 |
tokens_641657.csv (102 bytes) Capture d’écran du 2020-11-23 11-58-33.png (17,647 bytes) Capture d’écran du 2020-11-23 11-58-46.png (23,671 bytes) Capture d’écran du 2020-11-23 12-22-17.png (48,944 bytes) |
|
|
About removing all tags : https://gfycat.com/fr/slimyvalidjavalina |
|
|
I think i prefer disallow tag and XSS for all user. |
|
|
Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30847 |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30849 |
 |
Added a PR https://github.com/LimeSurvey/LimeSurvey/pull/1721/files |
|
|
Arg … i cherry-pick … i check again master |
 |
Fixed in Release 3.25.8+210118 |
|
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30907 |
 |
Why would a superadmin not be allowed to use tags in token atributes? Can we please fix that so it is allowed, at least for the custom attributes. |
|
|
We have a discussion about this … maybe on zoho ? Because it was , before the update : disallowed totally. The alternate commit … |
|
|
PS : see https://bugs.limesurvey.org/view.php?id=16884 … |
|
|
The scenario would only be for superadmins, nobody else. |
|
|
Why superadmin ? |
|
|
Any admin can use email send to add bad value. We must avoid it for registering only. |
|
|
PS : since this commit i use bbcode when i need tag in attribute s⋅… |
|
|
master : https://github.com/LimeSurvey/LimeSurvey/pull/2627 |
|
|
Got lost here. I guess html entities should be encoded on the DB, right? |
|
|
No… 1st issue : if you import CSV : no filter was done (you can save <script>alert("XSS")</script>, but when you edit you loose all HTML tag. When user register he can add HTML tag, but when edit via GUI : deleted. But Carsten reopen issue because need to allow tag for admin user
|
|
|
What does it mean to |
|
|
tag : HTML tag, i don't understand what is your problem here ? Tag :
Yes, but must disallow XSS for simple admin.
We Always ALLOW html tag for question text or help … |
|
|
https://manual.limesurvey.org/Global_settings/en#Security |
|
|
But yes : HTML tag allowed … for simple user in token attributes. Tag != XSS I really don't understand here … |
|
|
You are right sorry. <script> tags are filtered! My bad. |
|
|
;) Maybe more clear like this :
|
|
|
Why disallow HTML for admin ? It's already merged in 3.X … And see : https://github.com/LimeSurvey/LimeSurvey/pull/2627#pullrequestreview-1121944581 for master … |
|
|
And https://github.com/LimeSurvey/LimeSurvey/pull/2627/files#r981147912 |
|
|
My mistake |
|
|
Should this also apply for participants added directly to the survey (not through CPDB?) ? |
|
|
Also, when participants are transferred from the CPDB to the survey, the tags are filtered. |
|
|
I check with remote_co,ntrol : it work without any issue
No : it's OK … See screencast … |
|
|
|
|
|
This is the test case run:
OH, ok. I was testing on the first name and last name as that was on the reproduction steps. |
|
|
No : original issue was about whole : fitsname/lastname/attrute_X was not filtered when register, but only when edit via GUI. But @c_schmitz reopen the issue to allow superadmin to add tag on attributes : then it's the new PR … |
|
|
OK, I was trying to collaborate with the testing, but not sure I can add a lot more here. Just to clarify, after my testing the participant on the CPDB and the participant on the survey had different first_name and last name. That was not expected (at least not by me :) ). |
|
|
Clearly another issue … Must chek too if CPDB allow XSS for simple admin. But : clearly : another issue to report … |
|
|
Both PRs were merged now. |
- Anonymous
