ID: 06655
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2012-10-16 10:35
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.00+
Summary: 06655: Unable to do integer comparison in Expression Manager for non super-admin user with XSS filtering
Description

If you try to do a comparison in a question as a non-super-admin user, the < or > are filtered by htmlpurifier to & lt ; or & gt ;

Steps To Reproduce

Create a new user who is not a super admin (allow them to create surveys)
Set XSS filtering to true in the LS params
Connect as this new user
Add a survey
Add a group
Add a question with:

{if(1 < 2,"correct calculation","miscalculation")}

The question text is translated to

{if(1 & lt ; 2,"correct calculation","miscalculation")}

Additional Information

Already tried with:
htmlpurifier Filter.ExtractStyleBlocks.Escaping set to false, but it's a bad way.

I think non-admin users need more control over question text, maybe.

Another possibility is to replace & lt ; and & gt ; in Expression Manager.

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 121005
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

child of 06592 (closed, DenisChenu): Import of question with equation converts special characters to HTML entities

Activities

c_schmitz (administrator), 2012-10-09 22:53, note ~21147

I don't think it is possible to solve this with reasonable effort - rather we place an according hint in the documentation.

TMSWhite (reporter), 2012-10-10 02:06, note ~21151

All Expression Manager operators that might be affected by XSS filtering have alternate spellings to avoid this problem:

&& ... and
|| ... or
> ... gt
< ... lt
>= ... ge
<= ... le
== ... eq
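As an added illustration, not LimeSurvey code and not from anyone in this thread: a constructed toy model of the question-text pipeline in the report. It shows why the symbol form from the reproduction steps fails once the filter has encoded it, why the word spellings listed in the note above survive the filter, and what the reporter's other proposal (decoding & lt ; and & gt ; only inside expression braces) looks like. The regex, the function names and the single {if(int OP int,"yes","no")} shape it handles are assumptions of the model, not Expression Manager behaviour.

```python
import html
import operator
import re

# Constructed toy model of the bug in this report; it is NOT LimeSurvey's
# Expression Manager or HTMLPurifier. It handles only {if(<int> OP <int>,"yes","no")}.
COMPARE = {"<": operator.lt, ">": operator.gt, "<=": operator.le,
           ">=": operator.ge, "==": operator.eq}
# Word spellings from the note above: they contain no < or >, so an
# HTML-encoding XSS filter leaves them untouched.
WORD_OPS = {"lt": "<", "gt": ">", "le": "<=", "ge": ">=", "eq": "=="}
IF_RE = re.compile(r'\{if\((\d+)\s*(\S+?)\s*(\d+),"([^"]*)","([^"]*)"\)\}')

ORIGINAL = '{if(1 < 2,"correct calculation","miscalculation")}'
WORD_FORM = '{if(1 lt 2,"correct calculation","miscalculation")}'

def xss_filter(question_text: str) -> str:
    """Model of the filter step: < and > are stored as HTML entities."""
    return question_text.replace("<", "&lt;").replace(">", "&gt;")

def evaluate(question_text: str) -> str:
    """Evaluate the {if(...)} in a question text; 'ERROR' if it cannot parse."""
    m = IF_RE.search(question_text)
    if not m:
        return "ERROR"
    a, op, b, yes, no = m.groups()
    op = WORD_OPS.get(op, op)
    if op not in COMPARE:
        return "ERROR"  # '&lt;' ends up here: the entity is not an operator
    return yes if COMPARE[op](int(a), int(b)) else no

def decode_expressions(filtered_text: str) -> str:
    """The reporter's other proposal: undo the entity encoding only inside
    {...} spans, so the surrounding HTML stays encoded."""
    return re.sub(r"\{[^{}]*\}",
                  lambda m: html.unescape(m.group(0)), filtered_text)

def demo() -> dict:
    """Reproduce the symptom and show both workarounds."""
    return {
        "unfiltered": evaluate(ORIGINAL),
        "filtered_symbol": evaluate(xss_filter(ORIGINAL)),
        "filtered_word": evaluate(xss_filter(WORD_FORM)),
        "filtered_then_decoded": evaluate(decode_expressions(xss_filter(ORIGINAL))),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>22}: {outcome}")
```

Decoding inside the braces only makes sense if the expression is evaluated server-side and never echoed raw, which is the caveat behind c_schmitz's reluctance above.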

c_schmitz (administrator), 2012-10-10 10:33, note ~21152

Hooray!

DenisChenu (developer), 2012-10-11 12:49, note ~21210

I think there is a problem with multi-user installations.

Super-admin makes a
{if(1 < 2,"My text","")}

Survey works like a charm.

Another user wants to make some modifications and puts:
{if(1 < 2,"My new text","")}

Survey is broken.

c_schmitz (administrator), 2012-10-16 10:35, note ~21345

Superadmin always bypasses the XSS filter.
So if a normal XSS-filtered admin user edits the question again, it breaks the formula.

Issue History

Date Modified | Username | Field | Change
2012-10-05 10:56 | DenisChenu | New Issue |
2012-10-05 10:57 | DenisChenu | Relationship added | child of 06592
2012-10-09 22:53 | c_schmitz | Note Added: 21147 |
2012-10-10 02:06 | TMSWhite | Note Added: 21151 |
2012-10-10 10:33 | c_schmitz | Note Added: 21152 |
2012-10-10 10:33 | c_schmitz | Status | new => closed
2012-10-10 10:33 | c_schmitz | Assigned To | => c_schmitz
2012-10-10 10:33 | c_schmitz | Resolution | open => no change required
2012-10-11 12:49 | DenisChenu | Note Added: 21210 |
2012-10-11 12:49 | DenisChenu | Status | closed => feedback
2012-10-11 12:49 | DenisChenu | Resolution | no change required => reopened
2012-10-16 10:35 | c_schmitz | Note Added: 21345 |
2012-10-16 10:35 | c_schmitz | Status | feedback => closed
2012-10-16 10:35 | c_schmitz | Resolution | reopened => fixed
2019-11-01 17:25 | c_schmitz | Category | Survey design => Survey editing