View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
16853 | Bug reports | Survey participants (Tokens) | public | 2020-11-23 12:22 | 2021-01-21 13:36 |
Field | Value |
---|---|
Reporter | DenisChenu |
Assigned To | DenisChenu |
Priority | none |
Severity | minor |
Status | closed |
Resolution | fixed |
Product Version | 3.25.0 |
Fixed in Version | 3.25.6 |
Summary | 16853: Inconsistent filter behaviour when create token |
Description | There is a completely inconsistent behavior of the token filter on firstname, lastname and attributes. Sometimes tags are allowed, sometimes not. |
Steps To Reproduce | As super admin |
 | And now: edit any of these participants: all tags were deleted .... |
Additional Information | The issue: |
 | My proposed solution: use only model->rules. Without an XSS system: always clean up HTML with HtmlPurifier, or in a completely flat way. If completely flat: need a JavaScript validation or an HTML5 validation: no filtering without informing. LSA attached to see. |
Tags | No tags attached. |
Complete LimeSurvey version number (& build) | 3.25.0 git |
I will donate to the project if issue is resolved | No |
Sync to Zoho Project | |
Browser | not relevant? |
Database & DB-Version | not relevant? |
Server OS (if known) | not relevant? |
Webserver software & version (if known) | not relevant? |
PHP Version | not relevant? |

Attached file tokens_641657.csv (102 bytes):

```csv
firstname,lastname,email
Via import <strong>strong</strong>,Last name: <em>em</em>,import@example.org
```
About removing all tags: https://gfycat.com/fr/slimyvalidjavalina

I think I prefer to disallow tags and XSS for all users.

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30847

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30849

Added a PR https://github.com/LimeSurvey/LimeSurvey/pull/1721/files

Arg … I cherry-pick … I check master again

Fixed in Release 3.25.8+210118

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30907
LimeSurvey: 3.x-LTS c12c9d46 2021-01-13 17:47:27 Committer: GitHub

Fixed issue 16853: Inconsistent filter behaviour when create token (#1666)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute

Affected Issues: 16853

mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php

LimeSurvey: master af64ca0c 2021-01-14 19:11:21

Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php

Affected Issues: 16853

mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php

LimeSurvey: master e3c517f6 2021-01-14 19:14:17

Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php
# Conflicts:
# application/controllers/admin/tokens.php

Affected Issues: 16853

mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php
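The commit messages above describe the fix as moving the filtering out of the controller and into the model rules, so that every write path is filtered the same way. The following is an added illustration of that design, not code from LimeSurvey: a hypothetical `TokenRecord` model whose import and edit paths share one flattening rule, run over the sample row from the attached CSV. `flattenField`, `TokenRecord` and `attribute_1` are assumed names, and `flattenField` is not LimeSurvey's `flattenText`.

```php
<?php
// Added illustration, not LimeSurvey's own code: one sanitizer in the model
// layer, so the CSV import and the edit form cannot disagree on filtering.

// "Complete flat" filter: strip every tag so the stored value is plain text.
// The fix uses filter_var() with FILTER_SANITIZE_STRING, which is similar but
// deprecated since PHP 8.1, so strip_tags() is used here instead.
function flattenField(string $value): string
{
    return trim(strip_tags($value));
}

// Hypothetical minimal token model: every write path ends in sanitize(), so
// the model rule is the only place where filtering happens.
final class TokenRecord
{
    private const CORE_FIELDS = ['firstname', 'lastname', 'email'];
    private array $values = [];

    public function __construct(array $row, array $attributeNames = [])
    {
        foreach (array_merge(self::CORE_FIELDS, $attributeNames) as $field) {
            $this->values[$field] = (string) ($row[$field] ?? '');
        }
        $this->sanitize(); // import path
    }

    // Edit path: merge only known fields, then run exactly the same rule.
    public function update(array $changes): void
    {
        $this->values = array_replace($this->values, array_intersect_key($changes, $this->values));
        $this->sanitize();
    }

    // Rule: email is kept verbatim; firstname, lastname and attributes are flattened.
    private function sanitize(): void
    {
        foreach ($this->values as $field => $value) {
            $this->values[$field] = $field === 'email' ? $value : flattenField($value);
        }
    }
    public function toArray(): array { return $this->values; }
}

// Constructed sample row, copied from the CSV attached to the report.
$token = new TokenRecord(['firstname' => 'Via import <strong>strong</strong>',
    'lastname' => 'Last name: <em>em</em>', 'email' => 'import@example.org',
    'attribute_1' => '<b>Paris</b>'], ['attribute_1']);
$token->update(['lastname' => 'Edited <em>again</em>']);
print_r($token->toArray());
```

Both the imported row and the later edit come out with the tags removed, which is the consistent behaviour the report asks for; the email field is left to its own validator rather than being flattened.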
Date Modified | Username | Field | Change |
---|---|---|---|
2020-11-23 12:22 | DenisChenu | New Issue | |
2020-11-23 12:22 | DenisChenu | File Added: survey_archive_641657.lsa | |
2020-11-23 12:22 | DenisChenu | File Added: tokens_641657.csv | |
2020-11-23 12:22 | DenisChenu | File Added: Capture d’écran du 2020-11-23 11-58-33.png | |
2020-11-23 12:22 | DenisChenu | File Added: Capture d’écran du 2020-11-23 11-58-46.png | |
2020-11-23 12:22 | DenisChenu | File Added: Capture d’écran du 2020-11-23 12-22-17.png | |
2020-11-23 14:40 | ollehar | Product Version | => 3.25.0 |
2020-11-23 14:46 | DenisChenu | Note Added: 60738 | |
2020-11-24 18:11 | DenisChenu | Assigned To | => DenisChenu |
2020-11-24 18:11 | DenisChenu | Status | new => assigned |
2020-11-24 19:17 | DenisChenu | Assigned To | DenisChenu => cdorin |
2020-11-24 19:17 | DenisChenu | Status | assigned => testing |
2020-11-24 19:17 | DenisChenu | Note Added: 60751 | |
2021-01-13 17:47 | DenisChenu | Changeset attached | => LimeSurvey 3.x-LTS c12c9d46 |
2021-01-13 17:47 | DenisChenu | Note Added: 61535 | |
2021-01-13 17:47 | DenisChenu | Assigned To | cdorin => DenisChenu |
2021-01-13 17:47 | DenisChenu | Resolution | open => fixed |
2021-01-14 19:11 | DenisChenu | Changeset attached | => LimeSurvey master af64ca0c |
2021-01-14 19:11 | DenisChenu | Note Added: 61550 | |
2021-01-14 19:15 | DenisChenu | Status | testing => resolved |
2021-01-14 19:15 | DenisChenu | Fixed in Version | => 3.25.6 |
2021-01-15 19:05 | gabrieljenik | Note Added: 61564 | |
2021-01-15 19:05 | gabrieljenik | Note Edited: 61564 | View Revisions |
2021-01-16 10:47 | DenisChenu | Note Added: 61567 | |
2021-01-18 11:05 | lime_release_bot | Note Added: 61578 | |
2021-01-18 11:05 | lime_release_bot | Status | resolved => closed |
2021-01-21 13:36 | DenisChenu | Changeset attached | => LimeSurvey master e3c517f6 |
2021-01-21 13:36 | DenisChenu | Note Added: 61624 | |