
Commit df68cef

committed
Survey: add remove_xss
1 parent 93c087f commit df68cef


2 files changed

+10
-7
lines changed


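--- a/main/survey/preview.php
+++ b/main/survey/preview.php
@@ -55,22 +55,22 @@
 SurveyUtil::check_first_last_question($surveyId, false);
 
 // Survey information
-echo '<div class="page-header"><h2>'.$survey_data['survey_title'].'</h2></div>';
+echo '<div class="page-header"><h2>'.Security::remove_XSS($survey_data['survey_title']).'</h2></div>';
 if (!empty($survey_data['survey_subtitle'])) {
-echo '<div id="survey_subtitle">'.$survey_data['survey_subtitle'].'</div>';
+echo '<div id="survey_subtitle">'.Security::remove_XSS($survey_data['survey_subtitle']).'</div>';
 }
 
 // Displaying the survey introduction
 if (!isset($_GET['show'])) {
 if (!empty($survey_data['survey_introduction'])) {
-echo '<div class="survey_content">'.$survey_data['survey_introduction'].'</div>';
+echo '<div class="survey_content">'.Security::remove_XSS($survey_data['survey_introduction']).'</div>';
 }
 }
 
 // Displaying the survey thanks message
 if (isset($_POST['finish_survey'])) {
 echo Display::return_message(get_lang('SurveyFinished'), 'confirm');
-echo $survey_data['survey_thanks'];
+echo Security::remove_XSS($survey_data['survey_thanks']);
 Display::display_footer();
 exit;
 }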
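Review bot: The `<h2>` title and the `survey_subtitle` div render fields that are presumably plain text, yet the hunk treats them the same way as the introduction and thanks fields, which are the ones that can plausibly carry HTML; if `Security::remove_XSS` is a markup filter rather than an escaper (its behaviour is not visible from this hunk), those two sites would be safer with context escaping, e.g. `htmlspecialchars($survey_data['survey_title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeping `remove_XSS` for the rich-text fields. Whichever treatment is chosen, a comment above the block such as `// survey_title/survey_subtitle are plain text, survey_introduction/survey_thanks may contain HTML` would keep a later edit from switching one of them back to raw output. The script continues outside the hunk on both sides, so any other `$survey_data` output sites in this file are not visible here.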

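--- a/main/survey/surveyUtil.class.php
+++ b/main/survey/surveyUtil.class.php
@@ -3472,6 +3472,8 @@ public static function get_survey_data(
 $efv = new ExtraFieldValue('survey');
 while ($survey = Database::fetch_array($res)) {
 $array[0] = $survey[0];
+$survey[1] = Security::remove_XSS($survey[1]);
+
 if (self::checkHideEditionToolsByCode($survey['col2'])) {
 $array[1] = $survey[1];
 } else {
@@ -3711,6 +3713,8 @@ public static function getSurveyList($user_id)
 continue;
 }
 
+$title = Security::remove_XSS($row['title']);
+
 echo '<tr>';
 if ($row['answered'] == 0) {
 echo '<td>';
@@ -3723,7 +3727,7 @@ public static function getSurveyList($user_id)
 );
 echo '<a href="'.$url.'">
 '.$icon
-.$row['title']
+.$title
 .'</a></td>';
 } else {
 $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
@@ -3748,7 +3752,7 @@ public static function getSurveyList($user_id)
 'survey_id' => $row['survey_id'],
 ])
 )
-: $icon.PHP_EOL.$row['title'];
+: $icon.PHP_EOL.$title;
 echo '</td>';
 }
 echo '<td class="text-center">';
@@ -3762,7 +3766,6 @@ public static function getSurveyList($user_id)
 echo '<td class="text-center">'.($efvMandatory['value'] ? get_lang('Yes') : get_lang('No')).'</td>';
 }
 echo '</tr>';
-
 $surveyIds[] = $row['survey_id'];
 }
 echo '</tbody>';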
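Review bot: In `get_survey_data` the title is filtered where `$survey[1]` is read from the database, while `preview.php` and `getSurveyList` in this same commit filter at the output site; mixing the two conventions means a caller of `get_survey_data` that also escapes on output processes the title twice, and a caller that relies on the returned value being raw (an edit form, say) now receives the filtered string. Filtering once at the echo site, as the `$title = Security::remove_XSS($row['title']);` line in `getSurveyList` does, would be the consistent choice; if filtering in the data layer is intentional, a comment such as `// title is XSS-filtered here; callers receive the sanitized value` above the assignment would make that contract explicit. The `else` branch of the `checkHideEditionToolsByCode` test and the rest of both methods lie outside the hunks, so further uses of `$survey[1]` cannot be checked from here.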
