Fixed issue #07085: Cross Site Scripting (XSS) in printing page

Dev: just htmlentities
LimeSurvey · Dec 14, 2012 · df6e77c · df6e77c
1 parent 1ddb416
commit df6e77c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/application/controllers/PrintanswersController.php b/application/controllers/PrintanswersController.php
@@ -172,7 +172,7 @@ function actionView($surveyid,$printableexport=FALSE)
                 }
                 else
                 {
-                    $printoutput .= "\t<tr class='printanswersquestionhead'><td  colspan='2'>{$fname[0]}</td></tr>\n";
+                    $printoutput .= "\t<tr class='printanswersquestionhead'><td colspan='2'>{$fname[0]}</td></tr>\n";
                 }
             }
             elseif ($sFieldname=='submitdate')
@@ -199,7 +199,7 @@ function actionView($surveyid,$printableexport=FALSE)
                 }
                 else
                 {
-                    $printoutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>{$fname[2]}</td></tr>";
+                    $printoutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>".htmlspecialchars($fname[2])."</td></tr>";
                 }
             }
         }