View Issue Details

This bug affects 1 person(s).
 6
IDProjectCategoryView StatusLast Update
17699Bug reportsExpression Managerpublic2022-04-22 14:56
ReporterDenisChenu Assigned Togabrieljenik  
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.25.20 
Summary17699: Question validation with < or > broke with last update (XSS activated)
Description

before 3.27.20+211012 : any user can use Q01 < Q02 (or 1 > 2) in Question validation equation
But after : > is replace by & gt ; when save … this can broke live survey

Steps To Reproduce

Steps to reproduce

Connect with a non super admin and XSS enable instance
Import included survey
Test with 3.27.20 or up

Do same thing with 3.27.19

Expected result

Like 3.27.19 : it work (vfalidation was not updated)

Actual result

XSS broke validation

TagsNo tags attached.
Attached Files
limesurvey_survey_gtlt_validation.lss (13,654 bytes)   
<?xml version="1.0" encoding="UTF-8"?>
<document>
 <LimeSurveyDocType>Survey</LimeSurveyDocType>
 <DBVersion>365</DBVersion>
 <languages>
  <language>en</language>
 </languages>
 <groups>
  <fields>
   <fieldname>gid</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>group_name</fieldname>
   <fieldname>group_order</fieldname>
   <fieldname>description</fieldname>
   <fieldname>language</fieldname>
   <fieldname>randomization_group</fieldname>
   <fieldname>grelevance</fieldname>
  </fields>
  <rows>
   <row>
    <gid><![CDATA[321]]></gid>
    <sid><![CDATA[732591]]></sid>
    <group_name><![CDATA[My first question group]]></group_name>
    <group_order><![CDATA[1]]></group_order>
    <description/>
    <language><![CDATA[en]]></language>
    <randomization_group/>
    <grelevance><![CDATA[1]]></grelevance>
   </row>
  </rows>
 </groups>
 <questions>
  <fields>
   <fieldname>qid</fieldname>
   <fieldname>parent_qid</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>gid</fieldname>
   <fieldname>type</fieldname>
   <fieldname>title</fieldname>
   <fieldname>question</fieldname>
   <fieldname>preg</fieldname>
   <fieldname>help</fieldname>
   <fieldname>other</fieldname>
   <fieldname>mandatory</fieldname>
   <fieldname>question_order</fieldname>
   <fieldname>language</fieldname>
   <fieldname>scale_id</fieldname>
   <fieldname>same_default</fieldname>
   <fieldname>relevance</fieldname>
   <fieldname>modulename</fieldname>
  </fields>
  <rows>
   <row>
    <qid><![CDATA[5259]]></qid>
    <parent_qid><![CDATA[0]]></parent_qid>
    <sid><![CDATA[732591]]></sid>
    <gid><![CDATA[321]]></gid>
    <type><![CDATA[N]]></type>
    <title><![CDATA[Q00]]></title>
    <question><![CDATA[A first example question. Please answer this question:]]></question>
    <preg/>
    <help/>
    <other><![CDATA[N]]></other>
    <mandatory><![CDATA[N]]></mandatory>
    <question_order><![CDATA[1]]></question_order>
    <language><![CDATA[en]]></language>
    <scale_id><![CDATA[0]]></scale_id>
    <same_default><![CDATA[0]]></same_default>
    <relevance><![CDATA[1]]></relevance>
    <modulename/>
   </row>
  </rows>
 </questions>
 <question_attributes>
  <fields>
   <fieldname>qid</fieldname>
   <fieldname>attribute</fieldname>
   <fieldname>value</fieldname>
   <fieldname>language</fieldname>
  </fields>
  <rows>
   <row>
    <qid><![CDATA[5259]]></qid>
    <attribute><![CDATA[em_validation_q]]></attribute>
    <value><![CDATA[self > 5]]></value>
   </row>
   <row>
    <qid><![CDATA[5259]]></qid>
    <attribute><![CDATA[em_validation_q_tip]]></attribute>
    <value><![CDATA[It must be more than 5]]></value>
    <language><![CDATA[en]]></language>
   </row>
  </rows>
 </question_attributes>
 <surveys>
  <fields>
   <fieldname>sid</fieldname>
   <fieldname>gsid</fieldname>
   <fieldname>admin</fieldname>
   <fieldname>expires</fieldname>
   <fieldname>startdate</fieldname>
   <fieldname>adminemail</fieldname>
   <fieldname>anonymized</fieldname>
   <fieldname>faxto</fieldname>
   <fieldname>format</fieldname>
   <fieldname>savetimings</fieldname>
   <fieldname>template</fieldname>
   <fieldname>language</fieldname>
   <fieldname>additional_languages</fieldname>
   <fieldname>datestamp</fieldname>
   <fieldname>usecookie</fieldname>
   <fieldname>allowregister</fieldname>
   <fieldname>allowsave</fieldname>
   <fieldname>autonumber_start</fieldname>
   <fieldname>autoredirect</fieldname>
   <fieldname>allowprev</fieldname>
   <fieldname>printanswers</fieldname>
   <fieldname>ipaddr</fieldname>
   <fieldname>refurl</fieldname>
   <fieldname>showsurveypolicynotice</fieldname>
   <fieldname>publicstatistics</fieldname>
   <fieldname>publicgraphs</fieldname>
   <fieldname>listpublic</fieldname>
   <fieldname>htmlemail</fieldname>
   <fieldname>sendconfirmation</fieldname>
   <fieldname>tokenanswerspersistence</fieldname>
   <fieldname>assessments</fieldname>
   <fieldname>usecaptcha</fieldname>
   <fieldname>usetokens</fieldname>
   <fieldname>bounce_email</fieldname>
