ID: 16649
Project: Feature requests
Category: Security
View Status: public
Last Update: 2021-03-08 23:11
Reporter: gabrieljenik
Assigned To: gabrieljenik
Priority: none
Severity: feature
Status: closed
Resolution: fixed
Summary: 16649: enable video in spite of active xss filtering - LSv4
Description

Dear LS-Developer,

xss filtering is mandatory for us, but videos (self-uploaded - YouTube is a no-go) in questions and help texts are the most requested feature at our organization.

LimeSurvey uses HTMLPurifier for xss filtering via the yii-framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HTMLPurifier via an array. To enable the video tag (HTML5) we must use the config object of HTMLPurifier. The trick is:

  1. change function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from protected to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see the uploaded file

My approach was to change classes from the yii-framework only minimally and add the maximum changes to the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access 'https://github.com/LimeSurvey/LimeSurvey.git/': The requested URL returned error: 403

I hope you can think about it and maybe integrate it in LimeSurvey.

Best wishes, Iver
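The approach described above hands HTMLPurifier a config object so that the HTML5 video tag can be whitelisted without switching the XSS filter off. The following is an added example, not the code from the attached LSYii_Validators.php or from the LimeSurvey pull request, that does this with HTMLPurifier's documented addElement customisation API directly on an HTMLPurifier_Config object, outside the Yii CHtmlPurifier wrapper. It assumes HTMLPurifier is installed through Composer (vendor/autoload.php); the definition ID "example-html5-video", the attribute whitelist and the sample HTML are constructed for this example.

```php
<?php
// Added example (not LimeSurvey's code): allow the HTML5 <video> element
// through HTMLPurifier while leaving the rest of the XSS filter intact.
// Assumes HTMLPurifier is installed via Composer (vendor/autoload.php);
// the DefinitionID value and the sample HTML below are constructed.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier whose element whitelist is the stock one plus
 * <video> and <source>, each with an explicit, typed attribute whitelist.
 */
function makeVideoPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // A customised HTML definition must be identified and versioned so the
    // definition cache can tell it apart from the stock one. Bump the
    // revision whenever the whitelist below changes.
    $config->set('HTML.DefinitionID', 'example-html5-video'); // assumed ID
    $config->set('HTML.DefinitionRev', 1);
    // Demo only: disable the on-disk definition cache so this script runs
    // without a writable cache directory. Leave caching on in production.
    $config->set('Cache.DefinitionImpl', null);

    // Returns null when a cached definition already exists; in that case
    // the customisation below was applied when the cache entry was built.
    $def = $config->maybeGetRawHTMLDefinition();
    if ($def !== null) {
        // <video>: block-level, may contain <source> children and flow content.
        // Every attribute is typed, so its value is validated, and any
        // attribute not listed here (including on* event handlers) is dropped.
        $def->addElement(
            'video',
            'Block',
            'Optional: source | Flow',
            'Common',
            [
                'src'      => 'URI',    // scheme checked against URI.AllowedSchemes
                'poster'   => 'URI',
                'width'    => 'Length',
                'height'   => 'Length',
                'controls' => 'Bool#controls',
                'preload'  => 'Enum#auto,metadata,none',
            ]
        );
        // <source>: empty element; type false keeps it out of every content
        // set, so it is only valid where <video> explicitly allows it.
        $def->addElement(
            'source',
            false,
            'Empty',
            'Common',
            [
                'src'  => 'URI',
                'type' => 'Text',
            ]
        );
    }

    return new HTMLPurifier($config);
}

/** Purify with the stock configuration, for comparison. */
function purifyDefault(string $html): string
{
    return (new HTMLPurifier(HTMLPurifier_Config::createDefault()))->purify($html);
}

// Constructed sample: a self-hosted video, plus an event-handler attribute
// and a non-http src that the whitelist must not let through.
$sample = '<p>Intro</p>'
    . '<video controls src="/upload/surveys/1/intro.mp4" onplay="alert(1)" width="640">'
    . '<source src="/upload/surveys/1/intro.webm" type="video/webm">'
    . '</video>'
    . '<video src="javascript:alert(1)"></video>';

echo "default config:\n", purifyDefault($sample), "\n\n";
echo "video-enabled config:\n", makeVideoPurifier()->purify($sample), "\n";
```

Run it with php from the directory that holds vendor/. With the stock configuration the unknown video and source elements are removed and only the paragraph survives; with the extended configuration the video element is kept with its whitelisted attributes, the onplay attribute is dropped because it is not in the list, and the javascript: src is dropped because the URI attribute type only accepts relative paths or schemes in URI.AllowedSchemes (http, https and a few others by default). That per-attribute whitelist, not the element name, is what keeps the XSS filter meaningful, so prefer typed attributes over "Text" wherever possible, and bump HTML.DefinitionRev whenever the list changes so cached definitions are rebuilt.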

Additional Information

development infrastructure:

  • OS: Win10
  • docker environment

Clone of 12560
This is for LSv4

Tags: No tags attached.
Attached Files: LSYii_Validators.php (8,311 bytes)
Bug heat: 264

Relationships

related to 12560 (closed, c_schmitz): enable video in spite of active xss filtering

Activities

c_schmitz (administrator) 2020-09-09 15:56 ~59753

Hi,

you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.

c_schmitz (administrator) 2020-09-09 15:56 ~59754

?

jackewitz (reporter) 2020-09-09 15:56 ~59755

Yeah, I am currently busy. Try it in the next 2 weeks.

Jelle_S (reporter) 2020-09-09 15:56 ~59756

Has any progress been made on this? We are running into the same issue. We have disabled xss filtering for now, but it's not ideal.

Mazi (updater) 2020-09-09 15:56 ~59757

@c_schmitz, we just had the exact same support request at Limesurvey IRC, you helped that user a few days ago.

Any way to improve this at LS 4?

gabrieljenik (manager) 2020-09-15 01:40 ~59800

PR: https://github.com/LimeSurvey/LimeSurvey/pull/1591

cdorin (reporter) 2020-09-19 18:29 ~59884

Unfortunately, it still does not work - not sure if I am doing something wrong. Gabriel, can you please double check the PR?

gabrieljenik (manager) 2020-09-21 15:40 ~59906

Have just done a full retest.
Worked fine.

Please find attached the sample survey and the file.
I have gone to the question, saved it and still, the video tag was there.

gabrieljenik (manager) 2020-09-21 15:42 ~59908

mov_bbb.mp4 (788,493 bytes)

gabrieljenik (manager) 2020-11-13 15:29 ~60637

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30726

Related Changesets

LimeSurvey: master 95491ea3
2020-11-13 15:28:56, gabrieljenik (Committer: GitHub)
New feature 16649: enable video in spite of active xss filtering (#1591)
Affected Issues: 16649
add - application/core/LSYii_HtmlPurifier.php
mod - application/core/LSYii_Validators.php
mod - framework/web/widgets/CHtmlPurifier.php

Issue History

Date Modified Username Field Change
2020-09-09 15:56 gabrieljenik New Issue
2020-09-09 15:56 gabrieljenik Status new => assigned
2020-09-09 15:56 gabrieljenik Assigned To => gabrieljenik
2020-09-09 15:56 gabrieljenik Issue generated from: 12560
2020-09-09 15:56 gabrieljenik Note Added: 59753
2020-09-09 15:56 gabrieljenik Note Added: 59754
2020-09-09 15:56 gabrieljenik Note Added: 59755
2020-09-09 15:56 gabrieljenik Note Added: 59756
2020-09-09 15:56 gabrieljenik Note Added: 59757
2020-09-09 15:56 gabrieljenik Relationship added related to 12560
2020-09-15 01:40 gabrieljenik Note Added: 59800
2020-09-19 18:29 cdorin Note Added: 59884
2020-09-21 15:40 gabrieljenik Note Added: 59906
2020-09-21 15:42 gabrieljenik Note Added: 59908
2020-09-21 15:42 gabrieljenik File Added: limesurvey_survey_126815.lss
2020-09-21 15:42 gabrieljenik File Added: mov_bbb.mp4
2020-09-23 18:39 arnaudj Issue Monitored: arnaudj
2020-11-13 15:29 gabrieljenik Changeset attached => LimeSurvey master 95491ea3
2020-11-13 15:29 gabrieljenik Note Added: 60637
2020-11-13 15:29 gabrieljenik Resolution open => fixed
2021-03-08 23:11 c_schmitz Status assigned => closed
2021-03-08 23:11 c_schmitz Fixed in Version => 3.0
2021-08-02 17:09 guest Bug heat 262 => 264