Fixed issue #19368: [security] Simple admin can add XSS on adminemail (…

…#3705)
LimeSurvey · Jan 30, 2024 · fb69f3f · fb69f3f
1 parent 81570a8
commit fb69f3f
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/application/models/Survey.php b/application/models/Survey.php
@@ -499,7 +499,9 @@ public function rules()
             array('admin', 'LSYii_Validators'),
             array('admin', 'length', 'min' => 1, 'max' => 50),
             array('adminemail', 'filter', 'filter' => 'trim'),
+            array('adminemail', 'LSYii_Validators'),
             array('bounce_email', 'filter', 'filter' => 'trim'),
+            array('bounce_email', 'LSYii_Validators'),
             //array('bounce_email', 'LSYii_EmailIDNAValidator', 'allowEmpty'=>true),
             array('active', 'in', 'range' => array('Y', 'N'), 'allowEmpty' => true),
             array('gsid', 'numerical', 'min' => '0', 'allowEmpty' => true),

diff --git a/themes/survey/vanilla/views/layout_errors.twig b/themes/survey/vanilla/views/layout_errors.twig
@@ -70,7 +70,7 @@
                         {{gT("For further information please contact %s:")|format (aSurveyInfo.admin)}}
                         {% if aSurveyInfo.adminemail %}
                             <br>
-                            <a href='mailto:{{ aSurveyInfo.adminemail }}'>{{ aSurveyInfo.adminemail }}</a>
+                            <a href='mailto:{{ aSurveyInfo.adminemail|url_encode }}'>{{ aSurveyInfo.adminemail }}</a>
                         {% endif %}
                     {% endif %}
                 </p>