Fixed issue: [security] Minor XSS issue in plugin overview - reported…

… by Podalirius (podalirius.net/en/)
LimeSurvey · Apr 19, 2022 · f7b3561 · Shnoulle · Apr 20, 2022 · Shnoulle
1 parent bb5e069
commit f7b3561
Showing 1 changed file with 12 additions and 14 deletions.
diff --git a/application/views/admin/pluginmanager/uploadConfirm.php b/application/views/admin/pluginmanager/uploadConfirm.php
@@ -2,8 +2,7 @@
     <div class='pagetitle h3'><?php eT('Confirm uploaded plugin'); ?></div>
 
     <?php // Only show config summary if config could be found. ?>
-    <?php if (isset($config)): ?>
-
+    <?php if (isset($config)) : ?>
         <?php echo CHtml::form(
             Yii::app()->getController()->createUrl(
                 '/admin/pluginmanager',
@@ -16,14 +15,14 @@
 
             <input type="hidden" name="isUpdate" value="<?php echo json_encode($isUpdate); ?>" />
 
-            <?php if ($isUpdate): ?>
+            <?php if ($isUpdate) : ?>
                 <div class='alert alert-info'>
                     <p>
                         <i class='fa fa-info'></i>&nbsp;
                         <?php eT('The following plugin will be updated. Please click "Update" to update the plugin, or "Abort" to abort.'); ?>
                     </p>
                 </div>
-            <?php else: ?>
+            <?php else : ?>
                 <div class='alert alert-info'>
                     <p>
                         <i class='fa fa-info'></i>&nbsp;
@@ -35,33 +34,33 @@
             <!-- Name -->
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"><?php eT("Name:"); ?></label>
-                <div class="col-sm-4"><?php echo $config->getName(); ?></div>
+                <div class="col-sm-4"><?=htmlentities($config->getName()); ?></div>
             </div>
 
             <!-- Description -->
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"><?php eT("Description:"); ?></label>
-                <div class="col-sm-8"><?php echo $config->getDescription(); ?></div>
+                <div class="col-sm-8"><?=htmlentities($config->getDescription()); ?></div>
             </div>
 
             <!-- Version -->
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"><?php eT("Version:"); ?></label>
-                <div class="col-sm-4"><?php echo $config->getVersion(); ?></div>
+                <div class="col-sm-4"><?=htmlentities($config->getVersion()); ?></div>
             </div>
 
             <!-- Author -->
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"><?php eT("Author:"); ?></label>
-                <div class="col-sm-4"><?php echo $config->getAuthor(); ?></div>
+                <div class="col-sm-4"><?=htmlentities($config->getAuthor()); ?></div>
             </div>
 
             <!-- Compatible -->
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"><?php eT("Compatible"); ?></label>
-                <?php if ($config->isCompatible()): ?>
+                <?php if ($config->isCompatible()) : ?>
                     <div class="col-sm-4"><span class="fa fa-check text-success"></span></div>
-                <?php else: ?>
+                <?php else : ?>
                     <div class="col-sm-4"><span class="fa fa-times text-warning"></span></div>
                 <?php endif; ?>
             </div>
@@ -70,9 +69,9 @@
             <div class="form-group col-sm-12">
                 <label class="col-sm-4 control-label"></label>
                 <div class="col-sm-4">
-                    <?php if ($isUpdate): ?>
+                    <?php if ($isUpdate) : ?>
                         <input type="submit" class="btn btn-success" value="<?php eT("Update");?>" />
-                    <?php else: ?>
+                    <?php else : ?>
                         <input type="submit" class="btn btn-success" value="<?php eT("Install");?>" />
                     <?php endif; ?>
                     <a href="<?php echo $abortUrl; ?>" class="btn btn-warning" data-dismiss="modal"><?php eT("Abort");?></a>
@@ -81,8 +80,7 @@
 
         </form>
 
-    <?php else: ?>
-
+    <?php else : ?>
         <div class='alert alert-warning'>
             <p>
             <i class='fa fa-warning'></i>&nbsp;