View Issue Details

ID: 14972
Project: Bug reports
Category: [All Projects] _ Unknown
View Status: public
Last Update: 2019-07-15 11:41
Reporter: gfi_spiess
Assigned To: cdorin
Priority: none
Severity: minor
Status: assigned
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 14972: Ampersand will be translated into "&amp"
Description

If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&amp”.
This problem does not exist for Super-Admin, just for regular users.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.5
I will donate to the project if issue is resolved: No
Browser: Mozilla Firefox
Database & DB-Version: MS SQL 2012 SP4
Server OS (if known): Red Hat Enterprise Linux Server Release 7.4
Webserver software & version (if known): Apache/2.4.6
PHP Version: PHP 5.4.16

Activities

gfi_spiess

2019-06-14 08:33

reporter  

datenausgabe.jpg (13,321 bytes)
Dateneingabe.jpg (23,250 bytes)
Mazi

2019-06-14 09:01

partner   ~52411

Are you sure about the PHP version being used? According to https://manual.limesurvey.org/Installation_-_LimeSurvey_CE#Make_sure_you_can_use_LimeSurvey_on_your_website Limesurvey 3.x requires PHP 5.5 or later, you mentioned PHP v5.4.

Mazi

2019-06-14 09:03

partner   ~52412

@DenisChenu, could this be related to the XSS filter?

DenisChenu

2019-06-14 09:13

developer   ~52413

@Mazi: I don't know … try to deactivate XSS and check …

Mazi

2019-06-24 13:16

partner   ~52497

@cdorin, FYI, this is an issue reported by one of our customers.

cdorin

2019-06-24 13:18

manager   ~52498

Will also test it on multiple instances and assign it accordingly. Thanks for the tag.

cdorin

2019-06-24 14:15

manager   ~52501

It is related to the XSS filter. If disabled, everything is fine. If enabled, the "&amp" is displayed.

DenisChenu

2019-06-27 18:02

developer   ~52598

& is invalid in HTML …

DenisChenu

2019-06-27 18:03

developer   ~52599

Question: maybe we can deactivate XSS protection on attribute values? Has someone found a reason why it's added?

Attributes can be shown in the survey, but like all user-entered values, if I'm not mistaken?

Must find it was added, maybe there is a security reason …

Issue History

Date Modified Username Field Change
2019-06-14 08:33 gfi_spiess New Issue
2019-06-14 08:33 gfi_spiess File Added: datenausgabe.jpg
2019-06-14 08:33 gfi_spiess File Added: Dateneingabe.jpg
2019-06-14 09:00 Mazi Product Version 3.12.x => 3.17.x
2019-06-14 09:01 Mazi Note Added: 52411
2019-06-14 09:03 Mazi Note Added: 52412
2019-06-14 09:13 DenisChenu Note Added: 52413
2019-06-24 13:16 Mazi Note Added: 52497
2019-06-24 13:18 cdorin Note Added: 52498
2019-06-24 14:15 cdorin Note Added: 52501
2019-06-27 17:46 cdorin Assigned To => dominikvitt
2019-06-27 17:46 cdorin Status new => assigned
2019-06-27 18:02 DenisChenu Note Added: 52598
2019-06-27 18:03 DenisChenu Note Added: 52599
2019-07-15 11:41 dominikvitt Assigned To dominikvitt => cdorin
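
The behaviour discussed in the notes above, as an added example that is not LimeSurvey code: it shows how a filter applied on input combined with HTML encoding on output yields a literal "&amp", and how encoding only at output keeps markup inert without altering the stored value. It assumes the filter entity-encodes on input; `filterOnInput`, `encodeForHtml`, `renderedText` and `looksPreEncoded` are hypothetical names, and the sample values are constructed.

```php
<?php
// Added example. Function names are hypothetical, not LimeSurvey's API.

// Stand-in for an input-time XSS filter (assumption): tags are dropped and
// the rest is returned as HTML, so a bare "&" is stored as an entity.
function filterOnInput($raw)
{
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES, 'UTF-8');
}

// Context-aware encoding applied when a value is written into HTML text
// or a quoted attribute.
function encodeForHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The text a browser displays for that HTML: entities are decoded exactly
// once, and the result is shown as text, not parsed as markup.
function renderedText($html)
{
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

// True when a stored value already contains entities, which marks rows
// saved while the input filter was active.
function looksPreEncoded($stored)
{
    return renderedText($stored) !== $stored;
}

// Constructed sample attribute values.
$samples = array('Smith & Sons', '<b>Acme</b> & Co');

foreach ($samples as $raw) {
    // Filter enabled: encoded on input, then encoded again on output.
    $storedFiltered = filterOnInput($raw);
    $shownFiltered  = renderedText(encodeForHtml($storedFiltered));

    // Raw storage, encoding only at output.
    $shownRaw = renderedText(encodeForHtml($raw));

    printf("input          : %s\n", $raw);
    printf("filtered store : %s (pre-encoded: %s)\n", $storedFiltered,
        looksPreEncoded($storedFiltered) ? 'yes' : 'no');
    printf("filtered shown : %s\n", $shownFiltered);
    printf("raw shown      : %s\n\n", $shownRaw);
}
```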