Release Notes: Illume 6.1.24

This applies to:

Illume 6.1

Release Date: January 16th, 2020

Improvements

  • To prevent HTML injection vulnerabilities, the following work was completed to make HTML in rendered data display as plain text:
    • Question responses containing HTML within activities will not render the HTML when piping with the {value} or {response} tags.
    • Question prompts containing HTML within activities will not render the HTML when piping with the {prompt} tag.
    • Participant data containing HTML will not render the HTML when piping with the {UserData} tag.
    • HTML included in participant properties, such as first name and last name, will not render the HTML in data grids in Enterprise Manager, Discovery, and Data Change.
    • HTML included in participant properties, such as first name and last name, will not render on the page when viewing an individual participant’s record.
    • HTML entered as submission data responses, like in a text input question, will not be rendered in the results of queried submission data.
    • HTML entered as submission data, like in a text input question, will not be rendered when viewing an individual submission.
    • HTML entered as submission data, like in a text input question, will not be rendered while reviewing changes to data within Data Change.
    • Custom error messages with HTML entered will not render the HTML on display of the message.
  • The Power User role does not have access to API Keys, Sites, and System Extensions via direct URL link.
  • The system generates a new cookie once the user has authenticated.
  • The Login Page prevents open redirects to outside sites via targeted URL.
  • User-entered scripting submitted via the ‘IFrameUrl’ parameter within the Enterprise Manager is prevented.
  • User-entered scripting submitted via the ‘SourcePagel’ parameter within the Enterprise Manager is prevented.

Fixes

  • An internal server error appeared when a user pressed the Export Data Grid button in the Query Log view type.
  • The SDK user type was being omitted from the expired DatStat session cleanup, causing performance issues as the number of expired sessions grew without being cleared.
  • Participants could be created without values for their required fields if the user creating the participant only had read-only access to those required fields.
  • When a survey utilized the loop feature and had a question before the loop, one within the loop, and another after the loop, the variable after the loop was not listed and could not be changed via Data Change.
  • The audit log failed to load properly when conditions on a loop in the survey made the prompts in the inner loop no longer visible after they had been responded to.
  • Systems with large amounts of audit data (700k+ entries) would occasionally time out when attempting to publish a new version of a survey.
    For example, a user may have seen an error when attempting to publish version 42 of a large survey; however, they would not experience the same issue when publishing version 5 of a different survey on the same system.
  • Users were unable to access Data Change when the system was not also licensed for Data Queries.
  • Users with access to individual surveys instead of all on the system, on a system with over 500 surveys, were unable to view the surveys they had access to in Data Change if those surveys were not within the first 500 results.