Fixed issue: XSS reflection in CPDB and global settings

1 parent 9938bcd commit d23fbbd6c8434169967cf8bd2c5a4a0b569c352a @c-schmitz c-schmitz committed Jul 2, 2014
@@ -835,7 +835,7 @@ function getParticipants_json($search = null)
*/
function getAttribute_json()
{
- $iParticipantId = Yii::app()->request->getQuery('pid');
+ $iParticipantId = strip_tags(Yii::app()->request->getQuery('pid'));
$records = ParticipantAttributeName::model()->getParticipantVisibleAttribute($iParticipantId);
$records = subval_sort($records, "attribute_name", "asc");
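Review bot: Wrapping the `pid` query value in `strip_tags()` on the added line is not a reliable XSS mitigation: it removes tags but leaves quotes and other attribute-context characters intact, and it is not tied to wherever the value is later echoed, so the reflection is only narrowed rather than closed. The robust fix is to validate the id against its expected shape before it is used and to escape at the output point (for example `CHtml::encode(...)` or the JSON encoder the function's name suggests it ends with); if participant ids are GUIDs here, a pattern check such as `if (!preg_match('/^[0-9a-f-]{1,36}$/i', (string) $iParticipantId)) { throw new CHttpException(400); }` would reject anything that is not an id. Note also that `strip_tags()` receives `null` when `pid` is absent, which newer PHP versions report as a deprecation. The body of `getAttribute_json()` continues past the end of this hunk, so the output path is not visible here.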
@@ -361,7 +361,7 @@
<?php $thisforce_ssl = getGlobalSetting('force_ssl');
$opt_force_ssl_on = $opt_force_ssl_off = $opt_force_ssl_neither = '';
- $warning_force_ssl = sprintf($clang->gT('Warning: Before turning on HTTPS,%s check if this link works.%s'),'<a href="https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'].'" title="'. $clang->gT('Test if your server has SSL enabled by clicking on this link.').'">','</a>')
+ $warning_force_ssl = sprintf($clang->gT('Warning: Before turning on HTTPS,%s check if this link works.%s'),'<a href="https://'.$_SERVER['HTTP_HOST'].$this->createUrl("admin/globalsettings/sa").'" title="'. $clang->gT('Test if your server has SSL enabled by clicking on this link.').'">','</a>')
.'<br/> '
. $clang->gT("If the link does not work and you turn on HTTPS, LimeSurvey will break and you won't be able to access it.");
switch($thisforce_ssl)
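Review bot: The new line still concatenates `$_SERVER['HTTP_HOST']` unescaped into the `href` attribute; only the `REQUEST_URI` part of the reflection was removed. The Host header is client-supplied in many server configurations, so it remains both an injection point for this attribute and a host-header poisoning surface for the "test HTTPS" link. A safer form keeps the intent and escapes the whole URL, e.g. `'<a href="'.CHtml::encode($this->createAbsoluteUrl('admin/globalsettings/sa', array(), 'https')).'" title="'`; note that Yii's host detection also falls back to `HTTP_HOST` unless `hostInfo` is configured, so the escaping is the part that actually closes the attribute injection. The surrounding view file and its `<?php` block start before this hunk.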
