Fixed issue #07087: XSS security in statistics for admin

Dev: review #07085 : using included sanitize_helper function. Dev: maybe move sanitize_helper to Yii CFormatter http://www.yiiframework.com/doc/api/1.1/CFormatter
LimeSurvey · Dec 15, 2012 · ea2246a · ea2246a
1 parent 038433c
commit ea2246a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/application/controllers/PrintanswersController.php b/application/controllers/PrintanswersController.php
@@ -208,7 +208,7 @@ function actionView($surveyid, $printablexport='')
                 }
                 else
                 {
-                    $sPrintOutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>".htmlspecialchars($fname[2])."</td></tr>";
+                    $sPrintOutput .= "\t<tr class='printanswersquestion'><td>{$fname[0]} {$fname[1]}</td><td class='printanswersanswertext'>".sanitize_html_string($fname[2])."</td></tr>";
                 }
             }
         }

diff --git a/application/views/admin/export/statistics_browse_view.php b/application/views/admin/export/statistics_browse_view.php
@@ -44,9 +44,9 @@
     </a>
 </div>
 <div class='statisticscolumndata'>
-    <?php echo stripslashes($row['value']) ?>
+    <?php echo sanitize_html_string($row['value']) ?>
 </div>
 <div style='clear: both'></div>
 <?php
 }
-?>
+?>