View Issue Details

ID: 12560
Project: Feature requests
Category: Security
View Status: public
Last Update: 2020-11-13 19:36
Reporter: jackewitz
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: assigned
Resolution: fixed
Summary: 12560: enable video in spite of active xss filtering
Description

Dear LS-Developer,

xss filtering is mandatory for us, but videos (self-uploaded - YouTube is a no-go) in questions and help texts are the most requested feature at our organization.

LimeSurvey uses HtmlPurifier for xss filtering via the yii-framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HtmlPurifier via an array. To enable the video tag (HTML5) we must use the config-object of HtmlPurifier. The trick is:

  1. change function getPurifier of CHtmlPurifier.php (line 113 - framework/web/widget) from protected to public - so we can get to the configuration of the internal _purifier.
  2. add some code to LSYii_Validators.php (130ff - application/core) - see uploaded file

My approach was to change classes from the yii-framework only minimal and add the maximum changes to the core code of LimeSurvey.

I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but

$ git push --set-upstream origin xss_enable_video
remote: Permission to LimeSurvey/LimeSurvey.git denied to jackewitz.
fatal: unable to access 'https://github.com/LimeSurvey/LimeSurvey.git/': The requested URL returned error: 403

Hope you can think about it and maybe integrate it in LimeSurvey.

Best wishes, Iver
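The config-object route the description refers to, as an added example (not the reporter's attachment and not the code merged in PR #1589): a plain HTMLPurifier configuration that whitelists the HTML5 video and source elements while leaving the rest of the filter at its defaults. It assumes the standalone library's HTMLPurifier.auto.php is on the include path; the function name and cache path are mine.

```php
<?php
// Added example: let HTML5 <video>/<source> through HTMLPurifier without
// relaxing the rest of the XSS filter. Assumes HTMLPurifier.auto.php is on
// the include path (hypothetical); createVideoAwarePurifier is not LimeSurvey's.
require_once 'HTMLPurifier.auto.php';

function createVideoAwarePurifier(string $cachePath): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.SerializerPath', $cachePath);
    // A customised definition needs its own ID/revision so it is cached
    // separately from the stock definition and rebuilt when the rev changes.
    $config->set('HTML.DefinitionID', 'example-video');
    $config->set('HTML.DefinitionRev', 1);

    // Returns null when a cached copy of this definition is already in use.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // Only the attributes listed here survive purification: no on*
        // handlers, and 'URI' rejects schemes outside URI.AllowedSchemes
        // (so javascript: never reaches src or poster).
        $def->addElement('video', 'Block', 'Optional: source | Flow', 'Common', [
            'src'      => 'URI',
            'type'     => 'Text',
            'width'    => 'Length',
            'height'   => 'Length',
            'poster'   => 'URI',
            'preload'  => 'Enum#auto,metadata,none',
            'controls' => 'Bool',
        ]);
        // type=false: <source> joins no content set, so it is only valid
        // inside <video>; 'Empty' because it is a void element.
        $def->addElement('source', false, 'Empty', 'Common', [
            'src'  => 'URI',
            'type' => 'Text',
        ]);
    }
    return new HTMLPurifier($config);
}

// Constructed sample: a self-hosted video plus an event-handler attribute
// that the filter must drop because it is not in the whitelist above.
$sample = '<video src="/upload/surveys/1/intro.mp4" controls onplay="x()">'
        . '<source src="/upload/surveys/1/intro.webm" type="video/webm"></video>';

$purifier = createVideoAwarePurifier(sys_get_temp_dir());
echo $purifier->purify($sample), PHP_EOL;
```

Bump HTML.DefinitionRev whenever the element or attribute list changes, otherwise the serialized definition from the cache path keeps the old whitelist.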

Additional Information

development infrastructure:

  • OS: Win10
  • docker environment
Tags: No tags attached.

Relationships

related to 16649 (assigned, gabrieljenik): enable video in spite of active xss filtering - LSv4

Activities

jackewitz (reporter) 2017-08-01 16:11

File Added: LSYii_Validators.php (8,311 bytes)

c_schmitz (administrator) 2017-09-22 15:55 ~44450

Hi,

You can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR.
Can you do that please?
Please refer to this issue # in your PR.

c_schmitz (administrator) 2017-09-27 08:59 ~44485

?

jackewitz (reporter) 2017-09-27 09:03 ~44486

Yeah, I am currently busy. Try it in the next 2 weeks.

Jelle_S (reporter) 2019-03-13 10:36 ~50941

Has any progress been made on this? We are running into the same issue. We have disabled xss filtering for now, but it's not ideal.

Mazi (partner) 2019-12-05 21:25 ~54959

@c_schmitz, we just had the exact same support request at Limesurvey IRC, you helped that user a few days ago.

Any way to improve this at LS 4?

gabrieljenik (developer) 2020-09-11 21:44 ~59779

Integrated the code.
https://github.com/LimeSurvey/LimeSurvey/pull/1589

gabrieljenik (developer) 2020-09-11 21:45 ~59780

After this is tested and accepted, I will continue with the LS4 implementation.

gabrieljenik (developer) 2020-11-12 09:01 ~60622

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30723

gabrieljenik (developer) 2020-11-12 09:03 ~60623

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30724

c_schmitz (administrator) 2020-11-13 15:28 ~60636

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30725

gabrieljenik (developer) 2020-11-13 19:36 ~60638

What's up with this one? It is already done.

Related Changesets

LimeSurvey: 3.x-LTS 8493b59c
2020-11-12 09:01:18
gabrieljenik
Committer: GitHub
New feature 12560: enable video in spite of active xss filtering (#1589)

Dev Added new configuration to the HtmlPurifier.
Dev Extended the standard HtmlPurifier so it exposes the config in a public method.
Affected Issues
12560
add - application/core/LSYii_HtmlPurifier.php
mod - application/core/LSYii_Validators.php

LimeSurvey: master 499ddee6
2020-11-12 09:01:18
gabrieljenik
Committer: c_schmitz
New feature 12560: enable video in spite of active xss filtering (#1589)

Dev Added new configuration to the HtmlPurifier.
Dev Extended the standard HtmlPurifier so it exposes the config in a public method.
Affected Issues
12560
add - application/core/LSYii_HtmlPurifier.php
mod - application/core/LSYii_Validators.php

LimeSurvey: master 98b3190f
2020-11-13 15:28:14
c_schmitz
Revert "New feature 12560: enable video in spite of active xss filtering (#1589)"

This reverts commit 499ddee66bbe429364e9b481fa934f42ab1e0062.
Affected Issues
12560
rm - application/core/LSYii_HtmlPurifier.php
mod - application/core/LSYii_Validators.php

Issue History

Date Modified Username Field Change
2017-08-01 16:11 jackewitz New Issue
2017-08-01 16:11 jackewitz File Added: LSYii_Validators.php
2017-09-22 15:55 c_schmitz Assigned To => c_schmitz
2017-09-22 15:55 c_schmitz Status new => feedback
2017-09-22 15:55 c_schmitz Note Added: 44450
2017-09-27 08:59 c_schmitz Note Added: 44485
2017-09-27 09:03 jackewitz Note Added: 44486
2017-09-27 09:03 jackewitz Status feedback => assigned
2019-03-13 10:36 Jelle_S Note Added: 50941
2019-12-05 21:25 Mazi Note Added: 54959
2020-09-09 15:47 cdorin Assigned To c_schmitz => gabrieljenik
2020-09-09 15:56 gabrieljenik Issue cloned: 16649
2020-09-09 15:56 gabrieljenik Relationship added related to 16649
2020-09-11 21:44 gabrieljenik Note Added: 59779
2020-09-11 21:45 gabrieljenik Note Added: 59780
2020-11-12 09:01 gabrieljenik Changeset attached => LimeSurvey 3.x-LTS 8493b59c
2020-11-12 09:01 gabrieljenik Note Added: 60622
2020-11-12 09:01 gabrieljenik Resolution open => fixed
2020-11-12 09:03 c_schmitz Changeset attached => LimeSurvey master 499ddee6
2020-11-12 09:03 gabrieljenik Note Added: 60623
2020-11-13 15:28 c_schmitz Changeset attached => LimeSurvey master 98b3190f
2020-11-13 15:28 c_schmitz Note Added: 60636
2020-11-13 15:28 c_schmitz Assigned To gabrieljenik => c_schmitz
2020-11-13 19:36 gabrieljenik Note Added: 60638