View Issue Details

ID: 08260
Project: Bug reports
Category: Theme editor
View Status: public
Last Update: 2013-11-25 15:39
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.05 RC
Target Version: 2.05+
Fixed in Version: 2.05+
Summary: 08260: Can not use own script on question text
Description

If XSS is disabled or the user is super-admin, some users can use their own script in question text.

For example:
My question text
<script>myOwnFunction({QID})</script>

Where myOwnFunction is in template.js.

It's OK on 2.00 but broken in 2.05.
In 2.00, template.js is in the head, but in 2.05 it is at the end of the body, which breaks the JavaScript.

Steps To Reproduce

Put your own function in template.js:
function myOwnFunction(qId){
    console.log(qId);
}

And try to use it in the question text.

Additional Information

The problem is that I set POS_END for template.js. POS_BEGIN seems OK too, because then all other scripts are in HEAD and template.js is at the beginning of BODY.

But this breaks the citronade template.
I can update citronade, but it breaks personal templates based on citronade (or using the same trick).

Do we choose to take the risk of breaking user templates?

See topic on Yii forum :
http://www.yiiframework.com/forum/index.php/topic/47829-cclientscriptpos-begin-and-conditionnal-comment-on-body/page__p__223737#entry223737

Tags: No tags attached.
Bug heat: 2
Complete LimeSurvey version number (& build): 131011
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

parent of 08346 (closed, DenisChenu): Javascript error in SkeletonQuest Template

Activities

c_schmitz (administrator), 2013-11-25 15:39, note ~27386

2.05RC7 released.

Related Changesets

LimeSurvey: 2.05 5901b9ea

2013-10-22 16:51:32

DenisChenu

Dev: New feature 08247: allow deactivate Javascript autocorrection of numerical values
Dev: Added LSvar object in template, maybe elsewhere is better, but already have needed script
Dev: add setJsVar for LEMradix, numRegex and intRegex
Dev: Start issue 08260: Can not use own script on question text : find another way ?
Affected Issues
08260
mod - application/config/config-defaults.php
mod - application/helpers/SurveyRuntimeHelper.php
mod - application/helpers/expressions/em_manager_helper.php
mod - application/helpers/replacements_helper.php
mod - scripts/survey_runtime.js
mod - templates/citronade/startpage.pstpl

Issue History

Date Modified Username Field Change
2013-10-11 08:30 DenisChenu New Issue
2013-10-22 18:52 DenisChenu Changeset attached => LimeSurvey 2.05 5901b9ea
2013-10-22 18:52 DenisChenu Assigned To => DenisChenu
2013-10-22 18:52 DenisChenu Status new => assigned
2013-11-05 16:40 DenisChenu Status assigned => resolved
2013-11-05 16:40 DenisChenu Fixed in Version => 2.05 RC
2013-11-05 16:40 DenisChenu Resolution open => fixed
2013-11-07 12:31 DenisChenu Relationship added parent of 08346
2013-11-22 11:27 c_schmitz Fixed in Version 2.05 RC => 2.05+
2013-11-22 11:28 c_schmitz Target Version => 2.05+
2013-11-25 15:39 c_schmitz Note Added: 27386
2013-11-25 15:39 c_schmitz Status resolved => closed
2015-12-11 14:40 c_schmitz Category Templates => Theme editor