Stored XSS Vulnerability in Dwsurvey Survey System
Official Website: https://www.diaowen.net/home
Official Demo Site: https://demo.diaowen.net/
Vulnerability Details
The Dwsurvey survey system is affected by a stored cross-site scripting (XSS) vulnerability.
Location 1: Survey Title
1.Create a new survey and set the "Survey Title" to the XSS payload:
.
2.Saved successfully.
The API for adding a new survey is:
https://demo.diaowen.net/api/dwsurvey/app/survey/add.do
The survey title field is surveyName.
Code Analysis:
It can be observed that surveyName is obtained directly from the frontend without any filtering.
When accessing the admin panel and selecting Survey Management, the page triggers the following request:
https://demo.diaowen.net/api/dwsurvey/admin/survey/list.do?pageSize=10¤t=1
By reviewing the JavaScript that triggers this request, the subsequent processing logic can be located.
The response from the backend API is obtained, and each survey record is inserted as a row in the table.
The surveyName value of each record is extracted without escaping HTML tags, and is directly inserted as a DOM node for preview display.
As a result, JavaScript is executed on the frontend.
A pop-up window appears, confirming the existence of a stored XSS vulnerability.
The backend code at /api/dwsurvey/admin/survey/list.do also shows no escaping or filtering.
Other locations also exhibit the same issue and can trigger the vulnerability. Some example screenshots are as follows.
Multiple functions, such as Design Survey and Preview Survey, share similar logic, so details are omitted here.
Location 2:
When adding a survey question, the same problem exists. If you input the XSS payload:

You need to intercept the request and modify the escaped < > characters in the surveyJsonText parameter.
As shown in the API code above, the value is also taken directly from the frontend without any escaping or filtering.
After saving successfully, viewing the preview again results in a pop-up window, demonstrating that the output is not sanitized, and the vulnerability persists.
Stored XSS Vulnerability in Dwsurvey Survey System
Official Website: https://www.diaowen.net/home
Official Demo Site: https://demo.diaowen.net/
Vulnerability Details
The Dwsurvey survey system is affected by a stored cross-site scripting (XSS) vulnerability.
Location 1: Survey Title
1.Create a new survey and set the "Survey Title" to the XSS payload:
.
2.Saved successfully.
The API for adding a new survey is:
https://demo.diaowen.net/api/dwsurvey/app/survey/add.do
The survey title field is surveyName.
Code Analysis:
It can be observed that surveyName is obtained directly from the frontend without any filtering.
When accessing the admin panel and selecting Survey Management, the page triggers the following request:
https://demo.diaowen.net/api/dwsurvey/admin/survey/list.do?pageSize=10¤t=1
By reviewing the JavaScript that triggers this request, the subsequent processing logic can be located.
The response from the backend API is obtained, and each survey record is inserted as a row in the table.
The surveyName value of each record is extracted without escaping HTML tags, and is directly inserted as a DOM node for preview display.
As a result, JavaScript is executed on the frontend.
A pop-up window appears, confirming the existence of a stored XSS vulnerability.
The backend code at /api/dwsurvey/admin/survey/list.do also shows no escaping or filtering.
Other locations also exhibit the same issue and can trigger the vulnerability. Some example screenshots are as follows.
Multiple functions, such as Design Survey and Preview Survey, share similar logic, so details are omitted here.
Location 2:
When adding a survey question, the same problem exists. If you input the XSS payload:
You need to intercept the request and modify the escaped < > characters in the surveyJsonText parameter.
As shown in the API code above, the value is also taken directly from the frontend without any escaping or filtering.
After saving successfully, viewing the preview again results in a pop-up window, demonstrating that the output is not sanitized, and the vulnerability persists.