View Issue Details

ID: 12560
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2019-03-13 10:45
Reporter: jackewitz
Assigned To: c_schmitz
Status: assigned
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 12560: enable video in spite of active xss filtering

Dear LS-Developer,

XSS filtering is mandatory for us, but videos (self-uploaded; YouTube is a no-go) in questions and help texts are the most requested feature at our organization.

LimeSurvey uses HTMLPurifier for XSS filtering via the Yii framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way of configuring HTMLPurifier via an array. To enable the video tag (HTML5) we must use the config object of HTMLPurifier. The trick is:

  1. change function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from protected to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see uploaded file

My approach was to change classes from the Yii framework only minimally and to put the bulk of the changes into the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access '': The requested URL returned error: 403

Hope you can think about it and maybe integrate it in LimeSurvey.

Best wishes .. Iver

Additional Information

development infrastructure:

  • OS: Win10
  • docker environment
Tags: No tags attached.
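The reporter's attached LSYii_Validators.php is not reproduced on this page. The following is an added example (not the reporter's patch and not LimeSurvey or Yii code) of the approach the report describes: keeping HTMLPurifier's XSS filtering active while allowlisting the HTML5 video element through HTMLPurifier's config object and raw HTML definition, rather than through an options array. It talks to HTMLPurifier directly, so it does not depend on the CHtmlPurifier wrapper; the definition id, the Composer autoload path, the example.org URLs and the sample markup are all assumptions made for this example.

```php
<?php
// Added example: allow <video> and <source> through HTMLPurifier with an
// explicit attribute allowlist, keeping all other XSS filtering intact.
// Assumes HTMLPurifier is installed via Composer (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

function buildVideoAwarePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // A DefinitionID/DefinitionRev pair is required whenever the raw HTML
    // definition is customised, so the definition cache can key it.
    $config->set('HTML.DefinitionID', 'limesurvey-video-allowlist'); // assumed id
    $config->set('HTML.DefinitionRev', 1);

    // Disable the definition cache for this self-contained demo so it does not
    // need a writable cache directory; in a deployment set Cache.SerializerPath
    // to a writable path instead and keep caching on.
    $config->set('Cache.DefinitionImpl', null);

    // Only http(s) media sources; javascript: and data: URIs are rejected.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    $def = $config->maybeGetRawHTMLDefinition();
    if ($def !== null) {
        // <video> as a block element whose content is ordinary flow content
        // (fallback text, <source> children). Only the listed attributes are
        // accepted; event-handler attributes such as onplay are not in the
        // allowlist and are stripped, and src/poster go through URI validation.
        $def->addElement('video', 'Block', 'Flow', 'Common', [
            'src'      => 'URI',
            'poster'   => 'URI',
            'width'    => 'Length',
            'height'   => 'Length',
            'controls' => 'Bool#controls',
            'preload'  => 'Enum#auto,metadata,none',
        ]);
        // <source> children for alternative encodings; an empty element.
        $def->addElement('source', 'Block', 'Empty', 'Common', [
            'src'  => 'URI',
            'type' => 'Text',
        ]);
    }

    return new HTMLPurifier($config);
}

function purifyVideoHtml(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildVideoAwarePurifier();
    }
    return $purifier->purify($html);
}

// Constructed sample: a legitimate self-hosted video plus an injected event
// handler and a script block, used as a check that the allowlist is as tight
// as intended. The hostnames are placeholders.
$sample = '<p>Watch the introduction:</p>'
    . '<video src="https://survey.example.org/media/intro.mp4" controls="controls" '
    . 'onplay="alert(1)">'
    . '<source src="https://survey.example.org/media/intro.webm" type="video/webm">'
    . 'Your browser does not support embedded video.'
    . '</video>'
    . '<script>alert(2)</script>';

echo purifyVideoHtml($sample), PHP_EOL;
// The <video> and <source> elements survive with their src/controls/type
// attributes; the onplay attribute and the <script> block do not.
```

The check at the end is the part worth keeping around: whenever the allowlist is extended, purify a sample that mixes the wanted markup with the attributes and elements the filter must still reject, and compare the output against what the survey page should contain. How this config object is handed to LimeSurvey's validator depends on the Yii version's CHtmlPurifier wrapper, which the report describes as array-based; that wiring is deliberately left out here.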

2017-08-01 16:11  File Added: LSYii_Validators.php (8,311 bytes)


2017-09-22 15:55  c_schmitz (administrator)  ~44450


you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.



2017-09-27 08:59  c_schmitz (administrator)  ~44485




2017-09-27 09:03  jackewitz (reporter)  ~44486

Yeah, I am currently busy. Try it in the next 2 weeks.



2019-03-13 10:36  Jelle_S (reporter)  ~50941

Has any progress been made on this? We are running into the same issue. We have disabled XSS filtering for now, but it's not ideal.

Issue History

Date Modified Username Field Change
2017-08-01 16:11 jackewitz New Issue
2017-08-01 16:11 jackewitz File Added: LSYii_Validators.php
2017-09-22 15:55 c_schmitz Assigned To => c_schmitz
2017-09-22 15:55 c_schmitz Status new => feedback
2017-09-22 15:55 c_schmitz Note Added: 44450
2017-09-27 08:59 c_schmitz Note Added: 44485
2017-09-27 09:03 jackewitz Note Added: 44486
2017-09-27 09:03 jackewitz Status feedback => assigned
2019-03-13 10:36 Jelle_S Note Added: 50941