|
|
We fix partially here : https://bugs.limesurvey.org/view.php?id=9300 ( XSS protection or variable substitution breaks links or other elements that contain variable substitutions)
Maybe we can allow _ ?
Feature or bug ? |
|
|
|
I would say is a bug, but I would set a low priority right now.
XSS filtering is really tricky and sometimes need to be more strict than it has to as to not let some cases to slip away. |
|
|
|
Confirming the issue as it was registered by Denis |
|
|
|
We have a fix to allow {QCODE} i think we must allow {QCODE_SUBQ} and {ATTRIBUTE_1}
But feature or not ? Didn't know.
Tottaly OK for the low priority.
About {TOKEN:ATTRIBUTE_1} : moire difficult : <code>:</code> is encoded too … |
|
|
|
We have a fix to allow {QCODE} i think we must allow {QCODE_SUBQ} and {ATTRIBUTE_1}
Not sure I follow.
The issue is about XSS on special chars... not seeing how it is related to {QCODE_SUBQ} and {ATTRIBUTE_1}
About {TOKEN:ATTRIBUTE_1} : moire difficult : <code>:</code> is encoded too …
Not following, sorry.
But maybe we can pick up the discussion when picking up the ticket |
|
|
|
The issue is about XSS on special chars... not seeing how it is related to {QCODE_SUBQ} and {ATTRIBUTE_1}
No the issue is : XSS: Unable to use attribute in URL
Follow parent link
https://bugs.limesurvey.org/view.php?id=9300
https://bugs.limesurvey.org/plugin.php?page=Source/view&id=14571
https://github.com/LimeSurvey/LimeSurvey/commit/73b4a00a42e8ab17722eff1ac6eb995abb73f6d1
/** Start to get complete filtered value with url decode {QCODE} (bug #09300). This allow only question number in url, seems OK with XSS protection **/
$sFiltered=preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#','{$1}',$filter->purify($value));
|
|
