View Issue Details

ID: 14681
Project: Bug reports
Category: [All Projects] Import/Export
View Status: public
Last Update: 2019-04-01 15:12
Reporter: datamunger
Assigned To:
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 3.15.x
Target Version:
Fixed in Version:
Summary: 14681: Attribute values beginning with a "<"-sign are omitted during SPSS export
Description

When using the functionality SPSS-export to export survey results, attributes are usually exported as string variables. If the string begins with a "<" (less-than) sign, the result is omitted for that case.

Steps To Reproduce

Create a survey with participant list, assign an attribute, give the attribute a string value beginning with "<", fill in the surveys, then export the responses for SPSS.

The .dat file will have empty cells where the "<" should be, and the resulting .sav file will show these cells as missing values.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.15.6+190108
I will donate to the project if issue is resolved: No
Browser: all browsers
Database & DB-Version: unknown
Server OS (if known):
Webserver software & version (if known):
PHP Version: unknown

Activities

DenisChenu

2019-03-26 09:50

developer   ~51128

Usage of < in HTML is a bad idea : use &lt;

datamunger

2019-03-27 15:21

reporter   ~51174

Thanks for the tip, @DenisChenu! I will be sure to pay attention to this.

But isn't part of the purpose of the Limesurvey Backend to transform "normal" user input into HTML Code?

As in, if I enter the character "<" into any web form as an end user, it should be transformed into < for all intents and purposes, because that's the correct way to express the character in code.
If LimeSurvey doesn't do this transformation, that is a bug.

datamunger

2019-03-27 15:39

reporter   ~51175

Case in point - it should be transformed into [html]<[/html]

datamunger

2019-03-27 15:41

reporter   ~51176

[code]<[/code]

datamunger

2019-03-27 15:42

reporter   ~51177

I give up. Any instructions on how to format, edit or delete notes in this board?

DenisChenu

2019-03-27 16:04

developer   ~51178

"But isn't part of the purpose of the Limesurvey Backend to transform "normal" user input into HTML Code?"

Use a non-super-admin user account: XSS security fixes this.
I have a Feature request somewhere to enable XSS security for super-admin too.

datamunger

2019-04-01 08:49

reporter   ~51231

OK, now that I understand that it is tied to the super-admin user, it actually makes more sense, thank you.
Could you point me towards your feature request? I can't seem to find it in the tracker by searching for "XSS" or "super-admin".

datamunger

2019-04-01 11:45

reporter   ~51235

So I've been tinkering with some dummy data, and it doesn't seem like we've really found the root of the problem yet.

I used a non-super-administrator account (actually I don't even have a super-admin account) and the problem remains. Any other ideas what could be the cause?

DenisChenu

2019-04-01 11:49

developer   ~51236

You set the answer to &lt; and it doesn't fix the issue? Let me check.

datamunger

2019-04-01 11:52

reporter   ~51237

Sorry, I wasn't clear. I was referring to this:

"But isn't part of the purpose of the Limesurvey Backend to transform "normal" user input into HTML Code?"
"Use a non super-admin account user : XSS security fix this."

I thought with a non super-admin, I would be able to use "<" normally, or did I misunderstand?

DenisChenu

2019-04-01 11:56

developer   ~51238

Seems OK? Otherwise, please send an lss and the syntax file.



limesurvey_survey_598327.lss (19,640 bytes)
survey_598327_SPSS_data_file.dat (57 bytes)
survey_598327_SPSS_syntax_file.sps (969 bytes)
DenisChenu

2019-04-01 12:07

developer   ~51241

Last edited: 2019-04-01 12:07

You don't misunderstand, and just check with XSS security set to ON and a non-super-admin user: < 10 is set to &lt; 10

datamunger

2019-04-01 14:42

reporter   ~51244

OK, thanks!

This doesn't work for older surveys, but I successfully tested it with a dummy survey with my own account and will instruct my colleagues to test it with their accounts as well.

datamunger

2019-04-01 15:10

reporter   ~51245

We'll be working with <code><</code> from now on, but thanks again for the input.
Please let me know if you can find the feature request for XSS-security for super-administrators.

datamunger

2019-04-01 15:12

reporter   ~51246

We'll be working with your suggestion to substitute &lt;
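
Added example, not part of the thread and not LimeSurvey code: a small Python model of the symptom and of the &lt; workaround discussed above. It assumes (the thread does not confirm the cause) that the export strips HTML tags from string values and then decodes entities; strip_tags, export_cell, store_encoded, find_blanked and the sample rows are constructed for illustration.

```python
import html
import re

# Hypothetical stand-in for a tag-stripping export step. Anything that looks
# like the start of a tag is removed, including an unterminated "<..." run
# that reaches the end of the string. "<" followed by whitespace is kept.
_TAG = re.compile(r"<[^\s<>][^<>]*>?")


def strip_tags(value: str) -> str:
    return _TAG.sub("", value)


def export_cell(stored: str) -> str:
    """Model of a plain-text export cell: strip markup, then decode entities."""
    return html.unescape(strip_tags(stored)).strip()


def store_encoded(raw: str) -> str:
    """Entity-encode on input, so '<' is stored as '&lt;' (the workaround)."""
    return html.escape(raw, quote=False)


def find_blanked(rows):
    """Return ids of non-empty stored values that would export as empty cells.

    Useful for auditing values saved before encoding was applied.
    """
    return [rid for rid, stored in rows
            if stored.strip() and export_cell(stored) == ""]


# Constructed sample attribute values (id, stored string).
SAMPLE = [
    (1, "<18 years"),       # raw '<' at the start: looks like an open tag
    (2, "&lt;18 years"),    # entity-encoded: survives stripping
    (3, "18-30 years"),     # no markup characters
    (4, "<b>VIP</b>"),      # real markup: tags removed, text kept
    (5, "< 10"),            # '<' followed by a space is not tag-like
]

if __name__ == "__main__":
    for rid, stored in SAMPLE:
        print(rid, repr(stored), "->", repr(export_cell(stored)))
    print("blanked on export:", find_blanked(SAMPLE))
```
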

Issue History

Date Modified Username Field Change
2019-03-22 17:56 datamunger New Issue
2019-03-22 17:56 datamunger Issue generated from: 14311
2019-03-26 09:50 DenisChenu Note Added: 51128
2019-03-27 15:21 datamunger Note Added: 51174
2019-03-27 15:39 datamunger Note Added: 51175
2019-03-27 15:41 datamunger Note Added: 51176
2019-03-27 15:42 datamunger Note Added: 51177
2019-03-27 16:04 DenisChenu Note Added: 51178
2019-04-01 08:49 datamunger Note Added: 51231
2019-04-01 11:45 datamunger Note Added: 51235
2019-04-01 11:49 DenisChenu Note Added: 51236
2019-04-01 11:52 datamunger Note Added: 51237
2019-04-01 11:56 DenisChenu File Added: limesurvey_survey_598327.lss
2019-04-01 11:56 DenisChenu File Added: survey_598327_SPSS_data_file.dat
2019-04-01 11:56 DenisChenu File Added: survey_598327_SPSS_syntax_file.sps
2019-04-01 11:56 DenisChenu Note Added: 51238
2019-04-01 11:56 DenisChenu Severity major => minor
2019-04-01 12:07 DenisChenu Note Added: 51241
2019-04-01 12:07 DenisChenu Note Edited: 51241 View Revisions
2019-04-01 14:42 datamunger Note Added: 51244
2019-04-01 15:10 datamunger Note Added: 51245
2019-04-01 15:12 datamunger Note Added: 51246