View Issue Details

IDProjectCategoryView StatusLast Update
12560Feature requestsSecuritypublic2020-09-23 18:41
Reporterjackewitz Assigned Togabrieljenik  
PrioritynoneSeverityfeature 
Status assignedResolutionopen 
Summary12560: enable video in spite of active xss filtering
Description

Dear LS-Developer,

xss filtering is mandatoryfor us, but videos (self uploaded - YouTube is a no-go) in questions and help texts is the most requested feature at our organization.

LimeSurvey uses HtmlPurifier for xss filtering via yii-framework and the wrapper class CHhtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HtmlPurifier via an array. To enable video tag (HTML5) we must use the config-object of HtmlPurifier. The trick is:

  1. change function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from proteced to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see uploaded file

My approach was to change classes from the yii-framework only minimal and add the maximum changes to the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access 'https://github.com/LimeSurvey/LimeSurvey.git/': The requested URL returned error: 403

Hope, you can think about und maybe integrate it in LimeSurvey.

Best wishes .. Iver

Additional Information

development infrastructure:

  • OS: Win10
  • docker environment
TagsNo tags attached.

Relationships

related to 16649 assignedgabrieljenik enable video in spite of active xss filtering - LSv4 

Activities

jackewitz

jackewitz

2017-08-01 16:11

reporter  

LSYii_Validators.php (8,311 bytes)
c_schmitz

c_schmitz

2017-09-22 15:55

administrator   ~44450

Hi,

you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.

c_schmitz

c_schmitz

2017-09-27 08:59

administrator   ~44485

?

jackewitz

jackewitz

2017-09-27 09:03

reporter   ~44486

Yeah, I am currently busy. Try it in the next 2 weeks.

Jelle_S

Jelle_S

2019-03-13 10:36

reporter   ~50941

Has any progress been made on this? We are running in to the same issue. We have disabled xss filtering for now, but it's not ideal

Mazi

Mazi

2019-12-05 21:25

partner   ~54959

@c_schmitz, we just had the exact same support request at Limesurvey IRC, you helped that user a few days ago.

Any way to improve this at LS 4?

gabrieljenik

gabrieljenik

2020-09-11 21:44

developer   ~59779

Integrated the code.
https://github.com/LimeSurvey/LimeSurvey/pull/1589

gabrieljenik

gabrieljenik

2020-09-11 21:45

developer   ~59780

After this is tested and accepted, I will continue with the LS4 implementation

Issue History

Date Modified Username Field Change
2017-08-01 16:11 jackewitz New Issue
2017-08-01 16:11 jackewitz File Added: LSYii_Validators.php
2017-09-22 15:55 c_schmitz Assigned To => c_schmitz
2017-09-22 15:55 c_schmitz Status new => feedback
2017-09-22 15:55 c_schmitz Note Added: 44450
2017-09-27 08:59 c_schmitz Note Added: 44485
2017-09-27 09:03 jackewitz Note Added: 44486
2017-09-27 09:03 jackewitz Status feedback => assigned
2019-03-13 10:36 Jelle_S Note Added: 50941
2019-12-05 21:25 Mazi Note Added: 54959
2020-09-09 15:47 cdorin Assigned To c_schmitz => gabrieljenik
2020-09-09 15:56 gabrieljenik Issue cloned: 16649
2020-09-09 15:56 gabrieljenik Relationship added related to 16649
2020-09-11 21:44 gabrieljenik Note Added: 59779
2020-09-11 21:45 gabrieljenik Note Added: 59780