| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 15690 | Bug reports | Security | public | 2019-12-30 18:40 | 2020-02-03 14:53 |
| Reporter | DenisChenu | Assigned To | DenisChenu | ||
| Priority | none | Severity | partial_block | ||
| Status | closed | Resolution | fixed | ||
| Product Version | 4.0.0-RC13 | ||||
| Summary | 15690: User with XSS enable can add/update scripts | ||||
| Description | User with XSS enable can add script | ||||
| Steps To Reproduce | Create an non super admin user, create a survey Try | ||||
| Additional Information | This need to be checked This need to be fixed in import, with remote control etc … @cdrorin : after checking : you can assign it to me if this feature is OK too : https://bugs.limesurvey.org/view.php?id=15096#c54731 | ||||
| Tags | No tags attached. | ||||
| Bug heat | 256 | ||||
| Complete LimeSurvey version number (& build) | 4.0.0-RC13 | ||||
| I will donate to the project if issue is resolved | No | ||||
| Browser | not relevant | ||||
| Database type & version | not relevant | ||||
| Server OS (if known) | not relevant | ||||
| Webserver software & version (if known) | not relevant | ||||
| PHP Version | not relevant | ||||
 |
|
 |
How do I edit question->script? |
|
|
Found, setting in profile. |
|
|
Am I supposed to be able to run "alert('XSS')" in the admin interface via the script text field? |
|
|
This bug report is not idiot safe :( |
|
|
LimeSurvey dev are not idiot |
|
|
I've just proven you wrong. XD Why is alert("XSS"); a problem? It's not run anywhere in the admin interface, at least not as I can tell. |
|
|
Same for Cross-site-scripting in question text : the objective is to disable to add suspicous HTML inside public survey https://manual.limesurvey.org/Optional_settings#Security
If you want to disable XSS in question text => you want to totally disable user to add any script : it's not only my opinion (have client). Even superadmin must not be allowed top add XSS in admin. See https://github.com/LimeSurvey/LimeSurvey/commit/323c6f2f0bfdd6eb1c6fe7dea16b2af503806d2a#diff-813c0e5c1b7f9c5b0239989343f8f282 for example. |
|
|
OK, thanks for the info. |
|
|
Fix pushed to branch bug/15690-user-with-xss-filter-enabled-can-add-script. Please review. |
|
|
because alredy fixed in https://github.com/LimeSurvey/LimeSurvey/pull/1358 |
|
|
xss filtering must be moved to LSUser because related to user. I prefer usage of beforeSave than a rules. If it's a rules :
|
|
|
@ollehar : OK for before save ? We can not create a LSYii_NoChangeValidator : because Validator get only : attribute and value but not the model. And we need model. |
|
|
|
|
|
You can send the model as an argument to the validator. |
|
|
The validator also has $object, from which you can use get_class(). |
|
|
Not saying using validator is the best way, just saying it's probably possible. |
|
|
I create a global solution, working for script but surely for other LSYii_NoUpdateValidator.php |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29355 |
 |
Fixed in Release 4.0.0+200116 |
