Project: eZ Publish / Platform
Issue: EZP-18005

eZ Survey: default multiple choice view template does not wash output


Details

    Description

      The default template extension/ezsurvey/design/standard/templates/survey/view/multiplechoice.tpl is vulnerable to HTML injection through its "Other" field, because the submitted value is echoed back without being washed (HTML-escaped).

      See attached patch.

      Steps to reproduce

      Enter HTML code into the "Other" text field or text area of a multiple choice attribute on the user-facing page of a default survey; the markup is rendered instead of being shown as literal text.
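As an added illustration (not the attached patch and not the project's own template code), the shape of the fix in eZ template syntax: the "Other" value echoed back verbatim, beside the same output passed through the wash operator. The variable names $other_name and $other_value are assumptions.

```tpl
{* Before (the defect described in the report): the respondent's "Other" text
   is inserted unescaped, so any markup they typed is rendered by the browser.
   $other_name / $other_value are assumed names, not the template's real ones. *}
<input type="text" name="{$other_name}" value="{$other_value}" />
<textarea name="{$other_name}">{$other_value}</textarea>

{* After: wash() HTML-escapes the value, so characters that would open a tag or
   close the attribute are shown as literal text; for the textarea this also
   prevents a typed "</textarea>" from ending the element early. *}
<input type="text" name="{$other_name|wash}" value="{$other_value|wash}" />
<textarea name="{$other_name|wash}">{$other_value|wash}</textarea>
```

The same rule applies to every place the template prints user-supplied survey input, not only the two elements shown.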

      People

        Peter Keung