View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
16853Bug reportsSurvey participants (Tokens)public2020-11-23 12:222022-01-19 09:20
ReporterDenisChenu Assigned ToDenisChenu  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version3.25.0 
Fixed in Version3.25.6 
Summary16853: Inconsistent filter behaviour when create token
Description

There are a complete inconsistent behavior on token filter in firstname, lastname and attribute

Sometime : allow tag, sometimes not

Steps To Reproduce

As super admin

  1. Via CPDB : tag is allowed in CPDB, when assign user to survey : no filter (or model rules)
    1. Create user with : Last name: <em>em</em> Via CPDB <strong>strong</strong> for firstname
    2. Add participant to survey
    3. Check participant list
  2. Via register
    1. Launch survey
    2. Add participant to survey Last name: <em>em</em> Via register <strong>strong</strong> for firstname
    3. Check participant list
  3. Via import
    1. Import tokens_641657.csv
    2. Check participant list

And now : edit any of this participant : all tag was deleted ....

Additional Information

The issue :

  1. Usage of flattenTex in GUI : https://github.com/LimeSurvey/LimeSurvey/blob/0d467f9db35e4279614a001e2142a8f91f97b94e/application/controllers/admin/tokens.php#L544
  2. Usage of LSYii_Validators in model

My proposed solution : use only model->rules.

Without XSS system : always clean up HTML with HtmlPurifier or a complete flat way.

If complete flat : need a javascript validation or an HTML5 validation : no filter without inform.

LSA attached to see

TagsNo tags attached.
Bug heat6
Complete LimeSurvey version number (& build)3.25.0 git
I will donate to the project if issue is resolvedNo
Browsernot relevant ?
Database type & versionnot relevant?
Server OS (if known)not relevant ?
Webserver software & version (if known)not relevant ?
PHP Versionnot relevant ?

Relationships

Relationship GraphDependency Graph
parent of 17840 closedgabrieljenik Participant attribute with html LS 5.2.9 

Users monitoring this issue

User List There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2020-11-23 12:22

developer  

survey_archive_641657.lsa (5,103 bytes)
tokens_641657.csv (102 bytes)    
firstname,lastname,email
Via import <strong>strong</strong>,Last name: <em>em</em>,import@example.org
tokens_641657.csv (102 bytes)   
Capture d’écran du 2020-11-23 11-58-33.png (17,647 bytes)   
Capture d’écran du 2020-11-23 11-58-33.png (17,647 bytes)   
Capture d’écran du 2020-11-23 11-58-46.png (23,671 bytes)   
Capture d’écran du 2020-11-23 11-58-46.png (23,671 bytes)   
Capture d’écran du 2020-11-23 12-22-17.png (48,944 bytes)   
Capture d’écran du 2020-11-23 12-22-17.png (48,944 bytes)   
DenisChenu

DenisChenu

2020-11-23 14:46

developer   ~60738

About removing all tags : https://gfycat.com/fr/slimyvalidjavalina
DenisChenu

DenisChenu

2020-11-24 19:17

developer   ~60751

I think i prefer disallow tag and XSS for all user.
DenisChenu

DenisChenu

2021-01-13 17:47

developer   ~61535

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=30847
DenisChenu

DenisChenu

2021-01-14 19:11

developer   ~61550

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=30849
gabrieljenik

gabrieljenik

2021-01-15 19:05

manager   ~61564

Last edited: 2021-01-15 19:05

Added a PR https://github.com/LimeSurvey/LimeSurvey/pull/1721/files
Seems something was wrong
Not sure I made it right. I just removed some 500 errors
DenisChenu

DenisChenu

2021-01-16 10:47

developer   ~61567

Arg … i cherry-pick … i check again master
lime_release_bot

lime_release_bot

2021-01-18 11:05

administrator   ~61578

Fixed in Release 3.25.8+210118
DenisChenu

DenisChenu

2021-01-21 13:36

developer   ~61624

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=30907

Related Changesets

LimeSurvey: 3.x-LTS c12c9d46

2021-01-13 17:47:27

DenisChenu


Committer: GitHub Details Diff 		Fixed issue 16853: Inconsistent filter behaviour when create token (#1666)

Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute		 Affected Issues
16853
mod - application/controllers/admin/tokens.php Diff File
mod - application/models/Token.php Diff File
mod - application/models/TokenDynamic.php Diff File

LimeSurvey: master af64ca0c

2021-01-14 19:11:21

DenisChenu

Details Diff 		Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php		 Affected Issues
16853
mod - application/controllers/admin/tokens.php Diff File
mod - application/models/Token.php Diff File
mod - application/models/TokenDynamic.php Diff File

LimeSurvey: master e3c517f6

2021-01-14 19:14:17

DenisChenu

Details Diff 		Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php

# Conflicts:
# application/controllers/admin/tokens.php		 Affected Issues
16853
mod - application/controllers/admin/tokens.php Diff File
mod - application/models/Token.php Diff File
mod - application/models/TokenDynamic.php Diff File

Issue History

Date Modified Username Field Change
2020-11-23 12:22 DenisChenu New Issue
2020-11-23 12:22 DenisChenu File Added: survey_archive_641657.lsa
2020-11-23 12:22 DenisChenu File Added: tokens_641657.csv
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 11-58-33.png
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 11-58-46.png
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 12-22-17.png
2020-11-23 14:40 ollehar Product Version => 3.25.0
2020-11-23 14:46 DenisChenu Note Added: 60738
2020-11-24 18:11 DenisChenu Assigned To => DenisChenu
2020-11-24 18:11 DenisChenu Status new => assigned
2020-11-24 19:17 DenisChenu Assigned To DenisChenu => cdorin
2020-11-24 19:17 DenisChenu Status assigned => testing
2020-11-24 19:17 DenisChenu Note Added: 60751
2021-01-13 17:47 DenisChenu Changeset attached => LimeSurvey 3.x-LTS c12c9d46
2021-01-13 17:47 DenisChenu Note Added: 61535
2021-01-13 17:47 DenisChenu Assigned To cdorin => DenisChenu
2021-01-13 17:47 DenisChenu Resolution open => fixed
2021-01-14 19:11 DenisChenu Changeset attached => LimeSurvey master af64ca0c
2021-01-14 19:11 DenisChenu Note Added: 61550
2021-01-14 19:15 DenisChenu Status testing => resolved
2021-01-14 19:15 DenisChenu Fixed in Version => 3.25.6
2021-01-15 19:05 gabrieljenik Note Added: 61564
2021-01-15 19:05 gabrieljenik Note Edited: 61564
2021-01-16 10:47 DenisChenu Note Added: 61567
2021-01-18 11:05 lime_release_bot Note Added: 61578
2021-01-18 11:05 lime_release_bot Status resolved => closed
2021-01-21 13:36 DenisChenu Changeset attached => LimeSurvey master e3c517f6
2021-01-21 13:36 DenisChenu Note Added: 61624
2022-01-19 09:20 DenisChenu Relationship added parent of 17840