View Issue Details

This bug affects 1 person(s).
ID: 14972
Project: Bug reports
Category: _ Unknown
View Status: public
Last Update: 2021-06-07 08:54
Reporter: gfi_spiess
Assigned To: ollehar
Priority: high
Severity: minor
Status: feedback
Resolution: open
Product Version: 3.17.x
Summary: 14972: Ampersand will be translated into "&amp"
Description: If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&amp”.
This problem does not exist for Super-Admin, just by regular users.
Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 3.17.5
I will donate to the project if issue is resolved: No
Browser: Mozilla Firefox
Database & DB-Version: MS SQL 2012 SP4
Server OS (if known): Red Hat Enterprise Linux Server Release 7.4
Webserver software & version (if known): Apache/2.4.6
PHP Version: PHP 5.4.16

Relationships

related to 14113 (closed, c_schmitz): Ampersands are changed to &

Activities

gfi_spiess (reporter), 2019-06-14 08:33

Attachments: datenausgabe.jpg (13,321 bytes), Dateneingabe.jpg (23,250 bytes)
Mazi (partner), 2019-06-14 09:01, note ~52411

Are you sure about the PHP version being used? According to https://manual.limesurvey.org/Installation_-_LimeSurvey_CE#Make_sure_you_can_use_LimeSurvey_on_your_website Limesurvey 3.x requires PHP 5.5 or later, you mentioned PHP v5.4.
Mazi (partner), 2019-06-14 09:03, note ~52412, last edited 2021-03-22 22:10

@DenisChenu, could this be related to the XSS filter?
DenisChenu (developer), 2019-06-14 09:13, note ~52413, last edited 2021-03-22 22:10

@Mazi : i don't know … try to deactivate XSS and check …
Mazi (partner), 2019-06-24 13:16, note ~52497, last edited 2021-03-22 22:10

@cdorin, FYI, this is an issue reported by one of our customers.
cdorin (manager), 2019-06-24 13:18, note ~52498, last edited 2021-03-22 22:10

Will also test it on multiple instances and assign it accordingly. Thanks for the tag.
cdorin (manager), 2019-06-24 14:15, note ~52501, last edited 2021-03-22 22:10

It is related to the XSS filter. If disabled, everything is fine. If enabled, the "&amp" is displayed
DenisChenu (developer), 2019-06-27 18:02, note ~52598, last edited 2021-03-22 22:10

`&` is invalid in HTML …
DenisChenu (developer), 2019-06-27 18:03, note ~52599, last edited 2021-03-22 22:10

Question : maybe we can deactivate XSS protection on attribute value ? Someone find a reason why it's added ?

Attribute can be shown in Survey, but like all user entered value if I don't make error ?

Must find it was added, maybe there are a security reason …
Mazi (partner), 2019-08-21 13:55, note ~53217, last edited 2021-03-22 22:10

Any chance to get this finally fixed at the next release?
DenisChenu (developer), 2019-08-21 17:14, note ~53220, last edited 2021-03-22 22:10

Line apply XSS : https://github.com/LimeSurvey/LimeSurvey/blob/0479e3ff93ff1473a25c71e83cc011920b072b4c/application/models/Token.php#L358
blame/parent/browse/blame/parent/browse (because scrutinizer …)

Fixed here : https://github.com/LimeSurvey/LimeSurvey/commit/160b48a95f8bc5b9ac21d02c38720ac12092d9ce

Added here : https://github.com/LimeSurvey/LimeSurvey/commit/aeead563c66883cc97a3e861ab1ce4e7fded9b97

Then linked with https://bugs.limesurvey.org/view.php?id=9840

I assign it to Carsten : in my opinion : XSS can be filtered in «out» : always encode token attribute in view, but not in in (when saved)
Mazi (partner), 2019-09-02 16:19, note ~53391, last edited 2021-03-22 22:10

@c_schmitz
@cdorin
@eddylackmann
...sorry to bother you, but again I was asked by the customer when a fix can be expected. Any news?
ollehar (administrator), 2020-01-31 13:37, note ~55583, last edited 2021-03-22 22:10

> ...sorry to bother you, but again I was asked by the customer when a fix can be expected. Any news?

It is "fixed". Just disable the XSS filtering.
ollehar (administrator), 2020-01-31 13:38, note ~55584, last edited 2021-03-22 22:10

We can't have both XSS filtering and leaving ampersand as-is. I argue this is already fixed, since the customer's desired behaviour is achieved if XSS filtering is disabled.
Mazi (partner), 2020-01-31 14:59, note ~55590, last edited 2021-03-22 22:10

@ollehar, from my point of view there is not really a solution. This is a larger company with many LS users. Most of them are no super admins but need to be able to enter names with special characters like "&" at the participant screen.
What can they do if switching off XSS is no option for security reasons?
ollehar (administrator), 2020-01-31 15:20, note ~55592, last edited 2021-03-22 22:10

> What can they do if switching of XSS is no option for security reasons?

Can't have both the cake and eat it. :|

Maybe we can limit HTML escaping to '<' and '>'? If that would be enough to limit XSS.
ollehar (administrator), 2020-01-31 15:21, note ~55593, last edited 2021-03-22 22:10

Here's a thread about it: https://stackoverflow.com/questions/39214564/why-ampersand-should-be-escaped-because-of-xss-injection

Happy reading!
jelo (partner), 2020-01-31 15:51, note ~55597, last edited 2021-03-22 22:10

Escaping & is correct. But how is showing &amp as the content instead of & related to the stackoverflow article?
Escaping correctly doesn't result in showing & as &amp inside a web application.

The XSS filter is not used, and complaints about that "feature" are low. Most users are working with the XSS filter off. Most LimeSurvey installations have only 1-2 users, which mostly have a user role which never exposes them to the XSS filter.
Mazi (partner), 2020-02-07 13:10, note ~55804, last edited 2021-03-22 22:10

@ollehar, isn't this actually a matter of properly showing escaped "&" characters?
If not, can we try to exclude "&" from XSS?

Forgive my missing knowledge about the escaping details and the like. I only follow up on the customer's request, but it would be weird to not be able to enter "Olle & Team" as a token name or attribute detail.
ollehar (administrator), 2020-02-11 15:15, note ~55865, last edited 2021-03-22 22:10

@CDorin Can you put priority on this? Or discuss it with Carsten during sprint planning.
jelo (partner), 2020-02-11 15:34, note ~55866, last edited 2021-03-22 22:10

To proclaim that only superadmins can enter "&" into fields is one way, but how can anyone take that seriously?
I recommend to activate the XSS filter for superadmins for one week in LimeSurvey. The amount of feedback will be big ;-)

The HTML filter is removing "&", which should not be the case.
DenisChenu (developer), 2020-02-11 15:42, note ~55867, last edited 2021-03-22 22:10

The HTML filter replaces & by `&amp;`. Because when you show it inside an HTML page it must be `&amp;` ...

The question is more: do firstname and lastname (and attributes) have to be HTML filtered?

But: with {FIRSTNAME} {LASTNAME}: possible XSS.

> I recommend to activate the XSS filter for superadmins for one week in LimeSurvey. The amount of feedback will be big ;-)

I already have sample user access on some instance, and we can do a lot ....

**Question** Why exactly is it an issue? When do you **really** need & in lastname?

jelo (partner), 2020-02-11 15:54, note ~55868, last edited 2021-03-22 22:10

The "&" is part of many company names in Germany.
But I don't understand why a user has to explain why & should be a valid character for a Lastname field. Or any other field.
The developer has to explain why "&" cannot be used in the field. I hope the solution is not to add a company field (where & is allowed).
DenisChenu (developer), 2020-02-11 16:03, note ~55870, last edited 2021-03-22 22:10

Yes, and when a string with & is shown in HTML it's always `&amp;`
DenisChenu (developer), 2020-02-11 16:04, note ~55871, last edited 2021-03-22 22:10

My opinion : the only issue is
- View in browse
- Send by email text.
jelo (partner), 2020-02-11 16:53, note ~55872, last edited 2021-03-22 22:10

To sum up:
Ollehar: No issue: XSS works as intended
DenisChenu: the only issue is "View in browse" / "Send by email text"

Correct, the issue hasn't changed since 2019-06-14.
Displaying the entered content (here &) everywhere like it was entered is the expected behavior.
And that is not working during browsing data, sending e-mail and perhaps when displaying the name inside the survey.
I don't have these issues, because I don't use the XSS filter at all. So it might work correctly in the survey.
DenisChenu (developer), 2020-02-11 17:13, note ~55874, last edited 2021-03-22 22:10

> perhaps when displaying name inside the survey.

I think there are more potential issues without XSS when displaying in an HTML page (or an HTML email)
c_schmitz (administrator), 2020-02-12 11:58, note ~55894, last edited 2021-03-22 22:10

I don't see a way to fix this - even displaying it correctly is a problem.
Because we don't know who is sending the email or looking at the participants list - was it the XSS-filtered user who entered it in the first place or a superadmin? Is the ampersand supposed to be there or not, etc.

Maybe a solution for affected people would be to have the XSS filter as a user-based setting.
DenisChenu (developer), 2020-02-12 11:59, note ~55895, last edited 2021-03-22 22:10

> Maybe a solution for affected people would be to have the XSS filter as a user-based setting.

It can not be a setting for the user: since it's a security setting, it must be a user rights setting.
jelo (partner), 2020-02-12 12:05, note ~55896, last edited 2021-03-22 22:10

@c_schmitz: Even displaying is a problem?
Someone enters a company name into a field and saves it. That name contains "&" as part of the name.
And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

It's the same as here in Mantis. I type & into this note field.
DenisChenu (developer), 2020-02-12 12:05, note ~55897, last edited 2021-03-22 22:10

There are **NO issues** when sending email in HTML format
Neither in HTML view nor txt view

There are **NO issues** with {TOKEN:LASTNAME} usage

See the screenshots ...
DenisChenu (developer), 2020-02-12 12:08, note ~55898, last edited 2021-03-22 22:10

Only real issue : when sending email as text (Survey setting : Use HTML format for token emails: to NO)
c_schmitz (administrator), 2020-02-12 12:08, note ~55899, last edited 2021-03-22 22:10

Another way to fix it would be to see participants data generally as unsafe. That would mean we would XSS-filter it always on output. In the administration this is already done. For the survey taking part this could be also done. It will just be a problem for people who store data with HTML in their participants fields and want to show it in the survey (it would be no problem for E-mails). Question is if users do that (I bet there are) and how many they are.

DenisChenu (developer), 2020-02-12 12:10, note ~55900, last edited 2021-03-22 22:10

@jelo
> And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

is **totally false** ! Please test before writing something : in fact & **NEED** to be escaped to be displayed in HTML

See the screenshot at https://bugs.limesurvey.org/view.php?id=14972#c55897
c_schmitz (administrator), 2020-02-12 12:10, note ~55901, last edited 2021-03-22 22:10

Yes, I meant a user-based permission.
DenisChenu (developer), 2020-02-12 12:11, note ~55902, last edited 2021-03-22 22:10

> It will just be a problem for people who store data with HTML in their participants fields.

Why not, but if the user has XSS enabled: it must be filtered ......

The only issue is "Use HTML format for token emails: to NO"
c_schmitz (administrator), 2020-02-12 12:13, note ~55903, last edited 2021-03-22 22:10

> And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

Yes, it is. To show it you would have to HTML decode it first, which means that you could introduce XSS in the administration. This is not just about the ampersand here, but about all critical characters.
c_schmitz (administrator), 2020-02-12 12:33, note ~55904, last edited 2021-06-07 08:54

OK, so three measures here:

* Implement XSS filter user permission
* Change existing global permission to have the following options 'Force to Yes (Default)', 'User-based', 'Force to No', while the old On/off will map to the "Force to yes" and "Force to No."
* Remove XSS filter on input/import for participant data and generally filter participant data instead on output (survey taking, invitations/reminders) - no exceptions!

(Todo: I am not sure about that last point because someone out there is probably using participant data attributes to store URLs and such - also do not know who entered the data in the first place)



These are significant changes, can only be implemented in 4.x.
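To make the trade-off in the measures above concrete (and the earlier question in ~55592 about escaping only '<' and '>'), here is an added example that is not LimeSurvey's code: it models the two strategies argued about in this ticket side by side, filtering participant data on input versus storing it raw and encoding it at each output boundary. All function names (`filterOnInput`, `storeRaw`, `encodeForHtmlText`, `encodeForHtmlAttribute`, `encodeForPlainText`, `escapeAngleBracketsOnly`, `renderEverywhere`) are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not LimeSurvey's code. Models the strategies discussed in
// LimeSurvey bug 14972: escape on input vs. store raw and encode on output.
// Every function name here is hypothetical; sample values are constructed.
declare(strict_types=1);

/** Strategy A: the input filter rewrites the value before it is stored. */
function filterOnInput(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Strategy B: the value is stored exactly as the user entered it. */
function storeRaw(string $raw): string
{
    return $raw;
}

/** Output boundary: HTML text node (participant list, {FIRSTNAME} in a survey
 *  page, HTML e-mail body). In this context "&" is written as an entity. */
function encodeForHtmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Output boundary: quoted HTML attribute (e.g. an href built from a stored
 *  URL). The same encoding is correct as long as the attribute is quoted. */
function encodeForHtmlAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Output boundary: plain-text e-mail ("Use HTML format for token emails" set
 *  to No). There is no markup, so nothing may be encoded here. */
function encodeForPlainText(string $value): string
{
    return $value;
}

/** The partial escaping floated in the thread: only '<' and '>'. */
function escapeAngleBracketsOnly(string $value): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

/** Render one stored value at both boundaries so the strategies compare. */
function renderEverywhere(string $stored): array
{
    return [
        'html_list'  => encodeForHtmlText($stored),
        'text_email' => encodeForPlainText($stored),
    ];
}

$company = 'Olle & Team';   // constructed sample, taken from the thread

// Strategy A: the stored value already carries an entity. The HTML list
// encodes it a second time and the plain-text mail ships the entity as-is.
echo "Strategy A (filter on input):\n";
print_r(renderEverywhere(filterOnInput($company)));

// Strategy B: each boundary encodes for itself, so both are right.
echo "Strategy B (store raw, encode on output):\n";
print_r(renderEverywhere(storeRaw($company)));

// The "Todo" case: a stored URL with a query string. Under strategy B the
// entity inside a quoted href is decoded back to "&" by the browser.
$url = 'https://example.invalid/s?a=1&b=2';   // constructed sample
echo '<a href="' . encodeForHtmlAttribute($url) . '">link</a>', PHP_EOL;

// Why escaping only '<' and '>' is not enough: a quote inside a quoted
// attribute terminates that attribute, and no angle bracket is needed.
$attrValue = '" title="injected';   // constructed sample, contains no < or >
echo '<input value="' . escapeAngleBracketsOnly($attrValue) . '">', PHP_EOL;
echo '<input value="' . encodeForHtmlText($attrValue) . '">', PHP_EOL;
```

Run it with `php example.php`. Strategy A produces the two symptoms from the ticket: the HTML list shows the entity double-encoded (because `htmlspecialchars` encodes the existing `&amp;` again by default), and the plain-text e-mail shows `&amp;` literally. Strategy B yields a correctly rendered `&` in both places, and the stored URL stays usable because the browser decodes the attribute entity. The last two lines show that with only `<` and `>` escaped the attribute boundary is broken, while full encoding keeps the value inside one attribute; that is why restricting the filter to angle brackets does not remove the XSS risk.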
DenisChenu (developer), 2020-02-12 12:37, note ~55906, last edited 2021-03-22 22:10

> filter participant data instead on output (survey taking)

Must be when sending html email too ....
jelo (partner), 2020-02-12 12:37, note ~55907, last edited 2021-03-22 22:10

1. I currently trust the screenshots from the ticket starter. If you all tell me they are faked, fine.
2. In the screenshot I see a &amp instead of a &. And you tell me that is like you want LimeSurvey to behave?
Attachment: datenausgabeModfied.jpg (13,839 bytes)
DenisChenu (developer), 2020-02-12 12:39, note ~55908, last edited 2021-03-22 22:10

It's only on the list ... This is not a real issue ...
And in this part : we **must** encode HTML else anybody can do anything with your account.
c_schmitz (administrator), 2020-02-12 12:45, note ~55909, last edited 2021-03-22 22:10

> Must be when sending html email too ....

Sure, for HTML email it should also be automatically encoded.

c_schmitz (administrator), 2020-02-12 12:49, note ~55910, last edited 2021-03-22 22:10

@jelo The screenshots are not faked, but the problem is deeper than you currently seem to realize.
jelo (partner), 2020-02-12 13:09, note ~55911, last edited 2021-03-22 22:10

The funny thing is, that my understanding or misunderstanding is not important.
The only important thing is the official reasoning of LimeSurvey for that behavior (Entering &, displaying &amp).

Now I read: "It's only on the list ... This is not a real issue."
The whole ticket is about that the list is displaying the entered text wrong.

The real issue might be implementing a Zero Trust model inside LimeSurvey without making the user experience zero too.
I second your idea with user permission. Placing XSS protection settings in the user permission profile is the shortcut solution.
c_schmitz (administrator), 2020-02-12 14:08, note ~55912, last edited 2021-03-22 22:10

@jelo Yes, and I understand your user story.
The measures I proposed above will completely take care of both user experience and security, so I am wondering why you keep implying that "that is like I want LimeSurvey to behave?"
jelo (partner), 2020-02-12 14:43, note ~55915, last edited 2021-03-22 22:10

c_schmitz: There are more participants in this ticket than you. If you read all the notes, the conclusion that it is intended behavior is not far fetched. To allow deactivating the XSS countermeasure to prevent showing &amp is not contradicting the intended behavior statement.

But as cdorin is the product owner and ticket owner he will surely be able to sum it up after the next sprint.
And since it is a user story from a customer of Mazi, they need to be pleased. Not me, I don't use the participant list for mailings.

Thanks for your time.
DenisChenu (developer), 2020-02-12 15:17, note ~55918, last edited 2021-03-22 22:10

> Now I read: "It's only on the list ... This is not a real issue."
> The whole ticket is about that the list is displaying the entered text wrong.

This is for me @jelo, not for @c_schmitz or @cdorin or any LimeSurvey team.

And sorry: maybe the screenshot was about the list, but the text of the issue is

> 14972: Ampersand will be translated into "&amp"
> If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&amp”.
> This problem does not exist for Super-Admin, just by regular users.

It's not limited to the list in the description.

And in https://bugs.limesurvey.org/view.php?id=14972#c55867, I ask

> Question Why exactly it's an issue ? When you really need & in lastname ?

You really need & decoded in the list? Really needed? No, I don't think so ...

You really need to show "Your company are LimeSurvey & plugin" during survey : OK, **no issue** here. Encoded 1 is OK....
c_schmitz (administrator), 2020-02-12 15:47, note ~55923, last edited 2021-03-22 22:10

Anyway, discussion is finished. Solution is in 14972:55904

ollehar (administrator), 2021-03-04 17:54, note ~62734, last edited 2021-03-22 22:10

Should I move this to new features? I believe I fixed a similar issue related to `'` earlier.

What's the priority?

Issue History

Date Modified Username Field Change
2019-06-14 08:33 gfi_spiess New Issue
2019-06-14 08:33 gfi_spiess File Added: datenausgabe.jpg
2019-06-14 08:33 gfi_spiess File Added: Dateneingabe.jpg
2019-06-14 09:00 Mazi Product Version 3.12.x => 3.17.x
2019-06-14 09:01 Mazi Note Added: 52411
2019-06-14 09:03 Mazi Note Added: 52412
2019-06-14 09:13 DenisChenu Note Added: 52413
2019-06-24 13:16 Mazi Note Added: 52497
2019-06-24 13:18 cdorin Note Added: 52498
2019-06-24 14:15 cdorin Note Added: 52501
2019-06-27 17:46 cdorin Assigned To => dominikvitt
2019-06-27 17:46 cdorin Status new => assigned
2019-06-27 18:02 DenisChenu Note Added: 52598
2019-06-27 18:03 DenisChenu Note Added: 52599
2019-07-15 11:41 dominikvitt Assigned To dominikvitt => cdorin
2019-08-08 17:16 cdorin Assigned To cdorin => eddylackmann
2019-08-21 13:55 Mazi Note Added: 53217
2019-08-21 17:14 DenisChenu Note Added: 53220
2019-09-02 16:19 Mazi Note Added: 53391
2020-01-31 10:03 Mazi Relationship added related to 14113
2020-01-31 12:56 ollehar Priority none => high
2020-01-31 13:37 ollehar Note Added: 55583
2020-01-31 13:38 ollehar Note Added: 55584
2020-01-31 13:44 ollehar Status assigned => feedback
2020-01-31 14:59 Mazi Note Added: 55590
2020-01-31 15:20 ollehar Note Added: 55592
2020-01-31 15:21 ollehar Note Added: 55593
2020-01-31 15:51 jelo Note Added: 55597
2020-02-07 13:10 Mazi Note Added: 55804
2020-02-11 15:15 ollehar Note Added: 55865
2020-02-11 15:34 jelo Note Added: 55866
2020-02-11 15:42 DenisChenu Note Added: 55867
2020-02-11 15:43 DenisChenu Note Edited: 55867
2020-02-11 15:54 jelo Note Added: 55868
2020-02-11 16:03 DenisChenu Note Added: 55870
2020-02-11 16:04 DenisChenu File Added: Capture d’écran du 2020-02-11 16-01-45.png
2020-02-11 16:04 DenisChenu File Added: Capture d’écran du 2020-02-11 16-02-03.png
2020-02-11 16:04 DenisChenu Note Added: 55871
2020-02-11 16:53 jelo Note Added: 55872
2020-02-11 17:13 DenisChenu Note Added: 55874
2020-02-12 11:58 c_schmitz Note Added: 55894
2020-02-12 11:59 DenisChenu Note Added: 55895
2020-02-12 12:05 jelo Note Added: 55896
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-01-28.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-01-52.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-02-14.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-02-28.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-04-10.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-04-44.png
2020-02-12 12:05 DenisChenu Note Added: 55897
2020-02-12 12:08 DenisChenu Note Added: 55898
2020-02-12 12:08 c_schmitz Note Added: 55899
2020-02-12 12:10 DenisChenu Note Added: 55900
2020-02-12 12:10 c_schmitz Note Added: 55901
2020-02-12 12:11 DenisChenu Note Added: 55902
2020-02-12 12:13 c_schmitz Note Added: 55903
2020-02-12 12:29 c_schmitz Note Edited: 55899
2020-02-12 12:33 c_schmitz Note Added: 55904
2020-02-12 12:34 c_schmitz Assigned To eddylackmann => cdorin
2020-02-12 12:34 c_schmitz Status feedback => confirmed
2020-02-12 12:36 c_schmitz Note Edited: 55904
2020-02-12 12:36 c_schmitz Note Edited: 55904
2020-02-12 12:37 DenisChenu Note Added: 55906
2020-02-12 12:37 jelo File Added: datenausgabeModfied.jpg
2020-02-12 12:37 jelo Note Added: 55907
2020-02-12 12:39 DenisChenu Note Added: 55908
2020-02-12 12:44 c_schmitz Note Edited: 55904
2020-02-12 12:45 c_schmitz Note Added: 55909
2020-02-12 12:46 c_schmitz Note Edited: 55909
2020-02-12 12:49 c_schmitz Note Added: 55910
2020-02-12 13:09 jelo Note Added: 55911
2020-02-12 14:08 c_schmitz Note Added: 55912
2020-02-12 14:43 jelo Note Added: 55915
2020-02-12 15:17 DenisChenu Note Added: 55918
2020-02-12 15:47 c_schmitz Note Added: 55923
2020-02-12 15:48 c_schmitz Note Edited: 55923
2020-02-21 14:52 cdorin Assigned To cdorin =>
2021-03-04 17:54 ollehar Note Added: 62734
2021-03-04 17:54 ollehar Assigned To => ollehar
2021-03-04 17:54 ollehar Status confirmed => feedback
2021-03-25 17:42 c_schmitz Note Edited: 55904
2021-03-25 17:42 c_schmitz Note Edited: 55904
2021-06-07 08:51 c_schmitz Note Edited: 55904
2021-06-07 08:54 c_schmitz Note Edited: 55904