Fixed issue [security] #17795: XSS in token browse (#2187)

Dev: filter and encode
LimeSurvey · Dec 22, 2021 · e8093fb · e8093fb
1 parent 1c92f5d
commit e8093fb
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/application/models/Token.php b/application/models/Token.php
@@ -428,12 +428,13 @@ public function rules()
             array('remindercount', 'numerical', 'integerOnly' => true, 'allowEmpty' => true),
             array('email', 'filter', 'filter' => 'trim'),
             array('email', 'LSYii_EmailIDNAValidator', 'allowEmpty' => true, 'allowMultiple' => true, 'except' => 'allowinvalidemail'),
+            array('emailstatus', 'default', 'value' => 'OK'),
+            array('emailstatus', 'filter', 'filter' => array(self::class, 'sanitizeAttribute')),
             array('usesleft', 'numerical', 'integerOnly' => true, 'allowEmpty' => true, 'min' => -2147483647, 'max' => 2147483647),
             array('mpid', 'numerical', 'integerOnly' => true, 'allowEmpty' => true),
             array('blacklisted', 'in', 'range' => array('Y', 'N'), 'allowEmpty' => true),
             array('validfrom', 'date','format' => ['yyyy-M-d H:m:s.???','yyyy-M-d H:m:s','yyyy-M-d H:m','yyyy-M-d'],'allowEmpty' => true),
             array('validuntil','date','format' => ['yyyy-M-d H:m:s.???','yyyy-M-d H:m:s','yyyy-M-d H:m','yyyy-M-d'],'allowEmpty' => true),
-            array('emailstatus', 'default', 'value' => 'OK'),
         );
         foreach (decodeTokenAttributes($this->survey->attributedescriptions) as $key => $info) {
             $aRules[] = array(

diff --git a/application/models/TokenDynamic.php b/application/models/TokenDynamic.php
@@ -589,9 +589,9 @@ private function getYesNoDateFormated($field)
     public function getEmailFormated()
     {
         if ($this->emailstatus == "bounced") {
-            return '<span class="text-warning"><strong> ' . $this->email . '</strong></span>';
+            return '<span class="text-warning"><strong> ' . CHtml::encode($this->email) . '</strong></span>';
         } else {
-            return $this->email;
+            return CHtml::encode($this->email);
         }
     }
 
@@ -601,9 +601,9 @@ public function getEmailFormated()
     public function getEmailstatusFormated()
     {
         if ($this->emailstatus == "bounced") {
-            return '<span class="text-warning"><strong> ' . $this->emailstatus . '</strong></span>';
+            return '<span class="text-warning"><strong> ' . CHtml::encode($this->emailstatus) . '</strong></span>';
         } else {
-            return $this->emailstatus;
+            return CHtml::encode($this->emailstatus);
         }
     }