View Issue Details

This bug affects 1 person(s).
ID: 12463
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2017-06-12 17:16
Reporter: sickpig
Assigned To: DenisChenu
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.65.x
Fixed in Version: 2.65.x
Summary: 12463: "Quick add.." replace function does not work anymore
Description

For all questions where you could use the above function (single list, array, etc.), every time you get an alert error saying that an error happened in the ajax request...

This is an example of the URL LS fails to fetch via ajax:

https://survey.example.com/index.php/admin/questions/sa/getSubquestionRowQuickAdd?surveyid=666252&gid=527&qid={{quid_placeholder}}&codes=[%221%22]&scale_id=0&type=subquestion&position=&first=true&language=it

Steps To Reproduce

Install the latest version of LimeSurvey
Add an array question
Try to define the subquestion via the "quick add..." function in "edit subquestions"

Additional Information

I have git bisected the limesurvey repo and the commit that introduced the issue is this one:

commit 68815bf6acf995363fb260ff395bc620882d741d
Author: Denis Chenu <courriel@shnoulle.net>
Date: Tue May 30 19:31:47 2017 +0200

Fixed issue #12434: [security] Reflected XSS (Thanks to mrbreaker) (#709)

Fixed issue #12433: [security] Reflected XSS (Thanks to mrbreaker)
Dev: fix it and test it before using it, in Survey_Common_Action

Reverting this change fixes the problem, but of course that is something we don't want to do due to the security implications.

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): Version 2.65.3
I will donate to the project if issue is resolved: No
Browser: chrome
Database type & version: postgresql 9.5.7
Server OS (if known): Ubuntu Linux 16.04
Webserver software & version (if known): Apache 2.4.7
PHP Version: 7.0.18

Activities

DenisChenu

2017-06-09 12:06

developer   ~43862

Maybe some isset VS empty. I think we don't have to send empty param (sid//gid for example).

DenisChenu

2017-06-09 18:35

developer   ~43864

Ouo, you tell me the issue : {{quid_placeholder}} :/

DenisChenu

2017-06-09 19:03

developer   ~43865

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22947

DenisChenu

2017-06-09 19:40

developer   ~43866

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22948

c_schmitz

2017-06-12 17:16

administrator   ~43878

Version 2.65.4 (build 170612) released.

Related Changesets

LimeSurvey: master 74eb67f4

2017-06-09 18:59:36

DenisChenu

Fixed issue 12463: "Quick add.." replace function does not work anymore
Dev: qid is not used here, but fix it
Affected Issues
12463
mod - scripts/admin/subquestions.js

LimeSurvey: master a45e4aa6

2017-06-09 19:38:52

DenisChenu

Dev: really fix 12463: "Quick add.."
Dev: maybe accept new[0-9] for qid/gid/sid ?
Dev: this force to create a new one ?
Affected Issues
12463
mod - application/controllers/admin/questions.php
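
The regression discussed in this issue, as an added example (not LimeSurvey code and not part of the original page). The page does not show the validation that the security fix introduced, so the code assumes the endpoint accepts only decimal integers for surveyid, gid and qid; the function names and the qid value 1234 are hypothetical, and the URL is the one quoted in the report.

```javascript
// Added example, not LimeSurvey code. Assumption: the hardened endpoint
// accepts only decimal integers for the id parameters below.
const ID_PARAMS = ["surveyid", "gid", "qid"];
const INTEGER_ID = /^[0-9]+$/;
const UNRENDERED_TEMPLATE = /\{\{[^}]*\}\}/;

// URL quoted in the report; qid still carries the client-side template marker.
const REPORTED_URL =
  "https://survey.example.com/index.php/admin/questions/sa/getSubquestionRowQuickAdd" +
  "?surveyid=666252&gid=527&qid={{quid_placeholder}}&codes=[%221%22]" +
  "&scale_id=0&type=subquestion&position=&first=true&language=it";

// Classify every id parameter the way a strict server-side check would see it.
function auditIdParams(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return ID_PARAMS.map((name) => {
    const value = params.get(name);
    let verdict = "rejected";
    if (value === null || value === "") verdict = "missing";
    else if (INTEGER_ID.test(value)) verdict = "ok";
    else if (UNRENDERED_TEMPLATE.test(value)) verdict = "unrendered-placeholder";
    return { name, value, verdict };
  });
}

// Client-side guard (hypothetical helper): substitute known placeholders, then
// refuse to send the request while any id parameter is not an integer.
function buildQuickAddUrl(templateUrl, ids) {
  const filled = templateUrl.replace(/\{\{(\w+)\}\}/g, (marker, key) =>
    Object.prototype.hasOwnProperty.call(ids, key)
      ? encodeURIComponent(String(ids[key]))
      : marker
  );
  const bad = auditIdParams(filled).filter((p) => p.verdict !== "ok");
  if (bad.length > 0) {
    const detail = bad.map((p) => `${p.name}=${p.value} (${p.verdict})`).join(", ");
    throw new Error(`refusing to send quick-add request: ${detail}`);
  }
  return filled;
}

for (const p of auditIdParams(REPORTED_URL)) {
  console.log(`${p.name.padEnd(8)} ${p.verdict.padEnd(22)} ${p.value}`);
}
console.log(buildQuickAddUrl(REPORTED_URL, { quid_placeholder: 1234 })); // 1234 is constructed
```

Running the audit in a front-end test over every URL template the admin scripts build catches this class of regression before a stricter server-side check ships.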

Issue History

Date Modified Username Field Change
2017-06-09 11:44 sickpig New Issue
2017-06-09 12:04 DenisChenu Assigned To => DenisChenu
2017-06-09 12:04 DenisChenu Status new => assigned
2017-06-09 12:06 DenisChenu Note Added: 43862
2017-06-09 18:35 DenisChenu Note Added: 43864
2017-06-09 19:03 DenisChenu Changeset attached => LimeSurvey master 74eb67f4
2017-06-09 19:03 DenisChenu Note Added: 43865
2017-06-09 19:03 DenisChenu Resolution open => fixed
2017-06-09 19:40 DenisChenu Changeset attached => LimeSurvey master a45e4aa6
2017-06-09 19:40 DenisChenu Note Added: 43866
2017-06-09 19:41 DenisChenu Status assigned => resolved
2017-06-09 19:41 DenisChenu Fixed in Version => 2.65.x
2017-06-12 17:16 c_schmitz Note Added: 43878
2017-06-12 17:16 c_schmitz Status resolved => closed
2019-11-01 17:25 c_schmitz Category Survey design => Survey editing