   <fieldname>attributedescriptions</fieldname>
   <fieldname>emailresponseto</fieldname>
   <fieldname>emailnotificationto</fieldname>
   <fieldname>tokenlength</fieldname>
   <fieldname>showxquestions</fieldname>
   <fieldname>showgroupinfo</fieldname>
   <fieldname>shownoanswer</fieldname>
   <fieldname>showqnumcode</fieldname>
   <fieldname>bouncetime</fieldname>
   <fieldname>bounceprocessing</fieldname>
   <fieldname>bounceaccounttype</fieldname>
   <fieldname>bounceaccounthost</fieldname>
   <fieldname>bounceaccountpass</fieldname>
   <fieldname>bounceaccountencryption</fieldname>
   <fieldname>bounceaccountuser</fieldname>
   <fieldname>showwelcome</fieldname>
   <fieldname>showprogress</fieldname>
   <fieldname>questionindex</fieldname>
   <fieldname>navigationdelay</fieldname>
   <fieldname>nokeyboard</fieldname>
   <fieldname>alloweditaftercompletion</fieldname>
   <fieldname>googleanalyticsstyle</fieldname>
   <fieldname>googleanalyticsapikey</fieldname>
  </fields>
  <rows>
   <row>
    <sid><![CDATA[732591]]></sid>
    <gsid><![CDATA[1]]></gsid>
    <admin><![CDATA[Denis Chenu]]></admin>
    <adminemail><![CDATA[denis@shnoulle.net]]></adminemail>
    <anonymized><![CDATA[N]]></anonymized>
    <faxto/>
    <format><![CDATA[G]]></format>
    <savetimings><![CDATA[N]]></savetimings>
    <template><![CDATA[vanilla]]></template>
    <language><![CDATA[en]]></language>
    <additional_languages/>
    <datestamp><![CDATA[N]]></datestamp>
    <usecookie><![CDATA[N]]></usecookie>
    <allowregister><![CDATA[N]]></allowregister>
    <allowsave><![CDATA[Y]]></allowsave>
    <autonumber_start><![CDATA[0]]></autonumber_start>
    <autoredirect><![CDATA[N]]></autoredirect>
    <allowprev><![CDATA[N]]></allowprev>
    <printanswers><![CDATA[N]]></printanswers>
    <ipaddr><![CDATA[N]]></ipaddr>
    <refurl><![CDATA[N]]></refurl>
    <showsurveypolicynotice><![CDATA[0]]></showsurveypolicynotice>
    <publicstatistics><![CDATA[N]]></publicstatistics>
    <publicgraphs><![CDATA[N]]></publicgraphs>
    <listpublic><![CDATA[N]]></listpublic>
    <htmlemail><![CDATA[Y]]></htmlemail>
    <sendconfirmation><![CDATA[Y]]></sendconfirmation>
    <tokenanswerspersistence><![CDATA[N]]></tokenanswerspersistence>
    <assessments><![CDATA[N]]></assessments>
    <usecaptcha><![CDATA[N]]></usecaptcha>
    <usetokens><![CDATA[N]]></usetokens>
    <bounce_email><![CDATA[denis@shnoulle.net]]></bounce_email>
    <emailresponseto/>
    <emailnotificationto/>
    <tokenlength><![CDATA[15]]></tokenlength>
    <showxquestions><![CDATA[Y]]></showxquestions>
    <showgroupinfo><![CDATA[B]]></showgroupinfo>
    <shownoanswer><![CDATA[N]]></shownoanswer>
    <showqnumcode><![CDATA[X]]></showqnumcode>
    <bounceprocessing><![CDATA[N]]></bounceprocessing>
    <showwelcome><![CDATA[Y]]></showwelcome>
    <showprogress><![CDATA[Y]]></showprogress>
    <questionindex><![CDATA[0]]></questionindex>
    <navigationdelay><![CDATA[0]]></navigationdelay>
    <nokeyboard><![CDATA[N]]></nokeyboard>
    <alloweditaftercompletion><![CDATA[N]]></alloweditaftercompletion>
   </row>
  </rows>
 </surveys>
 <surveys_languagesettings>
  <fields>
   <fieldname>surveyls_survey_id</fieldname>
   <fieldname>surveyls_language</fieldname>
   <fieldname>surveyls_title</fieldname>
   <fieldname>surveyls_description</fieldname>
   <fieldname>surveyls_welcometext</fieldname>
   <fieldname>surveyls_endtext</fieldname>
   <fieldname>surveyls_policy_notice</fieldname>
   <fieldname>surveyls_policy_error</fieldname>
   <fieldname>surveyls_policy_notice_label</fieldname>
   <fieldname>surveyls_url</fieldname>
   <fieldname>surveyls_urldescription</fieldname>
   <fieldname>surveyls_email_invite_subj</fieldname>
   <fieldname>surveyls_email_invite</fieldname>
   <fieldname>surveyls_email_remind_subj</fieldname>
   <fieldname>surveyls_email_remind</fieldname>
   <fieldname>surveyls_email_register_subj</fieldname>
   <fieldname>surveyls_email_register</fieldname>
   <fieldname>surveyls_email_confirm_subj</fieldname>
   <fieldname>surveyls_email_confirm</fieldname>
   <fieldname>surveyls_dateformat</fieldname>
   <fieldname>surveyls_attributecaptions</fieldname>
   <fieldname>email_admin_notification_subj</fieldname>
   <fieldname>email_admin_notification</fieldname>
   <fieldname>email_admin_responses_subj</fieldname>
   <fieldname>email_admin_responses</fieldname>
   <fieldname>surveyls_numberformat</fieldname>
   <fieldname>attachments</fieldname>
  </fields>
  <rows>
   <row>
    <surveyls_survey_id><![CDATA[732591]]></surveyls_survey_id>
    <surveyls_language><![CDATA[en]]></surveyls_language>
    <surveyls_title><![CDATA[Check > and < in validation]]></surveyls_title>
    <surveyls_description/>
    <surveyls_welcometext/>
    <surveyls_endtext/>
    <surveyls_url/>
    <surveyls_urldescription/>
    <surveyls_email_invite_subj><![CDATA[Invitation to participate in a survey]]></surveyls_email_invite_subj>
