Release Date: January 16th, 2020
Improvements
- To prevent HTML injection vulnerabilities, the following work was completed so that HTML in rendered data is displayed as plain text:
  - Question responses containing HTML within activities will not render the HTML when piped with the {value} or {response} tags.
  - Question prompts containing HTML within activities will not render the HTML when piped with the {prompt} tag.
  - Participant data containing HTML will not render the HTML when piped with the {UserData} tag.
  - HTML included in participant properties, such as first name and last name, will not render the HTML in data grids in Enterprise Manager, Discovery, and Data Change.
  - HTML included in participant properties, such as first name and last name, will not render on the page when viewing an individual participant’s record.
  - HTML entered as a submission data response, such as in a text input question, will not be rendered in the results of queried submission data.
  - HTML entered as submission data, such as in a text input question, will not be rendered when viewing an individual submission.
  - HTML entered as submission data, such as in a text input question, will not be rendered while reviewing changes to data within Data Change.
  - Custom error messages containing HTML will not render the HTML when the message is displayed.
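The items above all describe the same fix: data that is piped into a page through a tag such as {value}, {response}, {prompt} or {UserData} is HTML-escaped at output time, so markup typed by a participant is shown literally instead of being interpreted by the browser. The following is an added illustration, not the product's own code: a minimal piping renderer showing the unsafe substitution beside the escaping one. The tag names, the template and the sample responses are constructed for the example.

```python
"""Escape-on-output for piped tags (added illustration, not the product's code).

render_piped_unsafe() shows the pre-fix behaviour: a piped value is dropped
straight into the page, so "<script>" in a response becomes live markup.
render_piped() escapes every substituted value, so the same response is
displayed as plain text. Tag names such as {response} are assumed.
"""
import html
import re

# A piping tag is a word in curly braces, e.g. {value}, {prompt}, {UserData}.
PIPE_TAG = re.compile(r"\{(\w+)\}")


def render_piped_unsafe(template: str, context: dict) -> str:
    """Pre-fix behaviour: substitute values verbatim (HTML injection)."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        return str(context[name]) if name in context else match.group(0)
    return PIPE_TAG.sub(substitute, template)


def render_piped(template: str, context: dict) -> str:
    """Fixed behaviour: substitute values with HTML escaping applied.

    Unknown tags are left untouched so a missing value stays visible rather
    than being silently dropped. Escaping happens at substitution time, so
    the template author's own markup is preserved while piped data can never
    become markup. quote=True also escapes " and ' so a value placed inside
    an attribute cannot break out of it.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in context:
            return match.group(0)
        return html.escape(str(context[name]), quote=True)
    return PIPE_TAG.sub(substitute, template)


def renders_as_markup(rendered: str, payload: str) -> bool:
    """True if the raw payload survived into the rendered page unescaped."""
    return payload in rendered


if __name__ == "__main__":
    # Constructed sample data: a participant answered with markup.
    context = {"prompt": "What is your name?", "response": "<b onmouseover=\"x()\">Ann</b>"}
    template = "<p>{prompt}</p><p>You answered: {response}</p><span title=\"{response}\"></span>"
    print(render_piped_unsafe(template, context))
    print(render_piped(template, context))
```

Running the module prints the two renderings side by side; the escaped version contains `&lt;b onmouseover=&quot;x()&quot;&gt;`, which the browser displays as text.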
- The Power User role can no longer access API Keys, Sites, and System Extensions by navigating directly to their URLs.
- The system generates a new cookie once the user has authenticated.
- The Login Page no longer allows open redirects to outside sites through the target URL parameter.
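The two preceding items cover the login flow: a fresh cookie after authentication (so a session identifier known before login is worthless afterwards) and a post-login redirect that stays on the application's own site. The following is an added illustration, not the product's own code, of both behaviours in one small login handler. The session store, the `return_url` parameter and the host name `app.example.com` are assumptions made for the example.

```python
"""Login-flow hardening (added illustration, not the product's code).

Models two behaviours: issuing a new session identifier once a user
authenticates, and validating the post-login return URL so it can only
point back into this site. ALLOWED_HOST and the session store are assumed.
"""
import secrets
from urllib.parse import urlsplit

ALLOWED_HOST = "app.example.com"  # assumed host that serves the login page


def safe_return_url(candidate, default: str = "/") -> str:
    """Return a local path to redirect to after login, or the default.

    Accepts site-relative paths ("/dashboard?tab=1") and absolute https URLs
    on ALLOWED_HOST (reduced to their local part). Rejects other hosts,
    protocol-relative URLs ("//evil.example"), non-https schemes such as
    "javascript:", and backslash variants some browsers treat as slashes.
    """
    if not candidate:
        return default
    normalized = candidate.strip().replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute URL: only our own host over https is acceptable, and even
        # then only the path and query are kept. hostname ignores userinfo
        # and port, so "https://app.example.com@evil.example/" is rejected.
        if parts.scheme.lower() != "https" or parts.hostname != ALLOWED_HOST:
            return default
        local = parts.path or "/"
        return local + ("?" + parts.query if parts.query else "")
    # Relative target: must be a single-slash site-relative path.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return default
    return normalized


class SessionStore:
    """In-memory session table keyed by the cookie value (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def new_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def authenticate(self, presented_sid: str, username: str) -> str:
        # Discard the pre-login session entirely and mint a new identifier, so
        # whatever cookie value the browser carried before login stops working.
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def login(store: SessionStore, presented_sid: str, username: str, return_url) -> dict:
    """Simulate a successful login: rotate the cookie and pick a safe redirect."""
    new_sid = store.authenticate(presented_sid, username)
    return {"set_cookie": new_sid, "redirect": safe_return_url(return_url)}


if __name__ == "__main__":
    store = SessionStore()
    before = store.new_anonymous()
    result = login(store, before, "ann", "https://evil.example/phish")
    print("cookie rotated:", result["set_cookie"] != before)
    print("redirect:", result["redirect"])
```

The redirect check deliberately rebuilds same-host absolute URLs from their path and query rather than echoing the original string, so a value that parsed as allowed cannot carry anything the parser did not see.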
- Injection of user-entered script through the ‘IFrameUrl’ parameter within the Enterprise Manager is prevented.
- Injection of user-entered script through the ‘SourcePagel’ parameter within the Enterprise Manager is prevented.