View Issue Details

ID: 16853
Project: Bug reports
Category: Survey participants (Tokens)
View Status: public
Last Update: 2021-01-21 13:36
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.25.0
Fixed in Version: 3.25.6
Summary: 16853: Inconsistent filter behaviour when create token
Description: There is a completely inconsistent behaviour in the token filter for firstname, lastname and attributes.

Sometimes tags are allowed, sometimes not.
Steps To Reproduce: As super admin

1. Via CPDB: tags are allowed in CPDB; when assigning the user to a survey there is no filter (or model rules)
     1. Create a user with `Last name: em` and `Via CPDB strong` for firstname
     2. Add the participant to the survey
     3. Check the participant list
2. Via register
     1. Launch the survey
     2. Add a participant to the survey with `Last name: em` and `Via register strong` for firstname
     3. Check the participant list
3. Via import
     1. Import tokens_641657.csv
     2. Check the participant list

And now: edit any of these participants: all tags are deleted.
Additional Information: The issue:
1. Usage of flattenText in the GUI: https://github.com/LimeSurvey/LimeSurvey/blob/0d467f9db35e4279614a001e2142a8f91f97b94e/application/controllers/admin/tokens.php#L544
2. Usage of LSYii_Validators in the model

My proposed solution: use only model->rules.

Without XSS system: always clean up HTML with [HtmlPurifier](https://github.com/LimeSurvey/LimeSurvey/blob/3.x-LTS/application/core/LSYii_HtmlPurifier.php) or a completely flat way.

If completely flat: a JavaScript validation or an HTML5 validation is needed: no filtering without informing.

LSA attached to see.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.25.0 git
I will donate to the project if issue is resolved: No
Browser: not relevant?
Database & DB-Version: not relevant?
Server OS (if known): not relevant?
Webserver software & version (if known): not relevant?
PHP Version: not relevant?
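The "use only model->rules" proposal above, as an added example in plain PHP (not LimeSurvey's or Yii's code; the function names, the rule table and the sample rows are assumptions): every entry path runs the same rules, tags are flattened in one place, and the caller is told which fields were altered so the change is not silent.

```php
<?php
// Added illustration, not LimeSurvey code: one rule set shared by every participant
// entry path (CPDB assignment, registration, CSV import), so stored values never
// depend on which path created the participant. Function and rule names are assumptions.
declare(strict_types=1);
// The "complete flat" option from the report: drop tags, encode what is left.
// FILTER_SANITIZE_STRING does roughly this but is deprecated since PHP 8.1.
function flattenField(string $value): string
{
    return htmlspecialchars(trim(strip_tags($value)), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns null for an invalid address so the whole row is rejected, not silently altered.
function validateEmail(string $value): ?string
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Field => rule, in the spirit of a Yii model->rules() array; unknown columns are dropped.
const PARTICIPANT_RULES = [
    'firstname' => 'flattenField',
    'lastname'  => 'flattenField',
    'email'     => 'validateEmail',
];
// Cleaned values plus the fields that were altered (so the UI can tell the user); null if any value is invalid.
function sanitizeParticipant(array $row): ?array
{
    $clean = ['values' => [], 'changed' => []];
    foreach (PARTICIPANT_RULES as $field => $rule) {
        $raw   = (string) ($row[$field] ?? '');
        $value = $rule($raw);
        if ($value === null) {
            return null;
        }
        if ($value !== $raw) {
            $clean['changed'][] = $field;
        }
        $clean['values'][$field] = $value;
    }
    return $clean;
}

// Constructed rows modelled on the attached tokens CSV and the reproduction steps.
$rows = [
    'import'   => ['firstname' => 'Via import <strong>strong</strong>', 'lastname' => 'Last name: <em>em</em>', 'email' => 'import@example.org'],
    'register' => ['firstname' => 'Via register <strong>strong</strong>', 'lastname' => 'Last name: <em>em</em>', 'email' => 'not an address'],
];
var_dump(sanitizeParticipant($rows['import']));   // tags stripped, firstname and lastname flagged as changed
var_dump(sanitizeParticipant($rows['register'])); // null: the email is invalid
```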

Activities

DenisChenu (developer), 2020-11-23 12:22

Attachment tokens_641657.csv (102 bytes):
firstname,lastname,email
Via import <strong>strong</strong>,Last name: <em>em</em>,import@example.org
DenisChenu (developer), 2020-11-23 14:46, note ~60738

About removing all tags : https://gfycat.com/fr/slimyvalidjavalina
DenisChenu (developer), 2020-11-24 19:17, note ~60751

- Same behaviour as RC or import: tags allowed, XSS for superadmin: https://github.com/LimeSurvey/LimeSurvey/pull/1665
- Same behaviour as token admin GUI: disallow tags and XSS: https://github.com/LimeSurvey/LimeSurvey/pull/1666

I think I prefer to disallow tags and XSS for all users.
DenisChenu (developer), 2021-01-13 17:47, note ~61535

Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30847
DenisChenu (developer), 2021-01-14 19:11, note ~61550

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30849
gabrieljenik (manager), 2021-01-15 19:05, note ~61564 (last edited 2021-01-15 19:05)

Added a PR https://github.com/LimeSurvey/LimeSurvey/pull/1721/files
Seems something was wrong
Not sure I made it right. I just removed some 500 errors
DenisChenu (developer), 2021-01-16 10:47, note ~61567

Arg … I cherry-pick … I check master again
lime_release_bot (administrator), 2021-01-18 11:05, note ~61578

Fixed in Release 3.25.8+210118
DenisChenu (developer), 2021-01-21 13:36, note ~61624

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30907

Related Changesets

LimeSurvey: 3.x-LTS c12c9d46
2021-01-13 17:47:27, DenisChenu (Committer: GitHub)

Fixed issue 16853: Inconsistent filter behaviour when create token (#1666)

Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute

Affected Issues: 16853
mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php

LimeSurvey: master af64ca0c
2021-01-14 19:11:21, DenisChenu

Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php

Affected Issues: 16853
mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php

LimeSurvey: master e3c517f6
2021-01-14 19:14:17, DenisChenu

Fixed issue 16853: Inconsistent filter behaviour when create token
Fixed issue [security] #16884: LimeSurvey registration emails can be abused (thanks to winfried)
Dev: remove flattenText in controller
Dev: add some rules, leave LSYii_Validators
Dev: use filter_var / FILTER_SANITIZE_STRING for attribute
# Conflicts:
# application/controllers/admin/tokens.php

# Conflicts:
# application/controllers/admin/tokens.php

Affected Issues: 16853
mod - application/controllers/admin/tokens.php
mod - application/models/Token.php
mod - application/models/TokenDynamic.php

Issue History

Date Modified Username Field Change
2020-11-23 12:22 DenisChenu New Issue
2020-11-23 12:22 DenisChenu File Added: survey_archive_641657.lsa
2020-11-23 12:22 DenisChenu File Added: tokens_641657.csv
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 11-58-33.png
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 11-58-46.png
2020-11-23 12:22 DenisChenu File Added: Capture d’écran du 2020-11-23 12-22-17.png
2020-11-23 14:40 ollehar Product Version => 3.25.0
2020-11-23 14:46 DenisChenu Note Added: 60738
2020-11-24 18:11 DenisChenu Assigned To => DenisChenu
2020-11-24 18:11 DenisChenu Status new => assigned
2020-11-24 19:17 DenisChenu Assigned To DenisChenu => cdorin
2020-11-24 19:17 DenisChenu Status assigned => testing
2020-11-24 19:17 DenisChenu Note Added: 60751
2021-01-13 17:47 DenisChenu Changeset attached => LimeSurvey 3.x-LTS c12c9d46
2021-01-13 17:47 DenisChenu Note Added: 61535
2021-01-13 17:47 DenisChenu Assigned To cdorin => DenisChenu
2021-01-13 17:47 DenisChenu Resolution open => fixed
2021-01-14 19:11 DenisChenu Changeset attached => LimeSurvey master af64ca0c
2021-01-14 19:11 DenisChenu Note Added: 61550
2021-01-14 19:15 DenisChenu Status testing => resolved
2021-01-14 19:15 DenisChenu Fixed in Version => 3.25.6
2021-01-15 19:05 gabrieljenik Note Added: 61564
2021-01-15 19:05 gabrieljenik Note Edited: 61564 View Revisions
2021-01-16 10:47 DenisChenu Note Added: 61567
2021-01-18 11:05 lime_release_bot Note Added: 61578
2021-01-18 11:05 lime_release_bot Status resolved => closed
2021-01-21 13:36 DenisChenu Changeset attached => LimeSurvey master e3c517f6
2021-01-21 13:36 DenisChenu Note Added: 61624