View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 16649 | Feature requests | Security | public | 2020-09-09 15:56 | 2021-03-08 23:11 | 
| Reporter | gabrieljenik | Assigned To | gabrieljenik | ||
| Priority | none | Severity | feature | ||
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 3.0 | ||||
| Summary | 16649: enable video in spite of active xss filtering - LSv4 | ||||
| Description | Dear LS-Developer, xss filtering is mandatory for us, but videos (self uploaded - YouTube is a no-go) in questions and help texts are the most requested feature at our organization. LimeSurvey uses HtmlPurifier for xss filtering via yii-framework and the wrapper class CHtmlPurifier.php. Unfortunately the wrapper class uses the old way to configure HtmlPurifier via an array. To enable the video tag (HTML5) we must use the config-object of HtmlPurifier. The trick is: 
 My approach was to change classes from the yii-framework only minimally and add the maximum changes to the core code of LimeSurvey. I tried to add a branch "xss_enable_video" to LimeSurvey/LimeSurvey to create a pull request afterwards, but $ git push --set-upstream origin xss_enable_video Hope you can think about it and maybe integrate it in LimeSurvey. Best wishes .. Iver | ||||
| Additional Information | development infrastructure: 
 Clone of 12560 | ||||
| Tags | No tags attached. | ||||
| Attached Files | |||||
| Bug heat | 264 | ||||
| Story point estimate | |||||
| Users affected % | |||||
| Hi, you can't directly branch in our repo. Usually, you would clone the LimeSurvey repo, make the change and then do a PR. | |
| ? | |
| Yeah, I am currently busy. Try it in the next 2 weeks. | |
| Has any progress been made on this? We are running into the same issue. We have disabled xss filtering for now, but it's not ideal. | |
| @c_schmitz, we just had the exact same support request at LimeSurvey IRC, you helped that user a few days ago. Any way to improve this at LS 4? | |
| Unfortunately, it still does not work - not sure if I am doing something wrong. Gabriel, can you please double check the PR? | |
| Have just done a full retest. Please find attached the sample survey and the file. | |
| Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30726 | |
| LimeSurvey: master 95491ea3 2020-11-13 16:28 Committer: GitHub | New feature 16649: enable video in spite of active xss filtering (#1591) | Affected Issues 16649 | |
| add - application/core/LSYii_HtmlPurifier.php | ||
| mod - application/core/LSYii_Validators.php | ||
| mod - framework/web/widgets/CHtmlPurifier.php | ||
| Date Modified | Username | Field | Change | 
|---|---|---|---|
| 2020-09-09 15:56 | gabrieljenik | New Issue | |
| 2020-09-09 15:56 | gabrieljenik | Status | new => assigned | 
| 2020-09-09 15:56 | gabrieljenik | Assigned To | => gabrieljenik | 
| 2020-09-09 15:56 | gabrieljenik | Issue generated from: 12560 | |
| 2020-09-09 15:56 | gabrieljenik | Note Added: 59753 | |
| 2020-09-09 15:56 | gabrieljenik | Note Added: 59754 | |
| 2020-09-09 15:56 | gabrieljenik | Note Added: 59755 | |
| 2020-09-09 15:56 | gabrieljenik | Note Added: 59756 | |
| 2020-09-09 15:56 | gabrieljenik | Note Added: 59757 | |
| 2020-09-09 15:56 | gabrieljenik | Relationship added | related to 12560 | 
| 2020-09-15 01:40 | gabrieljenik | Note Added: 59800 | |
| 2020-09-19 18:29 | cdorin | Note Added: 59884 | |
| 2020-09-21 15:40 | gabrieljenik | Note Added: 59906 | |
| 2020-09-21 15:42 | gabrieljenik | Note Added: 59908 | |
| 2020-09-21 15:42 | gabrieljenik | File Added: limesurvey_survey_126815.lss | |
| 2020-09-21 15:42 | gabrieljenik | File Added: mov_bbb.mp4 | |
| 2020-09-23 18:39 | arnaudj | Issue Monitored: arnaudj | |
| 2020-11-13 15:29 | gabrieljenik | Changeset attached | => LimeSurvey master 95491ea3 | 
| 2020-11-13 15:29 | gabrieljenik | Note Added: 60637 | |
| 2020-11-13 15:29 | gabrieljenik | Resolution | open => fixed | 
| 2021-03-08 23:11 | c_schmitz | Status | assigned => closed | 
| 2021-03-08 23:11 | c_schmitz | Fixed in Version | => 3.0 | 
| 2021-08-02 17:09 | guest | Bug heat | 262 => 264 | 