    <surveyls_email_invite><![CDATA[Dear {FIRSTNAME},<br />
<br />
you have been invited to participate in a survey.<br />
<br />
The survey is titled:<br />
"{SURVEYNAME}"<br />
<br />
"{SURVEYDESCRIPTION}"<br />
<br />
To participate, please click on the link below.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME} ({ADMINEMAIL})<br />
<br />
----------------------------------------------<br />
Click here to do the survey:<br />
{SURVEYURL}<br />
<br />
If you do not want to participate in this survey and don't want to receive any more invitations please click the following link:<br />
{OPTOUTURL}<br />
<br />
If you are blacklisted but want to participate in this survey and want to receive invitations please click the following link:<br />
{OPTINURL}]]></surveyls_email_invite>
    <surveyls_email_remind_subj><![CDATA[Reminder to participate in a survey]]></surveyls_email_remind_subj>
    <surveyls_email_remind><![CDATA[Dear {FIRSTNAME},<br />
<br />
Recently we invited you to participate in a survey.<br />
<br />
We note that you have not yet completed the survey, and wish to remind you that the survey is still available should you wish to take part.<br />
<br />
The survey is titled:<br />
"{SURVEYNAME}"<br />
<br />
"{SURVEYDESCRIPTION}"<br />
<br />
To participate, please click on the link below.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME} ({ADMINEMAIL})<br />
<br />
----------------------------------------------<br />
Click here to do the survey:<br />
{SURVEYURL}<br />
<br />
If you do not want to participate in this survey and don't want to receive any more invitations please click the following link:<br />
{OPTOUTURL}]]></surveyls_email_remind>
    <surveyls_email_register_subj><![CDATA[Survey registration confirmation]]></surveyls_email_register_subj>
    <surveyls_email_register><![CDATA[Dear {FIRSTNAME},<br />
<br />
You, or someone using your email address, have registered to participate in an online survey titled {SURVEYNAME}.<br />
<br />
To complete this survey, click on the following URL:<br />
<br />
{SURVEYURL}<br />
<br />
If you have any questions about this survey, or if you did not register to participate and believe this email is in error, please contact {ADMINNAME} at {ADMINEMAIL}.]]></surveyls_email_register>
    <surveyls_email_confirm_subj><![CDATA[Confirmation of your participation in our survey]]></surveyls_email_confirm_subj>
    <surveyls_email_confirm><![CDATA[Dear {FIRSTNAME},<br />
<br />
this email is to confirm that you have completed the survey titled {SURVEYNAME} and your response has been saved. Thank you for participating.<br />
<br />
If you have any further questions about this email, please contact {ADMINNAME} on {ADMINEMAIL}.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME}]]></surveyls_email_confirm>
    <surveyls_dateformat><![CDATA[1]]></surveyls_dateformat>
    <email_admin_notification_subj><![CDATA[Response submission for survey {SURVEYNAME}]]></email_admin_notification_subj>
    <email_admin_notification><![CDATA[Hello,<br />
<br />
A new response was submitted for your survey '{SURVEYNAME}'.<br />
<br />
Click the following link to see the individual response:<br />
{VIEWRESPONSEURL}<br />
<br />
Click the following link to edit the individual response:<br />
{EDITRESPONSEURL}<br />
<br />
View statistics by clicking here:<br />
{STATISTICSURL}]]></email_admin_notification>
    <email_admin_responses_subj><![CDATA[Response submission for survey {SURVEYNAME} with results]]></email_admin_responses_subj>
    <email_admin_responses><![CDATA[Hello,<br />
<br />
A new response was submitted for your survey '{SURVEYNAME}'.<br />
<br />
Click the following link to see the individual response:<br />
{VIEWRESPONSEURL}<br />
<br />
Click the following link to edit the individual response:<br />
{EDITRESPONSEURL}<br />
<br />
View statistics by clicking here:<br />
{STATISTICSURL}<br />
<br />
<br />
The following answers were given by the participant:<br />
{ANSWERTABLE}]]></email_admin_responses>
    <surveyls_numberformat><![CDATA[0]]></surveyls_numberformat>
   </row>
  </rows>
 </surveys_languagesettings>
 <themes>
  <theme>
   <sid>732591</sid>
   <template_name>vanilla</template_name>
   <config>
    <options>inherit</options>
   </config>
  </theme>
 </themes>
 <themes_inherited>
  <theme>
   <sid>732591</sid>
   <template_name>vanilla</template_name>
   <config>
    <options>
     <ajaxmode>off</ajaxmode>
     <brandlogo>on</brandlogo>
     <container>on</container>
     <hideprivacyinfo>off</hideprivacyinfo>
     <brandlogofile>./files/logo.png</brandlogofile>
     <font>noto</font>
    </options>
   </config>
  </theme>
 </themes_inherited>
</document>
Bug heat6
Complete LimeSurvey version number (& build)3.27.23
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database type & versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2021-11-05 16:11

