LimeSurvey issue tracker
View Issue Details
ID: 07781
Project: Bug reports
Category: [All Projects] Security
View Status: public
Date Submitted: 2013-04-20 21:03
Last Update: 2013-04-23 09:09
Reporter: ubuntourist
Assigned To: c_schmitz
Priority: high
Severity: major
Status: closed
Resolution: not fixable
Product Version: 2.00+
Target Version:
Fixed in Version:
Summary: 07781: <video>, <source> and <track> tags stripped from questions
Description: <video>, <source> and <track> tags inserted via the "Source" button in the question editor are replaced with a non-breakable space entity (&nbsp;) for all users except the super-administrator.

For the super-administrator, it misunderstands the <source> tag and inserts additional copies of the tag.

Steps To Reproduce: Create a question as the site admin. Switch to "Source". Insert something like:

<video controls="controls"
       data-timeline-sources="/Video/ASL_Over_iPhone.vtt"
       height="432" width="768"
       poster="/images/image.jpg"
       preload="metadata">
<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source>
<track default="default"
        kind="captions"
        label="English"
        src="/Video/ASL_Over_iPhone.vtt"
        srclang="en"></track>
</video>

It should "work" but add in bogus extra <source> tags.

Repeat the insert as another user. It should fail and give a

&nbsp;

in place of the above.
Additional Information: According to tpartner in the forum, this is at least in part related to the global "Filter HTML for XSS" setting. I didn't know how to categorize, but based on that, I put it in "Security".
I will donate to the project if issue is resolved within 48 hrs: Yes
LimeSurvey build number OR git commit ID: 130406
Browser: Google Chrome (and others)
Database & DB-Version: PostgreSQL 8.4.13
Operating System (Server): Red Hat Enterprise Linux (RHEL) 6
Webserver software & version: Apache 2.2.15
PHP Version: 5.3.3
Attached Files: limesurvey_survey_563849.lss (13,450 bytes) 2013-04-20 23:45

Notes
(25004)
ubuntourist (reporter)
2013-04-20 23:51

The misunderstanding of the <source> tag is apparently a separate issue, and I have filed a separate bug report for it.

(It still messes up, albeit slightly differently, when the "Filter HTML for XSS" is turned off, which allows normal users to enter the <video>, <source>, and <track> elements.)
(25055)
c_schmitz (administrator)
2013-04-23 09:09

As tpartner already said: It is not a bug but you can just deactivate 'Filter HTML for XSS' in global settings.
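
Added example, not part of the notes above and not LimeSurvey's code: a generic element-allowlist filter in Python showing why markup like the reported `<video>` block vanishes under such a filter, and how the three media elements can be allowed per element and attribute while script content, event handlers and non-http(s) URLs are still removed. It assumes the "Filter HTML for XSS" setting behaves like an element allowlist; `BASE`, `MEDIA`, `safe_url`, `Filter` and `sanitize` are hypothetical names.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (assumptions); REPORTED is the report's markup, condensed.
BASE = {"p": set(), "b": set(), "a": {"href"}, "img": {"src", "alt"}}
MEDIA = {"video": {"controls", "height", "width", "poster", "preload"},
         "source": {"src", "type"},
         "track": {"default", "kind", "label", "src", "srclang"}}
URL_ATTRS, DROP_CONTENT = {"href", "src", "poster"}, {"script", "style"}
REPORTED = ('<video controls="controls" poster="/images/image.jpg">'
            '<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source>'
            '<track kind="captions" src="/Video/ASL_Over_iPhone.vtt" srclang="en"></track></video>')

def safe_url(value):
    """Relative or http(s) URLs only; whitespace and control characters are refused."""
    scheme = re.match(r"([a-z][a-z0-9+.-]*):", value, re.I)
    clean = not any(ch.isspace() or ord(ch) < 32 for ch in value)
    return clean and (scheme is None or scheme.group(1).lower() in ("http", "https"))

class Filter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP_CONTENT  # entering <script>/<style>: drop contents too
        if self.skip or tag not in self.allowed:
            return  # element not on the allowlist: its tag is removed
        kept = ""
        for name, value in attrs:
            if name in self.allowed[tag] and (name not in URL_ATTRS or safe_url(value or "")):
                kept += f' {name}="{escape(name if value is None else value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag in DROP_CONTENT
        elif tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data))

def sanitize(html, allowed):
    parser = Filter(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

`sanitize(REPORTED, BASE)` returns an empty string, while `sanitize(REPORTED, {**BASE, **MEDIA})` returns the markup unchanged.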

Issue History
Date Modified | Username | Field | Change
2013-04-20 21:03 | ubuntourist | New Issue |
2013-04-20 23:45 | ubuntourist | File Added: limesurvey_survey_563849.lss |
2013-04-20 23:51 | ubuntourist | Note Added: 25004 |
2013-04-23 09:09 | c_schmitz | Note Added: 25055 |
2013-04-23 09:09 | c_schmitz | Status | new => closed
2013-04-23 09:09 | c_schmitz | Assigned To | => c_schmitz
2013-04-23 09:09 | c_schmitz | Resolution | open => not fixable

