View Issue Details

ID: 14972
Project: Bug reports
Category: _ Unknown
View Status: public
Last Update: 2020-02-21 14:52
Reporter: gfi_spiess
Assigned To: (none)
Priority: high
Severity: minor
Status: confirmed
Resolution: open
Product Version: 3.17.x
Summary: 14972: Ampersand will be translated into "&amp"
Description

If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&amp”.
This problem does not exist for Super-Admin, only for regular users.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.5
I will donate to the project if issue is resolved: No
Sync to Zoho Project:
Browser: Mozilla Firefox
Database & DB-Version: MS SQL 2012 SP4
Server OS (if known): Red Hat Enterprise Linux Server Release 7.4
Webserver software & version (if known): Apache/2.4.6
PHP Version: PHP 5.4.16

Relationships

related to 14113 (feedback, cdorin): Ampersands are changed to &

Activities

gfi_spiess (reporter), 2019-06-14 08:33

Attachments: datenausgabe.jpg (13,321 bytes), Dateneingabe.jpg (23,250 bytes)

Mazi (partner), 2019-06-14 09:01, ~52411

Are you sure about the PHP version being used? According to https://manual.limesurvey.org/Installation_-_LimeSurvey_CE#Make_sure_you_can_use_LimeSurvey_on_your_website Limesurvey 3.x requires PHP 5.5 or later, you mentioned PHP v5.4.

Mazi (partner), 2019-06-14 09:03, ~52412

@DenisChenu, could this be related to the XSS filter?

DenisChenu (developer), 2019-06-14 09:13, ~52413

@Mazi : i don't know … try to deactivate XSS and check …

Mazi (partner), 2019-06-24 13:16, ~52497

@cdorin, FYI, this is an issue reported by one of our customers.

cdorin (manager), 2019-06-24 13:18, ~52498

Will also test it on multiple instances and assign it accordingly. Thanks for the tag

cdorin (manager), 2019-06-24 14:15, ~52501

It is related to the XSS filter. If disabled, everything is fine. If enabled, the "&amp" is displayed

DenisChenu (developer), 2019-06-27 18:02, ~52598

& is invalid in HTML …

DenisChenu (developer), 2019-06-27 18:03, ~52599

Question: maybe we can deactivate XSS protection on attribute values? Did someone find a reason why it's added?

Attributes can be shown in the survey, but like all user-entered values, if I don't make an error?

Must find why it was added, maybe there is a security reason …

Mazi (partner), 2019-08-21 13:55, ~53217

Any chance to get this finally fixed at the next release?

DenisChenu (developer), 2019-08-21 17:14, ~53220

Line applying XSS: https://github.com/LimeSurvey/LimeSurvey/blob/0479e3ff93ff1473a25c71e83cc011920b072b4c/application/models/Token.php#L358
blame/parent/browse/blame/parent/browse (because scrutinizer …)

Fixed here: https://github.com/LimeSurvey/LimeSurvey/commit/160b48a95f8bc5b9ac21d02c38720ac12092d9ce

Added here: https://github.com/LimeSurvey/LimeSurvey/commit/aeead563c66883cc97a3e861ab1ce4e7fded9b97

Then linked with https://bugs.limesurvey.org/view.php?id=9840

I assign it to Carsten: in my opinion XSS can be filtered on the way «out»: always encode token attributes in the view, but not on the way in (when saved)

Mazi (partner), 2019-09-02 16:19, ~53391

@c_schmitz
@cdorin
@eddylackmann
...sorry to bother you, but again I was asked by the customer when a fix can be expected. Any news?

ollehar (administrator), 2020-01-31 13:37, ~55583

> ...sorry to bother you, but again I was asked by the customer when a fix can be expected. Any news?

It is "fixed". Just disable the XSS filtering.

ollehar (administrator), 2020-01-31 13:38, ~55584

We can't have both XSS filtering and leaving ampersand as-is. I argue this is already fixed, since the customer's desired behaviour is achieved if XSS filtering is disabled.

Mazi (partner), 2020-01-31 14:59, ~55590

@ollehar, from my point of view there is not really a solution. This is a larger company with many LS users. Most of them are not super admins but need to be able to enter names with special characters like "&" at the participant screen.
What can they do if switching off XSS is no option for security reasons?

ollehar (administrator), 2020-01-31 15:20, ~55592

> What can they do if switching off XSS is no option for security reasons?

Can't have both the cake and eat it. :|

Maybe we can limit HTML escaping to '<' and '>'? If that would be enough to limit XSS.

ollehar (administrator), 2020-01-31 15:21, ~55593

Here's a thread about it: https://stackoverflow.com/questions/39214564/why-ampersand-should-be-escaped-because-of-xss-injection

Happy reading!

jelo (partner), 2020-01-31 15:51, ~55597

Escaping & is correct. But how is showing &amp as the content instead of & related to the stackoverflow article?
Escaping correctly doesn't result in showing & as &amp inside a web application.

The XSS filter is not used, and complaints about that "feature" are low. Most users are working with the XSS filter off. Most LimeSurvey installations have only 1-2 users, which mostly have a user role that never exposes them to the XSS filter.

Mazi (partner), 2020-02-07 13:10, ~55804

@ollehar, isn't this actually a matter of properly showing escaped "&" characters?
If not, can we try to exclude "&" from XSS?

Forgive my missing knowledge about the escaping details and the like. I only follow up on the customer's request, but it would be weird to not be able to enter "Olle & Team" as a token name or attribute detail.

ollehar (administrator), 2020-02-11 15:15, ~55865

@CDorin Can you put priority on this? Or discuss it with Carsten during sprint planning.

jelo (partner), 2020-02-11 15:34, ~55866

To proclaim that only superadmins can enter "&" into fields is a way, but how can anyone take that seriously?
I recommend activating the XSS filter for superadmins for one week in LimeSurvey. The amount of feedback will be big ;-)

The htmlfilter is removing &. Which should not be the case.

DenisChenu (developer), 2020-02-11 15:42, ~55867
Last edited: 2020-02-11 15:43

The html filter replaces & by & amp;. Because when you show it inside an html page it must be & amp; ...

The question is more: must firstname and lastname (and attributes) be HTML filtered?

But: with {FIRSTNAME} {LASTNAME}: possible XSS.

> I recommend activating the XSS filter for superadmins for one week in LimeSurvey. The amount of feedback will be big ;-)

I already have sample user access on some instance, and we can do a lot ....

Question: why exactly is it an issue? When do you really need & in lastname?

jelo (partner), 2020-02-11 15:54, ~55868

The "&" is part of many company names in Germany.
But I don't understand why a user has to explain why & should be a valid character for a Lastname field. Or any other field.
The developer has to explain why "&" cannot be used in the field. I hope the solution is not to add a company field (where & is allowed).

DenisChenu (developer), 2020-02-11 16:03, ~55870

Yes, and when a string with & is shown in HTML it's always & amp;

DenisChenu (developer), 2020-02-11 16:04, ~55871

My opinion : the only issue is

  • View in browse
  • Send by email text.

jelo (partner), 2020-02-11 16:53, ~55872

To sum up:
Ollehar: No issue, XSS works as intended.
DenisChenu: the only issue is "View in browse" / "Send by email text".

Correct, the issue hasn't changed since 2019-06-14.
Displaying the entered content (here &) everywhere like it was entered is the expected behavior.
And that is not working during browsing data, sending e-mail and perhaps when displaying the name inside the survey.
I don't have these issues, because I don't use the XSS filter at all. So it might work correctly in the survey.

DenisChenu (developer), 2020-02-11 17:13, ~55874

> perhaps when displaying the name inside the survey.

I think there are more potential issues without XSS when displaying in an HTML page (or an HTML email)

c_schmitz (administrator), 2020-02-12 11:58, ~55894

I don't see a way to fix this - even displaying it correctly is a problem.
Because we don't know who is sending the email or looking at the participants list - was it the XSS-filtered user who entered it in the first place or a superadmin? Is the ampersand supposed to be there or not, etc.

Maybe a solution for affected people would be to have the XSS filter as a user-based setting.

DenisChenu (developer), 2020-02-12 11:59, ~55895

> Maybe a solution for affected people would be to have the XSS filter as a user-based setting.

It cannot be a user setting: since it's a security setting, it must be a user rights setting.

jelo (partner), 2020-02-12 12:05, ~55896

@c_schmitz: Even displaying is a problem?
Someone is entering a company name into a field and saves it. That name contains "&" as part of the name.
And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

It's the same as here in Mantis. I type & into this note field.

DenisChenu (developer), 2020-02-12 12:05, ~55897

There are NO issues when sending email in HTML format
Neither in HTML view nor txt view

There are NO issues with {TOKEN:LASTNAME} usage

See the screenshots ...

DenisChenu (developer), 2020-02-12 12:08, ~55898

Only real issue : when sending email as text (Survey setting : Use HTML format for token emails: to NO)

c_schmitz (administrator), 2020-02-12 12:08, ~55899
Last edited: 2020-02-12 12:29

Another way to fix it would be to see participants data generally as unsafe. That would mean we would XSS-filter it always on output. In the administration this is already done. For the survey taking part this could be also done. It will just be a problem for people who store data with HTML in their participants fields and want to show it in the survey (it would be no problem for E-mails). Question is if users do that (I bet there are) and how many they are.

DenisChenu (developer), 2020-02-12 12:10, ~55900

@jelo

> And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

is totally false! Please test before writing something: in fact & NEEDS to be escaped to be displayed in HTML

See the screenshot at https://bugs.limesurvey.org/view.php?id=14972#c55897

c_schmitz (administrator), 2020-02-12 12:10, ~55901

Yes, I meant a user-based permission.

DenisChenu (developer), 2020-02-12 12:11, ~55902

> It will just be a problem for people who store data with HTML in their participants fields.

Why not, but if a user has XSS enabled: it must be filtered ......

The only issue is "Use HTML format for token emails: to NO"

c_schmitz (administrator), 2020-02-12 12:13, ~55903

> And to display that name correctly with escaped & in HTML is impossible for LimeSurvey?

Yes, it is. To show it you would have to HTML decode it first, which means that you could introduce XSS in the administration. This is not just about the ampersand here, but about all critical characters.

c_schmitz (administrator), 2020-02-12 12:33, ~55904
Last edited: 2020-02-12 12:44

Ok, so three measures here:

  • Implement XSS filter user permission
  • Change existing global permission to 'Force to Yes (Default), User-based, Force to No', while the old On/off will map to the Yes/no.
  • Remove XSS filter on input/import for participant data and generally filter participant data instead on output (survey taking) - no exceptions!

These are big changes, can only be implemented in 4.x.
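
To make the two policies discussed in this thread concrete (DenisChenu's "filter on the way out, not on the way in" in ~53220, and the third measure in ~55904), here is a small Python model added for this page. It is example code, not LimeSurvey code, and it uses only the standard `html` module. The `store`, `render_html`, `render_text` and `browser_shows` functions are hypothetical stand-ins for the participant table, the participant list or HTML email, the plain-text token email, and the browser's entity decoding; the sample values are constructed.

```python
import html

# Constructed sample values, not taken from the ticket's screenshots.
SAMPLE_COMPANY = "Miller & Sons Ltd"   # the ampersand case from the ticket
SAMPLE_MARKUP = "<b>Olle</b> & Team"   # a value that also carries HTML markup


def store(raw: str, filter_on_input: bool) -> str:
    """Model of what is written to the participant table.

    filter_on_input=True models the current behaviour for XSS-filtered users:
    the value is HTML-encoded before it is saved, so '&' is stored as '&amp;'.
    filter_on_input=False models the proposed behaviour: store the raw string.
    """
    return html.escape(raw, quote=True) if filter_on_input else raw


def render_html(stored: str) -> str:
    """Output encoding for an HTML context (participant list, HTML email).

    Applied unconditionally: the view does not need to know who saved the row.
    """
    return html.escape(stored, quote=True)


def render_text(stored: str) -> str:
    """Plain-text context (text token email, CSV export): no HTML encoding."""
    return stored


def browser_shows(fragment: str) -> str:
    """What the user reads once the browser decodes the entities in a fragment."""
    return html.unescape(fragment)


def outcomes(raw: str, filter_on_input: bool) -> dict:
    """Trace one value through storage and the two output contexts."""
    stored = store(raw, filter_on_input)
    fragment = render_html(stored)
    return {
        "stored": stored,
        "html_fragment": fragment,
        "user_sees_in_browser": browser_shows(fragment),
        "text_email": render_text(stored),
    }


def markup_neutralised(raw: str, filter_on_input: bool) -> bool:
    """True if no raw '<' or '>' reaches the HTML output for this value."""
    fragment = outcomes(raw, filter_on_input)["html_fragment"]
    return "<" not in fragment and ">" not in fragment


if __name__ == "__main__":
    for filter_on_input in (True, False):
        label = "filter on input" if filter_on_input else "encode on output"
        for raw in (SAMPLE_COMPANY, SAMPLE_MARKUP):
            print(f"[{label}] {raw!r}")
            for context, value in outcomes(raw, filter_on_input).items():
                print(f"    {context:>20}: {value!r}")
```

Tracing the sample company name through both policies reproduces the ticket's symptom under input-time filtering (the stored `&amp;` is encoded a second time for the list, so the browser shows `&amp;` literally, and the plain-text email carries `&amp;` as well), while encoding on output gives the right text in every context and still neutralises any markup in the stored value regardless of who entered it, which is the concern c_schmitz raises about not knowing whether the row came from an XSS-filtered user or a superadmin.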

DenisChenu (developer), 2020-02-12 12:37, ~55906

> filter participant data instead on output (survey taking)

Must be when sending html email too ....

jelo (partner), 2020-02-12 12:37, ~55907

  1. I currently trust the screenshots from the ticket starter. If you all tell me they are faked, fine.
  2. In the screenshot I see a &amp instead of a &. And you tell me that is like you want LimeSurvey to behave?
Attachments: datenausgabeModfied.jpg (13,839 bytes)

DenisChenu (developer), 2020-02-12 12:39, ~55908

It's only on the list ... This is not a real issue ...
And in this part : we must encode HTML else anybody can do anything with your account.

c_schmitz (administrator), 2020-02-12 12:45, ~55909
Last edited: 2020-02-12 12:46

> Must be when sending html email too ....

Sure, for HTML email it should also be automatically encoded.

c_schmitz (administrator), 2020-02-12 12:49, ~55910

@jelo The screenshots are not faked, but the problem is deeper than you currently seem to realize.

jelo (partner), 2020-02-12 13:09, ~55911

The funny thing is that my understanding or misunderstanding is not important.
The only important thing is the official reasoning of LimeSurvey for that behavior (Entering &, displaying &amp).

Now I read: "It's only on the list ... This is not a real issue."
The whole ticket is about the list displaying the entered text wrong.

The real issue might be implementing a ZeroTrust model inside LimeSurvey without making the user experience zero too.
I second your idea with user permission. Placing XSS-protection settings in the user permission profile is the shortcut solution.

c_schmitz (administrator), 2020-02-12 14:08, ~55912

@jelo Yes, and I understand your user story.
The measures I proposed above will completely take care of both user experience and security, so I am wondering why you keep implying that "that is like I want LimeSurvey to behave?"

jelo (partner), 2020-02-12 14:43, ~55915

c_schmitz: There are more participants in this ticket than you. If you read all the notes, the conclusion that it is intended behavior is not far fetched. To allow deactivating the XSS countermeasure to prevent showing &amp is not contradicting the intended behavior statement.

But as cdorin is the product owner and ticket owner, he will surely be able to sum it up after the next sprint.
And since it is a user story from a customer of Mazi, they need to be pleased. Not me, I don't use the participation list for mailings.

Thanks for your time.

DenisChenu (developer), 2020-02-12 15:17, ~55918

> Now I read: "It's only on the list ... This is not a real issue."
> The whole ticket is about the list displaying the entered text wrong.

This is for me @jelo, not for @c_schmitz or @cdorin or any LimeSurvey team.

And sorry: maybe the screenshot was about the list, but the text of the issue is

> 14972: Ampersand will be translated into "&amp"
> If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&amp”.
> This problem does not exist for Super-Admin, only for regular users.

It's not limited to the list in the description.

And in https://bugs.limesurvey.org/view.php?id=14972#c55867, I ask

> Question: why exactly is it an issue? When do you really need & in lastname?

You really need & decoded in the list? Really needed? No, I don't think ...

You really need to show "Your company are LimeSurvey & plugin" during the survey: OK, no issue here. Encoded 1 is OK....

c_schmitz (administrator), 2020-02-12 15:47, ~55923
Last edited: 2020-02-12 15:48

Anyway, discussion is finished. Solution is in 14972:55904

Issue History

Date Modified Username Field Change
2019-06-14 08:33 gfi_spiess New Issue
2019-06-14 08:33 gfi_spiess File Added: datenausgabe.jpg
2019-06-14 08:33 gfi_spiess File Added: Dateneingabe.jpg
2019-06-14 09:00 Mazi Product Version 3.12.x => 3.17.x
2019-06-14 09:01 Mazi Note Added: 52411
2019-06-14 09:03 Mazi Note Added: 52412
2019-06-14 09:13 DenisChenu Note Added: 52413
2019-06-24 13:16 Mazi Note Added: 52497
2019-06-24 13:18 cdorin Note Added: 52498
2019-06-24 14:15 cdorin Note Added: 52501
2019-06-27 17:46 cdorin Assigned To => dominikvitt
2019-06-27 17:46 cdorin Status new => assigned
2019-06-27 18:02 DenisChenu Note Added: 52598
2019-06-27 18:03 DenisChenu Note Added: 52599
2019-07-15 11:41 dominikvitt Assigned To dominikvitt => cdorin
2019-08-08 17:16 cdorin Assigned To cdorin => eddylackmann
2019-08-21 13:55 Mazi Note Added: 53217
2019-08-21 17:14 DenisChenu Note Added: 53220
2019-09-02 16:19 Mazi Note Added: 53391
2020-01-31 10:03 Mazi Relationship added related to 14113
2020-01-31 12:56 ollehar Priority none => high
2020-01-31 13:37 ollehar Note Added: 55583
2020-01-31 13:38 ollehar Note Added: 55584
2020-01-31 13:44 ollehar Status assigned => feedback
2020-01-31 14:59 Mazi Note Added: 55590
2020-01-31 15:20 ollehar Note Added: 55592
2020-01-31 15:21 ollehar Note Added: 55593
2020-01-31 15:51 jelo Note Added: 55597
2020-02-07 13:10 Mazi Note Added: 55804
2020-02-11 15:15 ollehar Note Added: 55865
2020-02-11 15:34 jelo Note Added: 55866
2020-02-11 15:42 DenisChenu Note Added: 55867
2020-02-11 15:43 DenisChenu Note Edited: 55867 View Revisions
2020-02-11 15:54 jelo Note Added: 55868
2020-02-11 16:03 DenisChenu Note Added: 55870
2020-02-11 16:04 DenisChenu File Added: Capture d’écran du 2020-02-11 16-01-45.png
2020-02-11 16:04 DenisChenu File Added: Capture d’écran du 2020-02-11 16-02-03.png
2020-02-11 16:04 DenisChenu Note Added: 55871
2020-02-11 16:53 jelo Note Added: 55872
2020-02-11 17:13 DenisChenu Note Added: 55874
2020-02-12 11:58 c_schmitz Note Added: 55894
2020-02-12 11:59 DenisChenu Note Added: 55895
2020-02-12 12:05 jelo Note Added: 55896
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-01-28.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-01-52.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-02-14.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-02-28.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-04-10.png
2020-02-12 12:05 DenisChenu File Added: Capture d’écran du 2020-02-12 12-04-44.png
2020-02-12 12:05 DenisChenu Note Added: 55897
2020-02-12 12:08 DenisChenu Note Added: 55898
2020-02-12 12:08 c_schmitz Note Added: 55899
2020-02-12 12:10 DenisChenu Note Added: 55900
2020-02-12 12:10 c_schmitz Note Added: 55901
2020-02-12 12:11 DenisChenu Note Added: 55902
2020-02-12 12:13 c_schmitz Note Added: 55903
2020-02-12 12:29 c_schmitz Note Edited: 55899 View Revisions
2020-02-12 12:33 c_schmitz Note Added: 55904
2020-02-12 12:34 c_schmitz Assigned To eddylackmann => cdorin
2020-02-12 12:34 c_schmitz Status feedback => confirmed
2020-02-12 12:36 c_schmitz Note Edited: 55904 View Revisions
2020-02-12 12:36 c_schmitz Note Edited: 55904 View Revisions
2020-02-12 12:37 DenisChenu Note Added: 55906
2020-02-12 12:37 jelo File Added: datenausgabeModfied.jpg
2020-02-12 12:37 jelo Note Added: 55907
2020-02-12 12:39 DenisChenu Note Added: 55908
2020-02-12 12:44 c_schmitz Note Edited: 55904 View Revisions
2020-02-12 12:45 c_schmitz Note Added: 55909
2020-02-12 12:46 c_schmitz Note Edited: 55909 View Revisions
2020-02-12 12:49 c_schmitz Note Added: 55910
2020-02-12 13:09 jelo Note Added: 55911
2020-02-12 14:08 c_schmitz Note Added: 55912
2020-02-12 14:43 jelo Note Added: 55915
2020-02-12 15:17 DenisChenu Note Added: 55918
2020-02-12 15:47 c_schmitz Note Added: 55923
2020-02-12 15:48 c_schmitz Note Edited: 55923 View Revisions
2020-02-21 14:52 cdorin Assigned To cdorin =>