View Issue Details

ID: 12560
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2019-03-13 10:45
Reporter: jackewitz
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: assigned
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 12560: enable video in spite of active xss filtering
Description

Dear LS-Developer,

XSS filtering is mandatory for us, but videos (self-uploaded - YouTube is a no-go) in questions and help texts are the most requested feature at our organization.

LimeSurvey uses HtmlPurifier for XSS filtering via the yii-framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way of configuring HtmlPurifier via an array. To enable the HTML5 video tag we must use the config object of HtmlPurifier. The trick is:

  1. change the function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from protected to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see uploaded file

My approach was to change classes from the yii-framework only minimally and to put the bulk of the changes into the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access 'https://github.com/LimeSurvey/LimeSurvey.git/': The requested URL returned error: 403

I hope you can think about it and maybe integrate it in LimeSurvey.

Best wishes .. Iver

Additional Information

development infrastructure:

  • OS: Win10
  • Docker environment

Tags: No tags attached.
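The configuration step the report describes (allowing the HTML5 video tag through HtmlPurifier's config object rather than the array-style options), shown as an added example that is not part of this issue, its attachment, or the LimeSurvey/Yii code base. It builds a stand-alone HTMLPurifier instance that keeps XSS filtering active but whitelists <video> and <source> with a fixed attribute set. The DefinitionID value, the attribute policy, the helper names makeVideoPurifier and purifyQuestionText, and the sample input are this example's own assumptions; it assumes HTMLPurifier is installed via Composer (ezyang/htmlpurifier).

```php
<?php
// Added example, not LimeSurvey or Yii code: stand-alone HTMLPurifier
// configuration that allows HTML5 <video>/<source> while XSS filtering stays on.
// Assumption: HTMLPurifier installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function makeVideoPurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Editing the raw HTML definition requires an ID and revision, because
    // HTMLPurifier caches compiled definitions by ID/Rev. Bump DefinitionRev
    // whenever the element/attribute policy below changes.
    $config->set('HTML.DefinitionID', 'xss-enable-video'); // example ID, assumed
    $config->set('HTML.DefinitionRev', 1);

    // Demo only: disable the on-disk definition cache so the script runs
    // anywhere. In an application keep the cache and point
    // Cache.SerializerPath at a writable directory.
    $config->set('Cache.DefinitionImpl', null);

    // Optional policy for "self-uploaded only": reject external resource
    // URIs. Note that it also applies to <img src>, so enable it knowingly.
    // $config->set('URI.DisableExternalResources', true);

    // maybeGetRawHTMLDefinition() returns null if a cached definition for
    // this ID/Rev already exists, hence the guard.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // <video>: a Block element whose children are <source> elements or
        // fallback Flow content. 'Common' adds id/class/title/lang/etc.
        // Attribute types are HTMLPurifier's own: URI#embedded is validated
        // against URI.AllowedSchemes (so javascript: is rejected) and is
        // subject to the resource-related URI directives.
        $def->addElement('video', 'Block', 'Optional: source | Flow', 'Common', array(
            'src'      => 'URI#embedded',
            'poster'   => 'URI#embedded',
            'width'    => 'Length',
            'height'   => 'Length',
            'preload'  => 'Enum#auto,metadata,none',
            'controls' => 'Bool#controls',
        ));
        // <source>: void element carrying the media URI and MIME type.
        // Type false keeps it out of the generic content sets, so it is only
        // valid where the <video> content model names it.
        $def->addElement('source', false, 'Empty', 'Common', array(
            'src'  => 'URI#embedded',
            'type' => 'Text',
        ));
        // Deliberately not whitelisted: autoplay, any on* handler, <track>.
    }

    return new HTMLPurifier($config);
}

// Purify a question or help text with the video-enabled policy.
function purifyQuestionText($html)
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = makeVideoPurifier();
    }
    return $purifier->purify($html);
}

// Constructed sample input: a legitimate self-hosted clip followed by an
// injection attempt that abuses the same tag.
$sample = <<<'HTML'
<p>Please watch the clip before answering.</p>
<video controls="controls" width="640" height="360" poster="/upload/surveys/123/poster.png">
  <source src="/upload/surveys/123/clip.mp4" type="video/mp4" />
  Your browser does not support HTML5 video.
</video>
<video src="javascript:alert(document.cookie)" onerror="alert(1)" autoplay="autoplay"></video>
HTML;

echo purifyQuestionText($sample), PHP_EOL;
```

On the sample input the first <video> and its <source> survive with their whitelisted attributes, while in the second one the javascript: src fails URI validation and is dropped, and onerror and autoplay are dropped because only the listed attributes are accepted; the element itself remains as an empty, harmless <video></video>. Wiring this into LimeSurvey still needs access to the HTMLPurifier_Config object behind Yii's CHtmlPurifier wrapper, which is exactly what step 1 of the report is about; the example sidesteps the wrapper by constructing the purifier directly.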

Activities

jackewitz
2017-08-01 16:11
reporter
File added: LSYii_Validators.php (8,311 bytes)
c_schmitz
2017-09-22 15:55
administrator   ~44450

Hi,

you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.

c_schmitz
2017-09-27 08:59
administrator   ~44485

?

jackewitz
2017-09-27 09:03
reporter   ~44486

Yeah, I am currently busy. Try it in the next 2 weeks.

Jelle_S
2019-03-13 10:36
reporter   ~50941

Has any progress been made on this? We are running into the same issue. We have disabled XSS filtering for now, but it's not ideal.

Issue History

Date Modified | Username | Field | Change
2017-08-01 16:11 jackewitz New Issue
2017-08-01 16:11 jackewitz File Added: LSYii_Validators.php
2017-09-22 15:55 c_schmitz Assigned To => c_schmitz
2017-09-22 15:55 c_schmitz Status new => feedback
2017-09-22 15:55 c_schmitz Note Added: 44450
2017-09-27 08:59 c_schmitz Note Added: 44485
2017-09-27 09:03 jackewitz Note Added: 44486
2017-09-27 09:03 jackewitz Status feedback => assigned
2019-03-13 10:36 Jelle_S Note Added: 50941