From 49f6a173b20c0632292333b24a919439f5d173b0 Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Mon, 14 Jan 2013 17:16:03 +0100
Subject: [PATCH] Fixed issue: #7160: Impossible submit page with some email validation

Dev: sanitize_html_string replace -/+ .... by html entities, the use minimum for XSS security
---
 application/modules/CheckQuestion.php | 2 +-
 application/modules/CommentCheckQuestion.php | 2 +-
 application/modules/CommentListQuestion.php | 2 +-
 application/modules/ListQuestion.php | 2 +-
 application/modules/MultitextQuestion.php | 2 +-
 application/modules/TextArrayQuestion.php | 2 +-
 application/modules/TextQuestion.php | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/application/modules/CheckQuestion.php b/application/modules/CheckQuestion.php
index 1e3ef31a12e..41547efb420 100644
--- a/application/modules/CheckQuestion.php
+++ b/application/modules/CheckQuestion.php
@@ -589,7 +589,7 @@ public function getVarAttributeLEM($sgqa,$value)
 {
 if (preg_match('/other$/',$sgqa))
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 else
 {
diff --git a/application/modules/CommentCheckQuestion.php b/application/modules/CommentCheckQuestion.php
index 31e1177e3b8..772588b509a 100644
--- a/application/modules/CommentCheckQuestion.php
+++ b/application/modules/CommentCheckQuestion.php
@@ -320,7 +320,7 @@ public function getVarAttributeLEM($sgqa,$value)
 {
 if (preg_match('/comment$/',$sgqa))
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 else
 {
diff --git a/application/modules/CommentListQuestion.php b/application/modules/CommentListQuestion.php
index b789bd79f36..430d8b90814 100644
--- a/application/modules/CommentListQuestion.php
+++ b/application/modules/CommentListQuestion.php
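Review bot: `ENT_NOQUOTES` on the new `return` line in CheckQuestion leaves `"` and `'` unescaped, so if the value this method returns is ever placed into an HTML attribute or a quoted JavaScript string by the expression manager, a response like `" onmouseover="…` breaks out of the attribute and the entity encoding of `<` and `>` buys nothing; where the value is rendered is not visible in this hunk, so treat this as a risk to confirm rather than a demonstrated bypass. Escaping quotes does not reintroduce the `+`/`-` problem from #7160, so prefer `return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value), ENT_QUOTES, 'UTF-8');`. Passing the charset explicitly also matters because `htmlspecialchars` defaults to ISO-8859-1 before PHP 5.4 and to UTF-8 from 5.4 onward, and on 5.4+ an invalid UTF-8 sequence makes it return an empty string unless `ENT_SUBSTITUTE` is added, which would silently blank a respondent's answer. The `else` branch of `getVarAttributeLEM` continues outside the hunk.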
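Review bot: The new `return` line in CommentCheckQuestion still rewrites the value it hands back (`&` becomes `&amp;`, `<` becomes `&lt;`), so if this return value is also what the expression manager validates — the subject line says the bug surfaced in email validation — a comment containing `&` or an angle bracket can fail a length or regex check the same way `+` and `-` did before this patch; the consumer is not visible from here, so that is a hypothesis to test, not a confirmed regression. The robust shape is to escape where the value is echoed into HTML and keep `getVarAttributeLEM` returning the raw answer, but at minimum the trade-off should be recorded next to the call, e.g. `// NOTE(review): entity-encoded for LEM; '&', '<', '>' are still altered -- confirm validation does not run on this value`. Nothing in the commit message says why quotes were excluded, so a later maintainer cannot tell whether `ENT_NOQUOTES` was deliberate or incidental.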
@@ -291,7 +291,7 @@ public function getVarAttributeLEM($sgqa,$value)
 {
 if (preg_match('/comment$/',$sgqa))
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 else
 {
diff --git a/application/modules/ListQuestion.php b/application/modules/ListQuestion.php
index f0e562fea8e..950aae753f8 100644
--- a/application/modules/ListQuestion.php
+++ b/application/modules/ListQuestion.php
@@ -600,7 +600,7 @@ public function getVarAttributeLEM($sgqa,$value)
 {
 if (preg_match('/other$/',$sgqa))
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 else
 {
diff --git a/application/modules/MultitextQuestion.php b/application/modules/MultitextQuestion.php
index 3a65a4c0bd7..53c9868fb35 100644
--- a/application/modules/MultitextQuestion.php
+++ b/application/modules/MultitextQuestion.php
@@ -421,7 +421,7 @@ public function questionProperties($prop = false)
 public function getVarAttributeLEM($sgqa,$value)
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 }
diff --git a/application/modules/TextArrayQuestion.php b/application/modules/TextArrayQuestion.php
index a20c1d4af8a..7b710eeebf1 100644
--- a/application/modules/TextArrayQuestion.php
+++ b/application/modules/TextArrayQuestion.php
@@ -732,7 +732,7 @@ public function questionProperties($prop = false)
 public function getVarAttributeLEM($sgqa,$value)
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 }
diff --git a/application/modules/TextQuestion.php b/application/modules/TextQuestion.php
index 1ad33b4e76e..25540ca0624 100644
--- a/application/modules/TextQuestion.php
+++ b/application/modules/TextQuestion.php
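Review bot: The ListQuestion hunk is the fourth of seven byte-identical `return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);` lines in this patch, so the escaping policy (flags, charset, whether quotes are covered) now lives in seven places and the next adjustment has to touch all of them again. Since every override already calls `parent::getVarAttributeLEM`, the shared parent looks like the natural home for one protected helper, e.g. `protected function escapeLemValue($value) { return htmlspecialchars($value, ENT_NOQUOTES); }`, with each override reduced to `return $this->escapeLemValue(parent::getVarAttributeLEM($sgqa,$value));`. The parent class is not in this diff, so whether all seven modules share the same immediate parent is an assumption to check before hoisting.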
@@ -88,7 +88,7 @@ public function getTypeHelp($language)
 public function getVarAttributeLEM($sgqa,$value)
 {
- return sanitize_html_string(parent::getVarAttributeLEM($sgqa,$value));
+ return htmlspecialchars(parent::getVarAttributeLEM($sgqa,$value),ENT_NOQUOTES);
 }
 }
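Review bot: The `getVarAttributeLEM` override in TextQuestion carries no docblock, and nothing on the changed line says why the parent's value is escaped here rather than by whatever renders it, so the next reader has to rediscover issue #7160 to understand the `ENT_NOQUOTES` choice. A short docblock would carry that: state that it returns the parent's LEM attribute value passed through `htmlspecialchars` with quotes left intact, give `@param string $sgqa`, `@param mixed $value` and `@return string`, and add a `@see` to #7160 explaining why `sanitize_html_string` was dropped. The parent's return type is not visible in this hunk, so the `mixed`/`string` annotations are inferred from the `htmlspecialchars` call and should be confirmed against the parent before being written down as fact.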