View Issue Details

ID: 16208
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2020-05-06 13:07
Reporter: nicolasgoudard
Assigned To: DenisChenu
Priority: urgent
Severity: crash
Status: resolved
Resolution: fixed
Product Version: 4.2.0
Fixed in Version: 4.2.2
Summary: 16208: serious escape bug in Multiple choice with comments (P)
Description

Hello. I want to report a bug in Limesurvey Version 4.2.0+200422.

In the field type "Multiple choice with comments (P)" there is a serious bug.
When a user types a single quote in the comments field, all characters after the quote are lost and not registered in the database!
It is an escape problem.

Best regards

Steps To Reproduce

Add field type "Multiple choice with comments (P)"
Execute the survey
Fill the comment field including a simple quote
Check the results in the database

Tags: answers, data types, error!, escapes, quote, subquestion
Complete LimeSurvey version number (& build): Limesurvey Version 4.2.0+200422
I will donate to the project if issue is resolved: No
Browser: all
Database & DB-Version: Mariadb
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7

Activities

ollehar

2020-04-30 10:25

administrator   ~57485

This should be solved, and needs a regression test as well.

nicolasgoudard

2020-04-30 11:31

reporter   ~57489

It fails only when the user updates his own survey and introduces a quote while updating the comment. For new answers (insert) there is no bug.

ollehar

2020-04-30 14:29

administrator   ~57495

Ah.

DenisChenu

2020-04-30 14:33

developer   ~57497

@nicolasgoudard: only when reloading by token? Or with move previous/move next too?

DenisChenu

2020-04-30 14:34

developer   ~57498

@ollehar: I'll take a look; I'll assign it to myself (or not) before the end of this afternoon.

DenisChenu

2020-04-30 18:37

developer   ~57507

OK: must question encoding be done by Twig or by code?

My opinion: by Twig, never by code.

nicolasgoudard

2020-04-30 18:48

reporter   ~57508

I have checked again: actually, the bug happens when selecting from the database before display, not on insert or update.
Scenario: when reloading by token (clicking on the link received by email), the string is not properly escaped before being displayed (the characters after the quote are missing, including the quote), so when you move previous or next, the string in the database is no longer correct after the update.
Sorry if I do not speak English well; I hope you understand what I mean.

DenisChenu

2020-04-30 18:52

developer   ~57509

Then: https://github.com/LimeSurvey/LimeSurvey/pull/1414

Needs Dev discussion (in my opinion) and needs to be documented for Question Theme devs.

@tparner: Maybe you have an opinion? Value encoded or not?

DenisChenu

2020-04-30 19:45

developer   ~57510

@nicolasgoudard: no need for reloading :)

Previous does the trick.

Peek 30-04-2020 19-44.gif (124,982 bytes)
DenisChenu

2020-05-06 12:59

developer   ~57576

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29960

cdorin

2020-05-06 13:04

manager   ~57577

Thank you, Denis!

DenisChenu

2020-05-06 13:07

developer   ~57578

Cannot update https://manualv4.limesurvey.org/Question_themes about encoded text.

DenisChenu

2020-05-06 13:07

developer   ~57579

@cdorin: can you check the manual?

DenisChenu

2020-05-06 13:07

developer   ~57580

Dev: don't fix the param for previous questiontheme compatibility

Related Changesets

LimeSurvey: master c66766fc

2020-05-06 12:58:58

DenisChenu

Fixed issue 16208: escape in Multiple choice with comments
Dev: Encode in renderClass
Dev: don't fix the param for previous questiontheme compatibility
Dev: CHtml::encode is htmlspecialchars($dispVal, ENT_QUOTES,Yii::app()->charset)
Dev: then good replacer
Affected Issues
16208
mod - application/core/QuestionTypes/MultipleChoiceWithComments/RenderMultipleChoiceWithComments.php
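
The failure mode discussed in this issue, as an added example (not LimeSurvey's code): it assumes the stored comment is written into a single-quoted value attribute, and the helper names renderCommentInput and valuePostedBack are hypothetical. It renders the field with and without htmlspecialchars(..., ENT_QUOTES, ...), the call named in the changeset, then parses the markup back with PHP's DOM extension to show what the form would resubmit on "previous"/"next".

```php
<?php
// Added illustration, not LimeSurvey code. The single-quoted value attribute
// and both helper names are assumptions made for this example.

/** Render the comment field; $encode toggles the htmlspecialchars() call. */
function renderCommentInput(string $stored, bool $encode): string
{
    $value = $encode ? htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') : $stored;
    return "<input type='text' name='comment' value='" . $value . "'>";
}

/** Parse the markup as an HTML parser would and return the value the form would post back. */
function valuePostedBack(string $html): string
{
    $previous = libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $input = $doc->getElementsByTagName('input')->item(0);
    return $input->getAttribute('value');
}

// Constructed sample answer containing a single quote.
$stored = "It's too slow";

foreach ([false, true] as $encode) {
    $html = renderCommentInput($stored, $encode);
    $back = valuePostedBack($html);

    printf(
        "%-8s %s\n         posted back: %s (%s)\n",
        $encode ? 'encoded' : 'raw',
        $html,
        var_export($back, true),
        $back === $stored
            ? 'round-trips unchanged'
            : 'truncated; the next save overwrites the stored answer'
    );
}
```

A regression test for this issue can assert the same round-trip property: for any stored answer containing ' or ", the value parsed out of the rendered field equals the stored string.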

Issue History

Date Modified Username Field Change
2020-04-29 21:59 nicolasgoudard New Issue
2020-04-29 22:09 nicolasgoudard Tag Attached: quote
2020-04-29 22:09 nicolasgoudard Tag Attached: escapes
2020-04-29 22:09 nicolasgoudard Tag Attached: error!
2020-04-29 22:09 nicolasgoudard Tag Attached: data types
2020-04-29 22:09 nicolasgoudard Tag Attached: answers
2020-04-29 22:09 nicolasgoudard Tag Attached: subquestion
2020-04-30 10:24 ollehar Priority none => urgent
2020-04-30 10:24 ollehar Severity partial_block => crash
2020-04-30 10:25 ollehar Note Added: 57485
2020-04-30 11:31 nicolasgoudard Note Added: 57489
2020-04-30 14:29 ollehar Note Added: 57495
2020-04-30 14:33 DenisChenu Note Added: 57497
2020-04-30 14:34 DenisChenu Note Added: 57498
2020-04-30 18:37 DenisChenu Note Added: 57507
2020-04-30 18:48 nicolasgoudard Note Added: 57508
2020-04-30 18:52 DenisChenu Note Added: 57509
2020-04-30 19:45 DenisChenu Note Added: 57510
2020-04-30 19:45 DenisChenu File Added: Peek 30-04-2020 19-44.gif
2020-04-30 19:45 DenisChenu File Added: limesurvey_survey_multipleWithComment.lss
2020-05-06 12:59 DenisChenu Changeset attached => LimeSurvey master c66766fc
2020-05-06 12:59 DenisChenu Note Added: 57576
2020-05-06 12:59 DenisChenu Assigned To => DenisChenu
2020-05-06 12:59 DenisChenu Resolution open => fixed
2020-05-06 13:04 DenisChenu Status new => resolved
2020-05-06 13:04 DenisChenu Fixed in Version => 4.2.2
2020-05-06 13:04 cdorin Note Added: 57577
2020-05-06 13:07 DenisChenu Note Added: 57578
2020-05-06 13:07 DenisChenu Note Added: 57579
2020-05-06 13:07 DenisChenu Note Added: 57580