  1. eZ Publish / Platform
  2. EZP-18005

eZ Survey: default multiple choice view template does not wash output

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Obsolete
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      Default extension/ezsurvey/design/standard/templates/survey/view/multiplechoice.tpl is vulnerable to HTML injection in its "Other" field because output is not washed.

      See attached patch.

      Steps to reproduce

      Enter HTML code into a text field or text area "Other" field of a multiple choice attribute on the user-facing page of a default survey.
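
The kind of change the report describes, as an added illustration in eZ Publish template syntax; it is not the attached patch or code from ezsurvey. The variable names `$other_input_name` and `$other_value` are hypothetical stand-ins for whatever the real template uses; `wash` is the eZ Publish template operator for escaping output.

```smarty
{* Added illustration, not the attached patch. $other_input_name and
   $other_value are hypothetical names; the real template's variables
   may differ. *}

{* Before: the submitted "Other" text is echoed back verbatim, so any
   markup in it becomes part of the rendered page. *}
<input type="text" name="{$other_input_name}" value="{$other_value}" />
<textarea name="{$other_input_name}" rows="3" cols="40">{$other_value}</textarea>

{* After: wash (default type xhtml) converts HTML special characters to
   entities before output, both in the attribute value and in the
   element body. *}
<input type="text" name="{$other_input_name|wash}" value="{$other_value|wash}" />
<textarea name="{$other_input_name|wash}" rows="3" cols="40">{$other_value|wash}</textarea>
```

Any other template that prints survey answers, such as result or summary views, needs the same operator on the same value, since the stored text is unchanged.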

            People

            Assignee:
            unknown unknown
            Reporter:
            peterkeung Peter Keung