Release Notes: Illume 6.0.19569


This applies to:

Illume 6.0


Release Date: January 16th, 2020

Improvements

  • To prevent HTML injection vulnerabilities, the following work was completed to make HTML in rendered data display as plain text:
    • Question responses containing HTML within activities will not render the HTML when piping with the {value} or {response} tags.
    • Question prompts containing HTML within activities will not render the HTML when piping with the {prompt} tag.
    • Participant data containing HTML will not render the HTML when piping with the {UserData} tag.
    • HTML included in participant properties, such as first name and last name, will not render the HTML in data grids in Enterprise Manager, Discovery, and Data Change.
    • HTML included in participant properties, such as first name and last name, will not render on the page when viewing an individual participant’s record.
    • HTML entered as submission data responses, like in a text input question, will not be rendered in the results of queried submission data.
    • HTML entered as submission data, like in a text input question, will not be rendered when viewing an individual submission.
    • HTML entered as submission data, like in a text input question, will not be rendered while reviewing changes to data within Data Change.
    • Custom error messages with HTML entered will not render the HTML on display of the message.
  • The Power User role does not have access to API Keys, Sites, and System Extensions via direct URL link.
  • The system generates a new cookie once the user has authenticated.
  • The Login Page prevents open redirects to outside sites via targeted URL.
  • User-entered script is no longer accepted through the ‘IFrameUrl’ parameter within the Enterprise Manager.
  • User-entered script is no longer accepted through the ‘SourcePagel’ parameter within the Enterprise Manager.
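The first improvement above means piped data is escaped at output time rather than inserted verbatim. The following Python illustration is added here and is not Illume's code; it assumes the `{value}`, `{response}`, `{prompt}` and `{UserData}` tag syntax named in the notes, uses constructed sample data, and includes a small regression check a reviewer can run against any renderer.

```python
import html
import re

# Piping tags named in the release notes. The two renderers below are a
# hypothetical before/after illustration, not Illume's own implementation.
PIPE_TAG = re.compile(r"\{(value|response|prompt|UserData)\}")

# Constructed sample: a stored text-input response, a question prompt and a
# participant property that all carry markup.
SAMPLE_DATA = {
    "value": "<b>not bold</b>",
    "response": "<script>alert(1)</script>",
    "prompt": "How are you feeling <b>today</b>?",
    "UserData": "<b>Smith</b>",
}


def pipe_unsafe(template: str, data: dict) -> str:
    """Pre-fix behaviour: piped values are inserted verbatim, so markup that
    was stored as data becomes live HTML on the rendered page."""
    return PIPE_TAG.sub(lambda m: str(data.get(m.group(1), "")), template)


def pipe_as_text(template: str, data: dict) -> str:
    """Post-fix behaviour: every piped value is HTML-escaped at output time,
    so it displays as plain text regardless of what was stored."""
    return PIPE_TAG.sub(
        lambda m: html.escape(str(data.get(m.group(1), "")), quote=True), template
    )


def piped_markup_is_inert(render, template: str, data: dict) -> bool:
    """Regression check: rendering must not introduce any '<' beyond those
    the activity designer authored in the template itself. Any extra '<'
    means a piped value reached the page unescaped."""
    return render(template, data).count("<") == template.count("<")
```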

Fixes

  • An internal server error appeared when a user pressed the Export Data Grid button in the Query Log view type.
  • The SDK user type was being omitted from the expired DatStat session cleanup, causing performance issues as the number of expired sessions grew without being cleared.