View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|12560||Feature requests||[All Projects] Security||public||2017-08-01 16:11||2019-03-13 10:45|
|Target Version||Fixed in Version|
|Summary||12560: enable video in spite of active xss filtering|
xss filtering is mandatory for us, but videos (self uploaded - YouTube is a no-go) in questions and help texts are the most requested feature at our organization.
LimeSurvey uses HtmlPurifier for xss filtering via yii-framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HtmlPurifier via an array. To enable the video tag (HTML5) we must use the config-object of HtmlPurifier. The trick is:
My approach was to change classes from the yii-framework only minimal and add the maximum changes to the core code of LimeSurvey.
I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but
$ git push --set-upstream origin xss_enable_video
Hope you can think about it and maybe integrate it in LimeSurvey.
Best wishes .. Iver
|Tags||No tags attached.|
LSYii_Validators.php (8,311 bytes)
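The approach described in the report (allowing the video tag through a HTML Purifier config object instead of disabling XSS filtering) can look like the following. This is an added example, not the attached LSYii_Validators.php and not LimeSurvey code; the include path, the definition ID, the function name and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not LimeSurvey's or the reporter's code.
// Assumption: HTML Purifier is installed and its autoloader is on the include path.
require_once 'HTMLPurifier.auto.php';

function buildVideoPurifier()
{
    $config = HTMLPurifier_Config::createDefault();
    // A customised definition needs its own ID and revision so that the
    // cached definition is rebuilt when the element list changes.
    $config->set('HTML.DefinitionID', 'example-html5-video'); // hypothetical ID
    $config->set('HTML.DefinitionRev', 1);
    // Media URLs may only use http(s); relative URLs remain allowed.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));

    // Returns null when a cached copy of this definition already exists.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // Only the attributes listed here (plus the Common collection) survive;
        // event handler attributes are not part of either.
        $def->addElement(
            'video',
            'Block',
            'Optional: (source, Flow) | (Flow, source) | Flow',
            'Common',
            array(
                'src'      => 'URI',
                'poster'   => 'URI',
                'width'    => 'Length',
                'height'   => 'Length',
                'preload'  => 'Enum#auto,metadata,none',
                'controls' => 'Bool#controls',
            )
        );
        $def->addElement('source', 'Block', 'Empty', 'Common', array(
            'src'  => 'URI',
            'type' => 'Text',
        ));
    }
    return new HTMLPurifier($config);
}

// Constructed sample input: one legitimate video with an injected handler,
// one video with a script URL, and a plain script element.
$dirty = '<video controls onerror="alert(1)" src="/upload/surveys/intro.mp4"></video>'
       . '<video src="javascript:alert(1)"></video>'
       . '<script>alert(1)</script>';

echo buildVideoPurifier()->purify($dirty), PHP_EOL;
```

Comparing the printed result with the input shows which parts of the markup the filter keeps once video is allowed, which is the check to repeat whenever the element or attribute list is extended.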
You can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Yeah, I am currently busy. Try it in the next 2 weeks.
Has any progress been made on this? We are running into the same issue. We have disabled xss filtering for now, but it's not ideal.
|2017-08-01 16:11||jackewitz||New Issue|
|2017-08-01 16:11||jackewitz||File Added: LSYii_Validators.php|
|2017-09-22 15:55||c_schmitz||Assigned To||=> c_schmitz|
|2017-09-22 15:55||c_schmitz||Status||new => feedback|
|2017-09-22 15:55||c_schmitz||Note Added: 44450|
|2017-09-27 08:59||c_schmitz||Note Added: 44485|
|2017-09-27 09:03||jackewitz||Note Added: 44486|
|2017-09-27 09:03||jackewitz||Status||feedback => assigned|
|2019-03-13 10:36||Jelle_S||Note Added: 50941|