developer   ~67136

Found via : https://forums.limesurvey.org/forum/can-i-do-this-with-limesurvey/125821-conditional-minimum-value#221698

ollehar

ollehar

2021-11-19 11:29

administrator   ~67444

Yikes
Do we need to revert the updateAll fix?

DenisChenu

DenisChenu

2021-11-19 12:04

developer   ~67445

https://bugs.limesurvey.org/view.php?id=17527#c67141

ollehar

ollehar

2021-11-19 12:17

administrator   ~67448

Please pull and test again, after my revert.

gabrieljenik

gabrieljenik

2022-04-22 14:56

manager   ~69194

As per the comments, will be closing the ticket.
Please add any comments in case it should be reopened.
Thanks

Issue History

Date Modified Username Field Change
2021-11-05 16:06 DenisChenu New Issue
2021-11-05 16:06 DenisChenu File Added: Capture d’écran du 2021-11-05 16-06-12.png
2021-11-05 16:06 DenisChenu File Added: limesurvey_survey_gtlt_validation.lss
2021-11-05 16:11 DenisChenu Note Added: 67136
2021-11-05 16:11 DenisChenu Bug heat 0 => 2
2021-11-19 11:29 ollehar Note Added: 67444
2021-11-19 11:29 ollehar Bug heat 2 => 4
2021-11-19 12:04 DenisChenu Note Added: 67445
2021-11-19 12:17 ollehar Note Added: 67448
2022-04-22 14:56 gabrieljenik Assigned To => gabrieljenik
2022-04-22 14:56 gabrieljenik Status new => closed
2022-04-22 14:56 gabrieljenik Resolution open => fixed
2022-04-22 14:56 gabrieljenik Note Added: 69194
2022-04-22 14:56 gabrieljenik Bug heat 4 => 6