| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 16853 | Bug reports | Survey participants (Tokens) | public | 2020-11-23 12:22 | 2023-06-20 17:49 |
| Reporter | DenisChenu | Assigned To | c_schmitz | ||
| Priority | high | Severity | minor | ||
| Status | closed | Resolution | fixed | ||
| Product Version | 3.25.0 | ||||
| Fixed in Version | 3.25.6 | ||||
| Summary | 16853: Inconsistent filter behaviour when create token | ||||
| Description | There are a complete inconsistent behavior on token filter in firstname, lastname and attribute Sometime : allow tag, sometimes not | ||||
| Steps To Reproduce | As super admin
And now : edit any of this participant : all tag was deleted .... | ||||
| Additional Information | The issue :
My proposed solution : use only model->rules. Without XSS system : always clean up HTML with HtmlPurifier or a complete flat way. If complete flat : need a javascript validation or an HTML5 validation : no filter without inform. LSA attached to see | ||||
| Tags | No tags attached. | ||||
| Bug heat | 8 | ||||
| Complete LimeSurvey version number (& build) | 5.0.0 | ||||
| I will donate to the project if issue is resolved | No | ||||
| Browser | not relevant ? | ||||
| Database type & version | not relevant? | ||||
| Server OS (if known) | not relevant ? | ||||
| Webserver software & version (if known) | not relevant ? | ||||
| PHP Version | not relevant ? | ||||
 |
About removing all tags : https://gfycat.com/fr/slimyvalidjavalina |
|
|
I think i prefer disallow tag and XSS for all user. |
|
|
Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30847 |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30849 |
 |
Added a PR https://github.com/LimeSurvey/LimeSurvey/pull/1721/files |
|
|
Arg … i cherry-pick … i check again master |
 |
Fixed in Release 3.25.8+210118 |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30907 |
 |
Why would a superadmin not be allowed to use tags in token atributes? Can we please fix that so it is allowed, at least for the custom attributes. |
|
|
We have a discussion about this … maybe on zoho ? Because it was , before the update : disallowed totally. The alternate commit … |
|
|
PS : see https://bugs.limesurvey.org/view.php?id=16884 … |
|
|
The scenario would only be for superadmins, nobody else. |
|
|
Why superadmin ? |
|
|
Any admin can use email send to add bad value. We must avoid it for registering only. |
|
|
PS : since this commit i use bbcode when i need tag in attribute s⋅… |
|
|
master : https://github.com/LimeSurvey/LimeSurvey/pull/2627 |
|
|
Got lost here. I guess html entities should be encoded on the DB, right? |
|
|
No… 1st issue : if you import CSV : no filter was done (you can save <script>alert("XSS")</script>, but when you edit you loose all HTML tag. When user register he can add HTML tag, but when edit via GUI : deleted. But Carsten reopen issue because need to allow tag for admin user
|
|
|
What does it mean to |
|
|
tag : HTML tag, i don't understand what is your problem here ? Tag :
Yes, but must disallow XSS for simple admin.
We Always ALLOW html tag for question text or help … |
|
|
https://manual.limesurvey.org/Global_settings/en#Security |
|
|
But yes : HTML tag allowed … for simple user in token attributes. Tag != XSS I really don't understand here … |
|
|
You are right sorry. <script> tags are filtered! My bad. |
|
|
;) Maybe more clear like this :
|
|
|
Why disallow HTML for admin ? It's already merged in 3.X … And see : https://github.com/LimeSurvey/LimeSurvey/pull/2627#pullrequestreview-1121944581 for master … |
|
|
And https://github.com/LimeSurvey/LimeSurvey/pull/2627/files#r981147912 |
|
|
My mistake |
|
|
Should this also apply for participants added directly to the survey (not through CPDB?) ? |
|
|
Also, when participants are transferred from the CPDB to the survey, the tags are filtered. |
|
|
I check with remote_co,ntrol : it work without any issue
No : it's OK … See screencast … |
|
|
|
|
|
This is the test case run:
OH, ok. I was testing on the first name and last name as that was on the reproduction steps. |
|
|
No : original issue was about whole : fitsname/lastname/attrute_X was not filtered when register, but only when edit via GUI. But @c_schmitz reopen the issue to allow superadmin to add tag on attributes : then it's the new PR … |
|
|
OK, I was trying to collaborate with the testing, but not sure I can add a lot more here. Just to clarify, after my testing the participant on the CPDB and the participant on the survey had different first_name and last name. That was not expected (at least not by me :) ). |
|
|
Clearly another issue … Must chek too if CPDB allow XSS for simple admin. But : clearly : another issue to report … |
|
|
Both PRs were merged now. |
