View Issue Details

ID: 04533
Project: Bug reports
Category: Survey participants (Tokens)
View Status: public
Last Update: 2010-09-08 17:27
Reporter: mdekker
Assigned To: mdekker
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 1.90+
Fixed in Version: 1.91beta
Summary: 04533: Tokens with hyphen cause error when exit & clearall is used
Description

If you use tokens with a hyphen in them you get a session error after hitting the exit & clear all button.

Additional Information

The exit & clear all button has a link that has the hyphen removed from the token. This is caused by the sanitize_xss_string function.
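To illustrate the distinction the report draws, here is an added PHP example (not LimeSurvey's code): a token check that validates the value against the token's own alphabet and rejects anything else, instead of passing it through a generic XSS filter that silently rewrites it. The allowed character set and the stand-in filter are assumptions made for the demonstration, modelled only on the report's observation that the real filter removes the hyphen.

```php
<?php
// Added example, not LimeSurvey's code. Assumed token alphabet: letters, digits, underscore, hyphen.
function validate_token(string $token): ?string
{
    // Validate, do not mutate: a token outside its own alphabet is rejected outright.
    return preg_match('/^[A-Za-z0-9_-]+$/', $token) === 1 ? $token : null;
}

// Simplified stand-in (assumption) for a generic XSS filter that strips characters it dislikes.
// A filter like this returns a *different* token, so the later token lookup no longer matches.
function strip_like_generic_filter(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $value);
}

function build_clearall_url(string $sid, string $token): ?string
{
    $clean = validate_token($token);
    if ($clean === null) {
        return null; // refuse to build a link rather than rewriting the token into another value
    }
    // Hypothetical link layout; the real parameter names are not taken from the report.
    return 'index.php?sid=' . rawurlencode($sid) . '&move=clearall&token=' . rawurlencode($clean);
}

$issued   = 'abc-123';                              // constructed sample token containing a hyphen
$stripped = strip_like_generic_filter($issued);     // "abc123": no longer equals the issued token
$url      = build_clearall_url('12345', $issued);   // hyphen preserved, so the lookup still matches

printf("issued:   %s\nstripped: %s (lookup mismatch: %s)\nurl:      %s\n",
    $issued, $stripped, $stripped === $issued ? 'no' : 'yes', $url);

// Malformed input is rejected outright instead of being silently altered:
var_dump(build_clearall_url('12345', 'abc<script>'));
```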

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 9061
I will donate to the project if issue is resolved:
Browser:
Database type & version: dna
Server OS (if known): dna
Webserver software & version (if known): dna
PHP Version: dna


Activities

mdekker (reporter), 2010-08-16 12:07, note ~12634

(pasted from chatlog)

[9:59] <mdekker> Carsten, I have a problem with tokens that include a hyphen -
[9:59] <mdekker> It works all over, but the exit & clear all button
[10:00] <mdekker> does sanitize_xss_string instead of sanitize token, and that function strips the dash
[10:00] <mdekker> I don't know much about xss, but the articles I read say the - is not a dangerous character
[10:00] <mdekker> so we have some options:
[10:01] <mdekker> 1. change the call to use sanitize token instead of sanitize xss string
[10:01] <mdekker> 2. update sanitize xss string to not strip a hyphen
[10:02] <mdekker> 3. make hyphen forbidden for tokens (
[10:02] <mdekker> i prefer option 1 or 2 as 3 has a big impact on the application
[10:02] <mdekker> and since it is security related... i leave the decision to you :)

c_schmitz (administrator), 2010-08-16 22:57, note ~12639

Tokens with hyphens are colliding with Short-URLs too, so they should be generally forbidden.

c_schmitz (administrator), 2010-08-16 22:58, note ~12640 (last edited: 2010-08-16 22:59)

Btw, to get noticed in IRC always write my IRC name (c_schmitz). That way my IRC window starts flashing and your line gets highlighted. So I can answer right away.

mdekker (reporter), 2010-09-01 14:46, note ~12734

Fixed in svn 9100

c_schmitz (administrator), 2010-09-08 17:27, note ~12790

Fix was released in 1.90+ version.

Issue History

Date Modified Username Field Change
2010-08-16 12:00 mdekker New Issue
2010-08-16 12:00 mdekker Assigned To => mdekker
2010-08-16 12:00 mdekker Status new => assigned
2010-08-16 12:07 mdekker Note Added: 12634
2010-08-16 12:07 mdekker Assigned To mdekker => c_schmitz
2010-08-16 12:07 mdekker Status assigned => feedback
2010-08-16 22:57 c_schmitz Note Added: 12639
2010-08-16 22:57 c_schmitz Assigned To c_schmitz => mdekker
2010-08-16 22:57 c_schmitz Status feedback => assigned
2010-08-16 22:58 c_schmitz Note Added: 12640
2010-08-16 22:59 c_schmitz Note Edited: 12640
2010-09-01 14:46 mdekker Note Added: 12734
2010-09-01 14:46 mdekker Status assigned => resolved
2010-09-01 14:46 mdekker Fixed in Version => 1.91beta
2010-09-01 14:46 mdekker Resolution open => fixed
2010-09-08 17:27 c_schmitz Note Added: 12790
2010-09-08 17:27 c_schmitz Status resolved => closed
2016-12-08 10:39 c_schmitz Category Tokens => Survey participants (Tokens)