Survey: add remove_xss
jmontoyaa committed Aug 5, 2021
1 parent 08b1ae8 commit 83e994c
Showing 5 changed files with 29 additions and 25 deletions.
2 changes: 1 addition & 1 deletion main/survey/ch_yesno.php
Expand Up @@ -62,7 +62,7 @@ public function render(FormValidator $form, $questionData = [], $answers = null)
if (is_array($questionData['options'])) {
$class = 'radio-inline';
$labelClass = 'radio-inline';
if ('vertical' == $questionData['display']) {
if ('vertical' === $questionData['display']) {
$class = 'radio-vertical';
}

2 changes: 1 addition & 1 deletion main/survey/fillsurvey.php
Expand Up @@ -807,7 +807,7 @@
$questions[$sort]['survey_question'] = $row['survey_question'];
$questions[$sort]['display'] = $row['display'];
$questions[$sort]['type'] = $row['type'];
$questions[$sort]['options'][$row['question_option_id']] = $row['option_text'];
$questions[$sort]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
$questions[$sort]['maximum_score'] = $row['max_value'];
$questions[$sort]['sort'] = $sort;
$questions[$sort]['is_required'] = $allowRequiredSurveyQuestions && $row['is_required'];
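Review bot: The loop now filters `option_text` but `$questions[$sort]['survey_question'] = $row['survey_question'];` a few lines above is still stored raw, while the equivalent loading loop in main/survey/preview.php in this same commit filters both fields. If `survey_question` reaches the rendered form through the same `$questions` array — likely, but its consumer is not visible here — it deserves the same `Security::remove_XSS($row['survey_question'])`. The enclosing loop starts and ends outside the hunk.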
4 changes: 2 additions & 2 deletions main/survey/preview.php
Expand Up @@ -149,10 +149,10 @@
$sort = $row['sort'];
$questions[$sort]['question_id'] = $row['question_id'];
$questions[$sort]['survey_id'] = $row['survey_id'];
$questions[$sort]['survey_question'] = $row['survey_question'];
$questions[$sort]['survey_question'] = Security::remove_XSS($row['survey_question']);
$questions[$sort]['display'] = $row['display'];
$questions[$sort]['type'] = $row['type'];
$questions[$sort]['options'][$row['question_option_id']] = $row['option_text'];
$questions[$sort]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
$questions[$sort]['maximum_score'] = $row['max_value'];
$questions[$sort]['parent_id'] = isset($row['parent_id']) ? $row['parent_id'] : 0;
$questions[$sort]['parent_option_id'] = isset($row['parent_option_id']) ? $row['parent_option_id'] : 0;
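Review bot: Sanitised text is now stored in `$questions` instead of being escaped at output, so every consumer of the array, including question renderers such as ch_yesno's `render($form, $questionData)`, receives pre-filtered values; a consumer that escapes again on output could double-encode entities. A short comment above the loop, e.g. `// survey_question and option_text are stored already passed through Security::remove_XSS; do not filter them again on output`, would make that contract visible to later readers. The enclosing loop starts and ends outside the hunk.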
4 changes: 2 additions & 2 deletions main/survey/survey.php
Expand Up @@ -314,9 +314,9 @@

if ($survey_data['survey_type'] != 3) {
if (api_strlen($row['survey_question']) > 100) {
echo api_substr(strip_tags($row['survey_question']), 0, 100).' ... ';
echo Security::remove_XSS(api_substr(strip_tags($row['survey_question']), 0, 100)).' ... ';
} else {
echo $row['survey_question'];
echo Security::remove_XSS($row['survey_question']);
}
} else {
$parts = explode('@@', $row['survey_question']);
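Review bot: Only the `survey_type != 3` branch is filtered; the `else` branch beginning at `$parts = explode('@@', $row['survey_question']);` splits the same field and continues outside the hunk, so it is not visible whether those parts are echoed with the same treatment. If they are, each part needs `Security::remove_XSS()` before it is output, otherwise this branch remains the unfiltered path for the same column. The enclosing conditional ends outside the hunk.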
42 changes: 23 additions & 19 deletions main/survey/surveyUtil.class.php
Expand Up @@ -418,11 +418,11 @@ public static function displayUserReportAnswers($userId, $survey_data, $addMessa
if ($row['type'] != 'pagebreak') {
$questions[$row['sort']]['question_id'] = $row['question_id'];
$questions[$row['sort']]['survey_id'] = $row['survey_id'];
$questions[$row['sort']]['survey_question'] = $row['survey_question'];
$questions[$row['sort']]['survey_question'] = Security::remove_XSS($row['survey_question']);
$questions[$row['sort']]['display'] = $row['display'];
$questions[$row['sort']]['type'] = $row['type'];
$questions[$row['sort']]['maximum_score'] = $row['max_value'];
$questions[$row['sort']]['options'][$row['question_option_id']] = $row['option_text'];
$questions[$row['sort']]['options'][$row['question_option_id']] = Security::remove_XSS($row['option_text']);
}
}

Expand Down Expand Up @@ -615,7 +615,7 @@ public static function display_question_report($survey_data)
$row = 0;
foreach ($data as $label => $item) {
$table->setCellContents($row, 0, $label);
$table->setCellContents($row, 1, $item);
$table->setCellContents($row, 1, Security::remove_XSS($item));
$row++;
}

Expand Down Expand Up @@ -670,7 +670,7 @@ public static function display_question_report($survey_data)
$questionId = (int) $question['question_id'];

echo '<div class="title-question">';
echo strip_tags(isset($question['survey_question']) ? $question['survey_question'] : null);
echo Security::remove_XSS(strip_tags(isset($question['survey_question']) ? $question['survey_question'] : null));
echo '</div>';

if ('score' === $question['type']) {
Expand Down Expand Up @@ -729,6 +729,8 @@ public static function display_question_report($survey_data)
foreach ($options as $option) {
$optionText = strip_tags($option['option_text']);
$optionText = html_entity_decode($optionText);
$optionText = Security::remove_XSS($optionText);

$votes = 0;
if (isset($data[$option['question_option_id']]['total'])) {
$votes = $data[$option['question_option_id']]['total'];
Expand All @@ -752,7 +754,7 @@ public static function display_question_report($survey_data)

// Displaying the table: the content
if (is_array($options)) {
foreach ($options as $key => &$value) {
foreach ($options as &$value) {
if ('multiplechoiceother' === $question['type'] && 'other' === $value['option_text']) {
$value['option_text'] = get_lang('SurveyOtherAnswer');
}
Expand All @@ -773,7 +775,7 @@ public static function display_question_report($survey_data)
$answers_number = $absolute_number / $number_of_answers[$option['question_id']] * 100;
}
echo '<tr>';
echo '<td>'.$value['option_text'].'</td>';
echo '<td>'.Security::remove_XSS($value['option_text']).'</td>';
echo '<td>';
if ($absolute_number != 0) {
echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/reporting.php?action='.$action
Expand Down Expand Up @@ -1120,9 +1122,9 @@ class = "save"
in_array($row['question_id'], $_POST['questions_filter']))
) {
// We do not show comment and pagebreak question types
if ('pagebreak' != $row['type']) {
if ('pagebreak' !== $row['type']) {
$content .= ' <th';
if ($row['number_of_options'] > 0 && 'percentage' != $row['type']) {
if ($row['number_of_options'] > 0 && 'percentage' !== $row['type']) {
$content .= ' colspan="'.$row['number_of_options'].'"';
}
$content .= '>';
Expand All @@ -1132,7 +1134,7 @@ class = "save"
type="checkbox"
name="questions_filter[]" value="'.$row['question_id'].'" checked="checked"/>';
}
$content .= $row['survey_question'];
$content .= Security::remove_XSS($row['survey_question']);
$content .= '</label>';
$content .= '</th>';
}
Expand Down Expand Up @@ -1189,7 +1191,7 @@ class = "save"
(is_array($_POST['questions_filter']) && in_array($row['question_id'], $_POST['questions_filter']))
) {
// we do not show comment and pagebreak question types
if ('open' == $row['type'] || 'comment' == $row['type']) {
if ('open' === $row['type'] || 'comment' === $row['type']) {
$content .= '<th>&nbsp;-&nbsp;</th>';
$possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
$display_percentage_header = 1;
Expand All @@ -1201,7 +1203,7 @@ class = "save"
$possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
} elseif ($row['type'] !== 'pagebreak' && $row['type'] !== 'percentage') {
$content .= '<th>';
$content .= $row['option_text'];
$content .= Security::remove_XSS($row['option_text']);
$content .= '</th>';
$possible_answers[$row['question_id']][$row['question_option_id']] = $row['question_option_id'];
$display_percentage_header = 1;
Expand Down Expand Up @@ -2116,7 +2118,7 @@ public static function display_comparative_report()
$optionsX = ['----'];
$optionsY = ['----'];
$defaults = [];
foreach ($questions as $key => &$question) {
foreach ($questions as &$question) {
// Ignored tagged questions
if ($question) {
if (strpos($question['question'], '{{') !== false) {
Expand All @@ -2133,6 +2135,7 @@ public static function display_comparative_report()
if (isset($_GET['yaxis']) && $_GET['yaxis'] == $question['question_id']) {
$defaults['yaxis'] = $question['question_id'];
}
$question['question'] = Security::remove_XSS($question['question']);

$optionsX[$question['question_id']] = api_substr(strip_tags($question['question']), 0, 90);
$optionsY[$question['question_id']] = api_substr(strip_tags($question['question']), 0, 90);
Expand Down Expand Up @@ -2171,16 +2174,17 @@ public static function display_comparative_report()
if ($ii == 0) {
$tableHtml .= '<th>&nbsp;</th>';
} else {
if ($question_x['type'] == 'score') {
if ($question_x['type'] === 'score') {
for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
$tableHtml .= '<th>'.$question_x['answers'][($ii - 1)].'<br />'.$x.'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_x['answers'][($ii - 1)]).'<br />'.$x.'</th>';
}
$x = '';
} else {
$tableHtml .= '<th>'.$question_x['answers'][($ii - 1)].'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_x['answers'][($ii - 1)]).'</th>';
}
$optionText = strip_tags($question_x['answers'][$ii - 1]);
$optionText = html_entity_decode($optionText);
$optionText = Security::remove_XSS($optionText);
array_push($xOptions, trim($optionText));
}
}
Expand All @@ -2198,7 +2202,7 @@ public static function display_comparative_report()
if ($question_x['type'] == 'score') {
for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
if ($ii == 0) {
$tableHtml .= '<th>'.$question_y['answers'][($ij)].' '.$y.'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][($ij)]).' '.$y.'</th>';
break;
} else {
$tableHtml .= '<td align="center">';
Expand All @@ -2224,7 +2228,7 @@ public static function display_comparative_report()
}
} else {
if ($ii == 0) {
$tableHtml .= '<th>'.$question_y['answers'][$ij].' '.$y.'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][$ij]).' '.$y.'</th>';
} else {
$tableHtml .= '<td align="center">';
$votes = self::comparative_check(
Expand Down Expand Up @@ -2257,7 +2261,7 @@ public static function display_comparative_report()
if ($question_x['type'] === 'score') {
for ($x = 1; $x <= $question_x['maximum_score']; $x++) {
if ($ii == 0) {
$tableHtml .= '<th>'.$question_y['answers'][$ij].'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][$ij]).'</th>';
break;
} else {
$tableHtml .= '<td align="center">';
Expand All @@ -2283,7 +2287,7 @@ public static function display_comparative_report()
}
} else {
if ($ii == 0) {
$tableHtml .= '<th>'.$question_y['answers'][($ij)].'</th>';
$tableHtml .= '<th>'.Security::remove_XSS($question_y['answers'][($ij)]).'</th>';
} else {
$tableHtml .= '<td align="center">';
$votes = self::comparative_check(
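Review bot: In the hunk at `@@ -2171,16 +2174,17 @@`, `$optionText` is now passed through `Security::remove_XSS()` before `array_push($xOptions, trim($optionText))`; if `$xOptions` is later used to match stored answer text (its use lies outside the hunk), an option whose text the filter rewrites would no longer match and would silently show no votes. Keeping the raw decoded string for matching, `$xOptions[] = trim(html_entity_decode(strip_tags($question_x['answers'][$ii - 1])));`, and filtering only the copy that is echoed avoids that; the same ordering question applies to `$optionText` in the hunk at `@@ -729,6 +729,8 @@` if it is likewise used for matching. Separately, `$question_x['type'] == 'score'` at the top of the hunk at `@@ -2198,7 +2202,7 @@` is still a loose comparison while the sibling checks in the hunks above and below were changed to `===`. display_comparative_report starts and ends outside these hunks.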
