|': //File Upload (unsure need to be htmlentities ?)
+                        value = htmlentities(value);
+                    break;
+                case 'M': //Multiple choice checkbox
+                case 'P': //Multiple choice with comments checkbox + text
+                    if (attr.type == 'P' && varName.match(/comment$/)) {
+                        value = htmlentities(value);
+                    }
+                    break;
+                case 'A': //ARRAY (5 POINT CHOICE) radio-buttons
+                case 'B': //ARRAY (10 POINT CHOICE) radio-buttons
+                case ':': //ARRAY (Multi Flexi) 1 to 10
+                case '5': //5 POINT CHOICE radio-buttons
+                case 'I': //Language Question
+                case 'X': //BOILERPLATE QUESTION
+                default:
+                    // Nothing to update
+            }
 
             if (suffix == 'value' || suffix == 'valueNAOK') {
                 // if in assessment mode, this returns the assessment value