ID: 06655
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2012-10-16 10:35
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.00+
Summary: 06655: Unable to do integer comparison in Expression Manager for non-super-admin user with XSS filtering
Description

If you try to do some comparison in a question as a non-super-admin user, the < or > are filtered by htmlpurifier to &lt; or &gt;

Steps To Reproduce

Create a new user who is not a super admin (allow him to create surveys)
Set XSSfilter to true in the LS params
Log in with this new user
Add a survey
Add a group
Add a question with:

{if(1 < 2,"correct calculation","miscalculation")}

The question text is translated to

{if(1 &lt; 2,"correct calculation","miscalculation")}

Additional Information

Already tried:
htmlpurifier Filter.ExtractStyleBlocks.Escaping set to false, but it's a bad way.

I think non-admin users need more control on question text, maybe.

Another possibility is to replace &lt; and &gt; in Expression Manager.

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 121005
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

child of 06592 (closed, DenisChenu): Import of question with equation converts special characters to HTML entities

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz (administrator), 2012-10-09 22:53, note ~21147

I don't think it is possible to solve this with reasonable effort - rather we place a corresponding hint in the documentation.

TMSWhite (reporter), 2012-10-10 02:06, note ~21151

All Expression Manager operators that might be affected by XSS filtering have alternate spellings to avoid this problem:

&& ... and
|| ... or
>  ... gt
<  ... lt
>= ... ge
<= ... le
== ... eq

c_schmitz (administrator), 2012-10-10 10:33, note ~21152

Hooray!

DenisChenu (developer), 2012-10-11 12:49, note ~21210

I think there is a problem with multi-user installations.

A super-admin makes a
{if(1 < 2,"My text","")}

The survey works like a charm.

Another user wants to make some modifications and puts:
{if(1 < 2,"My new text","")}

The survey is broken.

c_schmitz (administrator), 2012-10-16 10:35, note ~21345

Superadmin always bypasses the XSS filter.
So if a normal, XSS-filtered admin user edits the question again, it breaks the formula.
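The two points made in this thread, that the alphabetic operator spellings listed by TMSWhite survive entity escaping while `<` and `>` do not, and that a formula saved by the filter-bypassing super-admin breaks as soon as a filtered user re-saves it, can be modelled in a few lines. The following is an added example and not LimeSurvey code: `xss_filter()` is a stand-in for HTMLPurifier's escaping (it only touches `&`, `<` and `>`), `evaluate()` is a toy that understands a single `{if(A op B,"x","y")}` with integer operands, and `decode_entities_in_expressions()` illustrates the reporter's suggestion of decoding `&lt;`/`&gt;` inside Expression Manager, which the project did not adopt (the resolution was documentation plus the alternate spellings).

```python
"""Model of the filter/Expression Manager interaction described in LimeSurvey
issue 06655. Added example, not project code; see the lead-in for what is
assumed."""
import html
import re

# Symbolic operators and their alphabetic alternates from TMSWhite's note.
# The alternates contain no < or > and therefore pass an HTML escaper intact.
OPERATORS = {
    "<": lambda a, b: a < b, "lt": lambda a, b: a < b,
    ">": lambda a, b: a > b, "gt": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "le": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b, "ge": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "eq": lambda a, b: a == b,
}

# {if(<int> <op> <int>,"<text>","<text>")} with optional whitespace.
IF_RE = re.compile(
    r'\{if\(\s*(-?\d+)\s+(\S+)\s+(-?\d+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)\}'
)


def xss_filter(text: str) -> str:
    """Stand-in for the purifier (assumption): escape &, < and > as entities."""
    return html.escape(text, quote=False)


def save_question(text: str, is_superadmin: bool) -> str:
    """Store question text as the issue describes: every editor goes through
    the filter except the super-admin, who bypasses it."""
    return text if is_superadmin else xss_filter(text)


def evaluate(text: str) -> str:
    """Evaluate one {if(A op B,"x","y")} expression.

    Raises ValueError for an unknown operator, which is exactly what a stored
    '&lt;' becomes once the filter has run over the symbolic spelling."""
    match = IF_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a recognised expression: {text!r}")
    left, op, right, if_true, if_false = match.groups()
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    return if_true if OPERATORS[op](int(left), int(right)) else if_false


def survives_roundtrip(text: str) -> bool:
    """Scenario from DenisChenu's note: the super-admin saves the question,
    then a normal (filtered) user edits and re-saves it unchanged."""
    stored = save_question(text, is_superadmin=True)     # bypasses filter
    stored = save_question(stored, is_superadmin=False)  # filter applied
    try:
        evaluate(stored)
        return True
    except ValueError:
        return False


BRACES_RE = re.compile(r"\{[^{}]*\}")


def decode_entities_in_expressions(text: str) -> str:
    """Reporter's alternative, as an illustration only: undo &lt;/&gt; inside
    {...} so that the HTML around the expression stays escaped."""
    return BRACES_RE.sub(
        lambda m: m.group(0).replace("&lt;", "<").replace("&gt;", ">"), text
    )


if __name__ == "__main__":
    symbolic = '{if(1 < 2,"correct calculation","miscalculation")}'
    alphabetic = '{if(1 lt 2,"correct calculation","miscalculation")}'
    print("stored by super-admin:", save_question(symbolic, True))
    print("re-saved by filtered user:", save_question(symbolic, False))
    print("symbolic spelling survives:", survives_roundtrip(symbolic))
    print("alphabetic spelling survives:", survives_roundtrip(alphabetic))
    filtered = save_question(symbolic, False)
    print("with decode step:", evaluate(decode_entities_in_expressions(filtered)))
```

Running the script shows the symbolic form failing the round trip with an `unsupported operator '&lt;'` path while the `lt` form evaluates unchanged, which is why the alternate spellings are the robust choice for authors on a filtered account; the decode helper is kept narrow on purpose, touching only the entity pairs inside braces rather than unescaping the whole question text.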

Issue History

Date Modified Username Field Change
2012-10-05 10:56 DenisChenu New Issue
2012-10-05 10:57 DenisChenu Relationship added child of 06592
2012-10-09 22:53 c_schmitz Note Added: 21147
2012-10-10 02:06 TMSWhite Note Added: 21151
2012-10-10 10:33 c_schmitz Note Added: 21152
2012-10-10 10:33 c_schmitz Status new => closed
2012-10-10 10:33 c_schmitz Assigned To => c_schmitz
2012-10-10 10:33 c_schmitz Resolution open => no change required
2012-10-11 12:49 DenisChenu Note Added: 21210
2012-10-11 12:49 DenisChenu Status closed => feedback
2012-10-11 12:49 DenisChenu Resolution no change required => reopened
2012-10-16 10:35 c_schmitz Note Added: 21345
2012-10-16 10:35 c_schmitz Status feedback => closed
2012-10-16 10:35 c_schmitz Resolution reopened => fixed
2019-11-01 17:25 c_schmitz Category Survey design => Survey editing