Survey: Stored XSS with TinyMCE

Signed-off-by: Releasemanager <webmaster@ilias.de>

Author: ZallaxDev

Modules/Survey/Editing/class.ilSurveyEditorGUI.php

@@ -16,6 +16,7 @@
  *
  *********************************************************************/
 
+use ILIAS\LegalDocuments\HTMLPurifier;
 use ILIAS\Survey\Editing\EditManager;
 use ILIAS\Survey\Editing\EditingGUIRequest;
 
@@ -1107,14 +1108,13 @@ public function saveHeadingObject(): void
 
         $form = $this->initHeadingForm($q_id);
         if ($form->checkInput()) {
-            $this->object->saveHeading(
-                ilUtil::stripSlashes(
-                    $form->getInput("heading"),
-                    true,
-                    ilObjAdvancedEditing::_getUsedHTMLTagsAsString("survey")
-                ),
-                $form->getInput("insertbefore")
-            );
+            $tags = ilObjAdvancedEditing::_getUsedHTMLTags("survey");
+            $purifier = new HTMLPurifier($tags);
+            $heading = $form->getInput("heading");
+
+            $heading = $purifier->purify($heading);
+
+            $this->object->saveHeading($heading, $form->getInput("insertbefore"));
             $this->ctrl->redirect($this, "questions");
         }
 

Modules/Survey/Settings/class.SettingsFormGUI.php

@@ -20,9 +20,11 @@
 
 namespace ILIAS\Survey\Settings;
 
+use ILIAS\LegalDocuments\HTMLPurifier;
 use ILIAS\Survey\InternalGUIService;
 use ILIAS\Survey\Mode\UIModifier;
 use ILIAS\Survey\InternalDomainService;
+use ilObjAdvancedEditing;
 
 /**
  * Settings form
@@ -893,8 +895,16 @@ public function saveForm(
         } else {
             $survey->setEndDate("");
         }
-        $survey->setIntroduction($form->getInput("introduction"));
-        $survey->setOutro($form->getInput("outro"));
+
+        $tags = ilObjAdvancedEditing::_getUsedHTMLTags("survey");
+        $purifier = new HTMLPurifier($tags);
+
+        $introduction = $form->getInput("introduction");
+        $introduction = $purifier->purify($introduction);
+        $survey->setIntroduction($introduction);
+        $outro = $form->getInput("outro");
+        $outro = $purifier->purify($outro);
+        $survey->setOutro($outro);
         $survey->setShowQuestionTitles((bool) $form->getInput("show_question_titles"));
         $survey->setPoolUsage((bool) $form->getInput("use_pool"));
 

Modules/SurveyQuestionPool/Questions/class.SurveyQuestionGUI.php

@@ -16,6 +16,7 @@
  *
  *********************************************************************/
 
+use ILIAS\LegalDocuments\HTMLPurifier;
 use ILIAS\SurveyQuestionPool\Editing\EditingGUIRequest;
 use ILIAS\SurveyQuestionPool\Editing\EditManager;
 
@@ -332,7 +333,14 @@ protected function saveForm(): bool
             $this->object->label = ($form->getInput("label"));
             $this->object->setAuthor($form->getInput("author"));
             $this->object->setDescription($form->getInput("description"));
-            $this->object->setQuestiontext($form->getInput("question"));
+
+            $tags = ilObjAdvancedEditing::_getUsedHTMLTags("survey");
+            $purifier = new HTMLPurifier($tags);
+            $question = $form->getInput("question");
+
+            $question = $purifier->purify($question);
+
+            $this->object->setQuestiontext($question);
             $this->object->setObligatory($form->getInput("obligatory"));
 
             $this->importEditFormValues($form);