
Commit 83e994c

committed
Survey: add remove_xss
1 parent 08b1ae8 commit 83e994c


5 files changed

+29
-25
lines changed


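--- a/main/survey/ch_yesno.php
+++ b/main/survey/ch_yesno.php
@@ -62,7 +62,7 @@ public function render(FormValidator $form, $questionData = [], $answers = null)
 if (is_array($questionData['options'])) {
 $class = 'radio-inline';
 $labelClass = 'radio-inline';
-if ('vertical' == $questionData['display']) {
+if ('vertical' === $questionData['display']) {
 $class = 'radio-vertical';
 }
 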
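--- a/main/survey/fillsurvey.php
+++ b/main/survey/fillsurvey.php
@@ -807,7 +807,7 @@
 $questions[$sort]['survey_question'] = $row['survey_question'];
 $questions[$sort]['display'] = $row['display'];
 $questions[$sort]['type'] = $row['type'];
-$questions[$sort]['options'][$row['question_option_id']] = $row['option_text'];
+$questions[$sort]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
 $questions[$sort]['maximum_score'] = $row['max_value'];
 $questions[$sort]['sort'] = $sort;
 $questions[$sort]['is_required'] = $allowRequiredSurveyQuestions && $row['is_required'];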
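Review bot: Only `option_text` is filtered here, while the context line 807 still stores `$row['survey_question']` raw into the same `$questions` entry; the parallel loops in preview.php and in `displayUserReportAnswers` in surveyUtil.class.php filter both fields in this commit. Unless the question text is purified further down the render path (not visible in this hunk), the same treatment belongs on line 807: `$questions[$sort]['survey_question'] = Security::remove_XSS($row['survey_question']);`. The enclosing loop starts and ends outside the hunk.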

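--- a/main/survey/preview.php
+++ b/main/survey/preview.php
@@ -149,10 +149,10 @@
 $sort = $row['sort'];
 $questions[$sort]['question_id'] = $row['question_id'];
 $questions[$sort]['survey_id'] = $row['survey_id'];
-$questions[$sort]['survey_question'] = $row['survey_question'];
+$questions[$sort]['survey_question'] = Security::remove_XSS($row['survey_question']);
 $questions[$sort]['display'] = $row['display'];
 $questions[$sort]['type'] = $row['type'];
-$questions[$sort]['options'][$row['question_option_id']] = $row['option_text'];
+$questions[$sort]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
 $questions[$sort]['maximum_score'] = $row['max_value'];
 $questions[$sort]['parent_id'] = isset($row['parent_id']) ? $row['parent_id'] : 0;
 $questions[$sort]['parent_option_id'] = isset($row['parent_option_id']) ? $row['parent_option_id'] : 0;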
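Review bot: The row-to-`$questions` mapping patched here is the same code that is patched again, field by field, in fillsurvey.php and in `displayUserReportAnswers` in surveyUtil.class.php, and the three copies now disagree on which fields get `Security::remove_XSS` (fillsurvey.php leaves `survey_question` raw). Keeping the output-filtering policy in three places is how one copy drifts; a single static helper that builds the question entry from a `$row` and applies the filtering once would let each caller share the same decision. That is a refactor beyond this commit, so a follow-up is fine, but a short comment above this loop noting that the filtering is intentionally applied at load time rather than at render time would help the next reader, since the rest of the code base filters at `echo` sites.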

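--- a/main/survey/survey.php
+++ b/main/survey/survey.php
@@ -314,9 +314,9 @@
 
 if ($survey_data['survey_type'] != 3) {
 if (api_strlen($row['survey_question']) > 100) {
-echo api_substr(strip_tags($row['survey_question']), 0, 100).' ... ';
+echo Security::remove_XSS(api_substr(strip_tags($row['survey_question']), 0, 100)).' ... ';
 } else {
-echo Security::remove_XSS($row['survey_question']);
+echo Security::remove_XSS($row['survey_question']);
 }
 } else {
 $parts = explode('@@', $row['survey_question']);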
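Review bot: The filtering is applied in the two branches of the `survey_type != 3` case, but the `else` branch on the last context line splits the same `$row['survey_question']` into `$parts`, and whatever echoes those parts lies outside the hunk, so it is not clear that path received the same treatment. Filtering the value once before the branch, e.g. `$questionText = Security::remove_XSS($row['survey_question']);`, and using `$questionText` in all three paths would close that gap and avoid repeating the call. The enclosing loop continues outside the hunk.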

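--- a/main/survey/surveyUtil.class.php
+++ b/main/survey/surveyUtil.class.php
@@ -418,11 +418,11 @@ public static function displayUserReportAnswers($userId, $survey_data, $addMessa
 if ($row['type'] != 'pagebreak') {
 $questions[$row['sort']]['question_id'] = $row['question_id'];
 $questions[$row['sort']]['survey_id'] = $row['survey_id'];
-$questions[$row['sort']]['survey_question'] = $row['survey_question'];
+$questions[$row['sort']]['survey_question'] = Security::remove_XSS($row['survey_question']);
 $questions[$row['sort']]['display'] = $row['display'];
 $questions[$row['sort']]['type'] = $row['type'];
 $questions[$row['sort']]['maximum_score'] = $row['max_value'];
-$questions[$row['sort']]['options'][$row['question_option_id']] = $row['option_text'];
+$questions[$row['sort']]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
 }
 }
 
@@ -615,7 +615,7 @@ public static function display_question_report($survey_data)
 $row = 0;
 foreach ($data as $label => $item) {
 $table->setCellContents($row, 0, $label);
-$table->setCellContents($row, 1, $item);
+$table->setCellContents($row, 1, Security::remove_XSS($item));
 $row++;
 }
 
@@ -670,7 +670,7 @@ public static function display_question_report($survey_data)
 $questionId = (int) $question['question_id'];
 
 echo '<div class="title-question">';
-echo strip_tags(isset($question['survey_question']) ? $question['survey_question'] : null);
+echo Security::remove_XSS(strip_tags(isset($question['survey_question']) ? $question['survey_question'] : null));
 echo '</div>';
 
 if ('score' === $question['type']) {
@@ -729,6 +729,8 @@ public static function display_question_report($survey_data)
 foreach ($options as $option) {
 $optionText = strip_tags($option['option_text']);
 $optionText = html_entity_decode($optionText);
+$optionText = Security::remove_XSS($optionText);
+
 $votes = 0;
 if (isset($data[$option['question_option_id']]['total'])) {
 $votes = $data[$option['question_option_id']]['total'];
@@ -752,7 +754,7 @@ public static function display_question_report($survey_data)
 
 // Displaying the table: the content
 if (is_array($options)) {
-foreach ($options as $key => &$value) {
+foreach ($options as &$value) {
 if ('multiplechoiceother' === $question['type'] && 'other' === $value['option_text']) {
 $value['option_text'] = get_lang('SurveyOtherAnswer');
 }
@@ -773,7 +775,7 @@ public static function display_question_report($survey_data)
 $answers_number = $absolute_number / $number_of_answers[$option['question_id']] * 100;
 }
 echo '<tr>';
-echo '<td>'.$value['option_text'].'</td>';
+echo '<td>'.Security::remove_XSS($value['option_text']).'</td>';
 echo '<td>';
 if ($absolute_number != 0) {
 echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/reporting.php?action='.$action
@@ -1120,9 +1122,9 @@ class = "save"
 in_array($row['question_id'], $_POST['questions_filter']))
 ) {
 // We do not show comment and pagebreak question types
-if ('pagebreak' != $row['type']) {
+if ('pagebreak' !== $row['type']) {
 $content .= ' <th';
-if ($row['number_of_options'] > 0 && 'percentage' != $row['type']) {
+if ($row['number_of_options'] > 0 && 'percentage' !== $row['type']) {
 $content .= ' colspan="'.$row['number_of_options'].'"';
 }
 $content .= '>';
@@ -1132,7 +1134,7 @@ class = "save"
 type="checkbox"
 name="questions_filter[]" value="'.$row['question_id'].'" checked="checked"/>';
 }
-$content .= $row['survey_question'];
+$content .= Security::remove_XSS($row['survey_question']);
 $content .= '</label>';
 $content .= '</th>';
 }
@@ -1189,7 +1191,7 @@ class = "save"
 (is_array($_POST['questions_filter']) && in_array($row['question_id'], $_POST['questions_filter']))
 ) {
 // we do not show comment and pagebreak question types
-if ('open' == $row['type'] || 'comment' == $row['type']) {
+if ('open' === $row['type'] || 'comment' === $row['type']) {
 $content .= '<th>&nbsp;-&nbsp;</th>';
 $possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
 $display_percentage_header = 1;
@@ -1201,7 +1203,7 @@ class = "save"
 $possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
 } elseif ($row['type'] !== 'pagebreak' && $row['type'] !== 'percentage') {
 $content .= '<th>';
-$content .= $row['option_text'];
+$content .= Security::remove_XSS($row['option_text']);
 $content .= '</th>';
 $possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
 $display_percentage_header = 1;
@@ -2116,7 +2118,7 @@ public static function display_comparative_report()
 $optionsX = ['----'];
 $optionsY = ['----'];
 $defaults = [];
-foreach ($questions as $key => &$question) {
+foreach ($questions as &$question) {
 // Ignored tagged questions
 if ($question) {
 if (strpos($question['question'], '{{') !== false) {
@@ -2133,6 +2135,7 @@ public static function display_comparative_report()
 if (isset($_GET['yaxis']) && $_GET['yaxis'] == $question['question_id']) {
 $defaults['yaxis'] = $question['question_id'];
 }
+$question['question'] = Security::remove_XSS($question['question']);
 
 $optionsX[$question['question_id']] = api_substr(strip_tags($question['question']), 0, 90);
 $optionsY[$question['question_id']] = api_substr(strip_tags($question['question']), 0, 90);
@@ -2171,16 +2174,17 @@ public static function display_comparative_report()
 if ($ii == 0) {
 $tableHtml .= '<th>&nbsp;</th>';
 } else {
-if ($question_x['type'] == 'score') {
+if ($question_x['type'] === 'score') {
 for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
-$tableHtml .= '<th>'.$question_x['answers'][($ii - 1)].'<br />'.$x.'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_x['answers'][($ii - 1)]).'<br />'.$x.'</th>';
 }
 $x = '';
 } else {
-$tableHtml .= '<th>'.$question_x['answers'][($ii - 1)].'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_x['answers'][($ii - 1)]).'</th>';
 }
 $optionText = strip_tags($question_x['answers'][$ii - 1]);
 $optionText = html_entity_decode($optionText);
+$optionText = Security::remove_XSS($optionText);
 array_push($xOptions, trim($optionText));
 }
 }
@@ -2198,7 +2202,7 @@ public static function display_comparative_report()
 if ($question_x['type'] == 'score') {
 for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
 if ($ii == 0) {
-$tableHtml .= '<th>'.$question_y['answers'][($ij)].' '.$y.'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][($ij)]).' '.$y.'</th>';
 break;
 } else {
 $tableHtml .= '<td align="center">';
@@ -2224,7 +2228,7 @@ public static function display_comparative_report()
 }
 } else {
 if ($ii == 0) {
-$tableHtml .= '<th>'.$question_y['answers'][$ij].' '.$y.'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][$ij]).' '.$y.'</th>';
 } else {
 $tableHtml .= '<td align="center">';
 $votes = self::comparative_check(
@@ -2257,7 +2261,7 @@ public static function display_comparative_report()
 if ($question_x['type'] === 'score') {
 for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
 if ($ii == 0) {
-$tableHtml .= '<th>'.$question_y['answers'][$ij].'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][$ij]).'</th>';
 break;
 } else {
 $tableHtml .= '<td align="center">';
@@ -2283,7 +2287,7 @@ public static function display_comparative_report()
 }
 } else {
 if ($ii == 0) {
-$tableHtml .= '<th>'.$question_y['answers'][($ij)].'</th>';
+$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][($ij)]).'</th>';
 } else {
 $tableHtml .= '<td align="center">';
 $votes = self::comparative_check(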
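Review bot: The by-reference loops rewritten in the hunks at old lines 755 (`foreach ($options as &$value)`) and 2119 (`foreach ($questions as &$question)`) drop the unused `$key` but keep the reference, and PHP leaves `$value`/`$question` bound to the last element after the loop ends, so any later assignment to that variable silently overwrites the final array entry unless `unset($value);` and `unset($question);` follow the respective loops. Both loop bodies end outside the hunks, so I cannot see whether those unsets exist; if not, add them right after each closing brace. Note also that the new line 2138 writes the filtered text back through that reference, so `$questions` now holds purified rather than raw question text for the rest of `display_comparative_report()`, which is fine for display but worth a one-line comment since the same array feeds `$optionsX`/`$optionsY` on the following lines. The hunk at old line 776 filters `$value['option_text']` but leaves the adjacent `'survey/reporting.php?action='.$action` href concatenation untouched; `$action` is defined outside the hunk, so confirm it is constrained to a fixed set or URL-encoded before it reaches the attribute.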
