Fixed issue #09260: XSS in browse response

Fixed issue : Only answer code are shown
Dev: better view for browse table : please never update wrapper width : it's AWFULL with little tab

application/controllers/admin/responses.php

@@ -455,7 +455,10 @@ function browse($iSurveyID)
     */
     public function getResponses_json($iSurveyID)
     {
-
+        if(!Permission::model()->hasSurveyPermission($iSurveyID,'responses','read'))
+        {
+            Yii::app()->end();
+        }
         $aData = $this->_getData($iSurveyID);
 
         extract($aData);
@@ -549,21 +552,14 @@ public function getResponses_json($iSurveyID)
             $aSurveyEntry[] = empty($row['submitdate'])?'N':'Y';
             $aSurveyEntry[] = $row['id'];
             $aSurveyEntry[] = $row['startlanguage'];
-            $aSurveyEntry[] = $row[$fnames[2][0]];
-            $aSurveyEntry[] = $row[$fnames[3][0]];
-
             foreach ($row as $row_index => $row_value) {
-
                 // Ignore these fields
                 if (in_array($row_index, array('id', 'submitdate', 'lastpage', 'startlanguage', 'startdate', 'datestamp'))) {
                     continue;
                 }
-
-                $aSurveyEntry[] = $row_value;
-
+                $aSurveyEntry[] = strip_tags(stripJavaScript(getExtendedAnswer($iSurveyID, $row_index, $row_value, $oBrowseLanguage)));
             }
 
-
             $all_rows[] = array('id' => $row['id'], 'cell' =>  $aSurveyEntry);
 
         }

scripts/admin/browse.js

@@ -11,24 +11,6 @@
 *
 */
 
-/* Tooltip only on mouseenter and only if there are no title
- * This allow to set tooltip only when needed
- */
-$(document).on("mouseenter",".browsetable thead th:not([title])",function(){
-  $(this).attr('title',$(this).find(".questiontext").text());
-  $(this).tooltip({ tooltipClass: "tooltip-text" });//,track: true allow to update always tooltip, but seems really annoying
-});
-$(document).on("mouseenter",".browsetable tbody td:not([title])",function(){
-  if($(this).text().length>20)// 20 seem a good value, maybe less (10 ?)
-  {
-    $(this).attr('title',$(this).text());
-    $(this).tooltip({ tooltipClass: "tooltip-text" });
-  }
-  else
-  {
-    $(this).attr('title',"");// Don't do this again
-  }
-});
 $(document).ready(function(){
     $('ul.sf-menu').superfish({
         speed:'fast'

scripts/admin/listresponse.js

@@ -99,7 +99,7 @@ $(document)
 						url : jsonUrl,
 						// editurl : editUrl,
 						datatype : "json",
-						mtype : "post",
+						mtype : "POST",
 						colNames : colNames,
 						colModel : returnColModel(),
 						toppager : true,
@@ -118,7 +118,10 @@ $(document)
 						multiselect : true,
 						loadonce : true,
 						pager : "#pager",
-						caption : sCaption
+						caption : sCaption,
+						loadComplete: function(){
+						 $("#displayresponses").tooltip({ tooltipClass: "tooltip-text" });
+						}
 					});
 					jQuery("#displayresponses").jqGrid(
 							'navGrid',
@@ -213,10 +216,6 @@ $(document)
 						minHeight : 100
 					});
 
-					$('.wrapper').width($('#displayresponses').width() * 1.006);
-					$('.footer').width(
-							($('#displayresponses').width() * 1.006) - 10);
-
 					/* Trigger the inline search when the access list changes */
 					$('#gs_completed_select').change(
 							function() {

styles/adminstyle.css

@@ -203,7 +203,7 @@ clear: none !important;
     width: auto;
     overflow: hidden;
 }
-
+.ui-jqgrid,.ui-jqgrid-view,.ui-jqgrid-titlebar,.ui-jqgrid-toppager,.ui-jqgrid-pager{min-width:100%;max-width:100%;border-right-width:0;border-left-width:0}
 legend { line-height: normal; }
 
 /* export tooltips */