View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 264
IDProjectCategoryView StatusDate SubmittedLast Update
16649Feature requestsSecuritypublic2020-09-09 15:562021-03-08 23:11
Reportergabrieljenik Assigned Togabrieljenik  
PrioritynoneSeverityfeature 
Status closedResolutionfixed 
Fixed in Version3.0 
Summary16649: enable video in spite of active xss filtering - LSv4
Description

Dear LS-Developer,

xss filtering is mandatoryfor us, but videos (self uploaded - YouTube is a no-go) in questions and help texts is the most requested feature at our organization.

LimeSurvey uses HtmlPurifier for xss filtering via yii-framework and the wrapper class CHhtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HtmlPurifier via an array. To enable video tag (HTML5) we must use the config-object of HtmlPurifier. The trick is:

  1. change function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from proteced to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see uploaded file

My approach was to change classes from the yii-framework only minimal and add the maximum changes to the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access 'https://github.com/LimeSurvey/LimeSurvey.git/': The requested URL returned error: 403

Hope, you can think about und maybe integrate it in LimeSurvey.

Best wishes .. Iver

Additional Information

development infrastructure:

  • OS: Win10
  • docker environment

Clone of 12560
This is for LSv4

TagsNo tags attached.
Attached Files
LSYii_Validators.php (8,311 bytes)
Bug heat264
Story point estimate
Users affected %

Relationships

Relationship GraphDependency Graph
related to 12560 closedc_schmitz enable video in spite of active xss filtering 

Users monitoring this issue

arnaudj

Activities

c_schmitz

c_schmitz

2020-09-09 15:56

administrator   ~59753

Hi,

you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.
c_schmitz

c_schmitz

2020-09-09 15:56

administrator   ~59754

?
jackewitz

jackewitz

2020-09-09 15:56

reporter   ~59755

Yeah, I am currently busy. Try it in the next 2 weeks.
Jelle_S

Jelle_S

2020-09-09 15:56

reporter   ~59756

Has any progress been made on this? We are running in to the same issue. We have disabled xss filtering for now, but it's not ideal
Mazi

Mazi

2020-09-09 15:56

updater   ~59757

@c_schmitz, we just had the exact same support request at Limesurvey IRC, you helped that user a few days ago.

Any way to improve this at LS 4?
gabrieljenik

gabrieljenik

2020-09-15 01:40

manager   ~59800

PR: https://github.com/LimeSurvey/LimeSurvey/pull/1591
cdorin

cdorin

2020-09-19 18:29

reporter   ~59884

Unfortunately, it still does not work - not sure if I am doing smth wrong. Gabriel can you please double check the PR?
gabrieljenik

gabrieljenik

2020-09-21 15:40

manager   ~59906

Have just done a full retest.
Worked fine.

Please find attached the sample survey and the file.
I have gone to the question, saved it and still, the video tag was there.
gabrieljenik

gabrieljenik

2020-09-21 15:42

manager   ~59908

limesurvey_survey_126815.lss (19,325 bytes)
mov_bbb.mp4 (788,493 bytes)   
mov_bbb.mp4 (788,493 bytes)   
gabrieljenik

gabrieljenik

2020-11-13 15:29

manager   ~60637

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30726

Related Changesets

LimeSurvey: master 95491ea3

2020-11-13 16:28

gabrieljenik

Committer: GitHub


Details Diff		 New feature 16649: enable video in spite of active xss filtering (#1591) Affected Issues
16649
add - application/core/LSYii_HtmlPurifier.php Diff File
mod - application/core/LSYii_Validators.php Diff File
mod - framework/web/widgets/CHtmlPurifier.php Diff File

Issue History

Date Modified Username Field Change
2020-09-09 15:56 gabrieljenik New Issue
2020-09-09 15:56 gabrieljenik Status new => assigned
2020-09-09 15:56 gabrieljenik Assigned To => gabrieljenik
2020-09-09 15:56 gabrieljenik Issue generated from: 12560
2020-09-09 15:56 gabrieljenik Note Added: 59753
2020-09-09 15:56 gabrieljenik Note Added: 59754
2020-09-09 15:56 gabrieljenik Note Added: 59755
2020-09-09 15:56 gabrieljenik Note Added: 59756
2020-09-09 15:56 gabrieljenik Note Added: 59757
2020-09-09 15:56 gabrieljenik Relationship added related to 12560
2020-09-15 01:40 gabrieljenik Note Added: 59800
2020-09-19 18:29 cdorin Note Added: 59884
2020-09-21 15:40 gabrieljenik Note Added: 59906
2020-09-21 15:42 gabrieljenik Note Added: 59908
2020-09-21 15:42 gabrieljenik File Added: limesurvey_survey_126815.lss
2020-09-21 15:42 gabrieljenik File Added: mov_bbb.mp4
2020-09-23 18:39 arnaudj Issue Monitored: arnaudj
2020-11-13 15:29 gabrieljenik Changeset attached => LimeSurvey master 95491ea3
2020-11-13 15:29 gabrieljenik Note Added: 60637
2020-11-13 15:29 gabrieljenik Resolution open => fixed
2021-03-08 23:11 c_schmitz Status assigned => closed
2021-03-08 23:11 c_schmitz Fixed in Version => 3.0
2021-08-02 17:09 guest Bug heat 262 => 264