Fixed issue #9386: XSS issue related to survey deletion

LimeSurvey · Dec 18, 2014 · f901634 · f901634
1 parent 9b50b1b
commit f901634
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 10 deletions.
diff --git a/application/controllers/admin/surveyadmin.php b/application/controllers/admin/surveyadmin.php
@@ -705,13 +705,13 @@ public function getSurveys_json()
     * @param string $sa
     * @return void
     */
-    public function delete($iSurveyID, $delete = 'no')
+    public function delete($iSurveyID)
     {
         $aData = $aViewUrls = array();
         $aData['surveyid'] = $iSurveyID = (int) $iSurveyID;
         if (Permission::model()->hasSurveyPermission($iSurveyID, 'survey', 'delete'))
         {
-            if ($delete == 'yes')
+            if (Yii::app()->request->getPost("delete") == 'yes')
             {
                 $aData['issuperadmin'] = Permission::model()->hasGlobalPermission('superadmin','read');
                 $this->_deleteSurvey($iSurveyID);

diff --git a/application/views/admin/survey/deleteSurvey_view.php b/application/views/admin/survey/deleteSurvey_view.php
@@ -13,8 +13,8 @@
         </body></html>
         <?php return;
     }
-	else
-	{ ?>
+    else
+    { ?>
         <div class='warningheader'><?php eT("Warning"); ?></div><br />
         <strong><?php eT("You are about to delete this survey"); ?> (<?php echo $surveyid; ?>)</strong><br /><br />
         <?php eT("This process will delete this survey, and all related groups, questions answers and conditions."); ?><br /><br />
@@ -24,15 +24,18 @@
         if (tableExists("{{survey_{$surveyid}}}"))
         { ?>
             <br /><br /><?php eT("This survey is active and a responses table exists. If you delete this survey, these responses (and files) will be deleted. We recommend that you export the responses before deleting this survey."); ?><br /><br />
-        <?php }
+            <?php }
 
         if (tableExists("{{tokens_{$surveyid}}}"))
         { ?>
             <?php eT("This survey has an associated tokens table. If you delete this survey this tokens table will be deleted. We recommend that you export or backup these tokens before deleting this survey."); ?><br /><br />
-        <?php } ?>
+            <?php }
 
-        <p>
-        <input type='submit' value='<?php eT("Delete survey"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/delete/surveyid/$surveyid/delete/yes"); ?>', '_top')" />
-        <input type='submit' value='<?php eT("Cancel"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/view/surveyid/$surveyid"); ?>', '_top')" />
-    <?php } ?>
+        echo CHtml::beginForm($this->createUrl("admin/survey/sa/delete/surveyid/{$surveyid}"), 'post');?>
+        <input type='hidden' name='delete' value='yes'>
+        <input type='submit' value='<?php eT("Delete survey"); ?>'>
+        <input type='button' value='<?php eT("Cancel"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/view/surveyid/$surveyid"); ?>', '_top')" />
+        <?php
+        echo CHtml::endForm();
+    } ?>
 </div><br />&nbsp;