Issue 11194: Bad class can totally break HTML

ID: 11194
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2016-05-25 21:15
Reporter: DenisChenu
Assigned To: LouisGac
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.50.x
Summary: 11194: Bad class can totally break HTML
Description

The cssclass attribute (and a lot of other attributes) is not filtered or encoded: any admin can easily break the HTML flow.

Steps To Reproduce

Use as class name:

  • " onMouseOver="alert('any admin can do it easily');" class="
  • " </div></div><script>

Or import the included survey.

Additional Information

At minimum: we need to encode quotes, but I think we must completely filter all these settings.
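To make the report concrete, the following is an added example (written for this page, not LimeSurvey's own code) that renders the two payloads above through three treatments of a class attribute: dropped in raw, passed through addslashes(), and passed through htmlspecialchars() with ENT_QUOTES, which is what Yii 1's CHtml::encode() does. It also shows the stricter option the report asks for, a whitelist that only admits plain CSS identifiers. The function names are illustrative and not LimeSurvey's.

```php
<?php
// Added example, not LimeSurvey code. Shows how an unencoded cssclass value
// escapes the attribute, and what each proposed treatment actually yields.

// The two payloads from the report, used as a question's cssclass value.
$payloads = [
    '" onMouseOver="alert(\'any admin can do it easily\');" class="',
    '" </div></div><script>',
];

// Vulnerable rendering: the value is concatenated straight into the
// attribute, the way a template echoing $cssclass unencoded would do it.
function renderVulnerable(string $cssclass): string
{
    return '<div class="' . $cssclass . '">';
}

// addslashes() only puts a backslash before each quote. HTML has no
// backslash escaping, so the browser still sees the quote as the end of
// the attribute and the injected handler / tags survive.
function renderAddslashes(string $cssclass): string
{
    return '<div class="' . addslashes($cssclass) . '">';
}

// htmlspecialchars with ENT_QUOTES is what CHtml::encode() does in Yii 1:
// " -> &quot;, ' -> &#039;, < -> &lt;, > -> &gt;. The value can no longer
// terminate the attribute or open a tag.
function renderEncoded(string $cssclass): string
{
    return '<div class="' . htmlspecialchars($cssclass, ENT_QUOTES, 'UTF-8') . '">';
}

// Stricter option from the report: only accept a space-separated list of
// CSS identifiers (letters, digits, underscore, hyphen; no leading digit).
// Anything else is dropped entirely instead of being encoded.
function filterCssClass(string $cssclass): string
{
    $ok = preg_match('/^[A-Za-z_-][\w-]*( [A-Za-z_-][\w-]*)*$/', $cssclass);
    return $ok ? $cssclass : '';
}

foreach ($payloads as $p) {
    echo "vulnerable: ", renderVulnerable($p), "\n";
    echo "addslashes: ", renderAddslashes($p), "\n";
    echo "encoded:    ", renderEncoded($p), "\n";
    echo "filtered:   '", filterCssClass($p), "'\n";
    echo "legit:      '", filterCssClass('my-question important_1'), "'\n\n";
}
```

Running this with the first payload shows why the thread's addslashes suggestion would not close the hole: the output is `<div class="\" onMouseOver=\"alert(...)\" class=\"">`, which a browser parses as a div with a live onMouseOver handler, while the encoded variant keeps everything inside a single inert class attribute. Encoding at output time (CHtml::encode in the helper that builds the replacement, or CHtml::textField / CHtml::textArea in the item views, which encode attributes for you) is the minimum; the whitelist is the safer choice for a field that is only ever meant to hold class names.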

Tags: No tags attached.
Attached Files
Bug heat: 6
Complete LimeSurvey version number (& build): 160515
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Activities

LouisGac (developer), 2016-05-17 10:33, note ~38589

Yep, why not, to prevent insertion of quotes by mistake.

I don't see it as a huge problem, since admins are supposed to be able to use their own JS for questions, or to add their own HTML for questions/subquestions/answers...

DenisChenu (developer), 2016-05-17 10:34, note ~38590

Any admin: even with XSS security.

And a lot of survey admins don't really understand what they do.

LouisGac (developer), 2016-05-25 17:13, note ~38871

Carsten fixed it.

DenisChenu (developer), 2016-05-25 17:28, note ~38875

When? Because in the latest Git I still have the same behaviour.

I think the better way seems to be to use
CHtml::encode in getQuestionReplacement and CHtml::(textField, textArea, ...) in each question/item view

LouisGac (developer), 2016-05-25 17:45, note ~38881

idk, he told me yesterday that he fixed it.
Personally, I'd just use addslashes.

DenisChenu (developer), 2016-05-25 17:50, note ~38883 (last edited: 2016-05-25 17:50)

htmlentities or addslashes. What to do ....

Where did you fix $dispVal and $tiwidth https://github.com/LimeSurvey/LimeSurvey/blob/master/application/views/survey/questions/shortfreetext/text/item.php#L39 ?

In qanda_helper ?

LouisGac (developer), 2016-05-25 18:04, note ~38884

yep

c_schmitz (administrator), 2016-05-25 21:15, note ~38888

Version 2.50+ Build 160526 released

Issue History

Date Modified Username Field Change
2016-05-15 18:58 DenisChenu New Issue
2016-05-15 18:58 DenisChenu File Added: limesurvey_survey_cssclass.lss
2016-05-17 10:33 LouisGac Note Added: 38589
2016-05-17 10:34 DenisChenu Note Added: 38590
2016-05-25 17:13 LouisGac Note Added: 38871
2016-05-25 17:13 LouisGac Status new => resolved
2016-05-25 17:13 LouisGac Resolution open => fixed
2016-05-25 17:13 LouisGac Assigned To => LouisGac
2016-05-25 17:28 DenisChenu Note Added: 38875
2016-05-25 17:45 LouisGac Note Added: 38881
2016-05-25 17:50 DenisChenu Note Added: 38883
2016-05-25 17:50 DenisChenu Note Edited: 38883
2016-05-25 18:04 LouisGac Note Added: 38884
2016-05-25 21:15 c_schmitz Note Added: 38888
2016-05-25 21:15 c_schmitz Status resolved => closed
2019-11-01 17:25 c_schmitz Category Survey design => Survey editing