Fixed issue #9386: XSS issue related to survey deletion

LimeSurvey · Dec 18, 2014 · c3e948f · c3e948f
1 parent 06addf2
commit c3e948f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/application/controllers/admin/surveyadmin.php b/application/controllers/admin/surveyadmin.php
@@ -711,15 +711,15 @@ public function getSurveys_json()
     * @param string $sa
     * @return void
     */
-    public function delete($iSurveyID, $delete = 'no')
+    public function delete($iSurveyID)
     {
         $aData = $aViewUrls = array();
         $aData['surveyid'] = $iSurveyID = (int) $iSurveyID;
         $clang = $this->getController()->lang;
 
         if (Permission::model()->hasSurveyPermission($iSurveyID, 'survey', 'delete'))
         {
-            if ($delete == 'yes')
+            if (Yii::app()->request->getPost("delete") == 'yes')
             {
                 $aData['issuperadmin'] = Permission::model()->hasGlobalPermission('superadmin','read');
                 $this->_deleteSurvey($iSurveyID);

diff --git a/application/views/admin/survey/deleteSurvey_view.php b/application/views/admin/survey/deleteSurvey_view.php
@@ -31,8 +31,11 @@
             <?php $clang->eT("This survey has an associated tokens table. If you delete this survey this tokens table will be deleted. We recommend that you export or backup these tokens before deleting this survey."); ?><br /><br />
         <?php } ?>
 
-        <p>
-        <input type='submit' value='<?php $clang->eT("Delete survey"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/delete/surveyid/$surveyid/delete/yes"); ?>', '_top')" />
-        <input type='submit' value='<?php $clang->eT("Cancel"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/view/surveyid/$surveyid"); ?>', '_top')" />
+        echo CHtml::beginForm($this->createUrl("admin/survey/sa/delete/surveyid/{$surveyid}"), 'post');?>
+        <input type='hidden' name='delete' value='yes'>
+        <input type='submit' value='<?php $clang->eT("Delete survey"); ?>'>
+        <input type='button' value='<?php $clang->eT("Cancel"); ?>' onclick="window.open('<?php echo $this->createUrl("admin/survey/sa/view/surveyid/$surveyid"); ?>', '_top')" />
+        <?php
+        echo CHtml::endForm();
     <?php } ?>
 </div><br />&nbsp;