View Issue Details

ID: 18236
Project: Bug reports
Category: Survey participants (Tokens)
View Status: public
Last Update: 2022-07-05 15:04
Reporter: DenisChenu
Assigned To: (none)
Priority: none
Severity: minor
Status: confirmed
Resolution: open
Product Version: 3.28.x
Summary18236: XSS: Unable to use attribute in URL
Description

When trying to use an ATTRIBUTE in a URL, it is rewritten and the link is broken.

Steps To Reproduce

With a user with XSS activated, disable the HTML inline editor (it can stay enabled, but it is simpler without).
Edit email
Add <a href='@@SURVEYURL@@&UO1={ATTRIBUTE_1}'>do the survey</a>
Save

Expected result

@@SURVEYURL@@&UO1={ATTRIBUTE_1} stays like that

Actual result

becomes @@SURVEYURL@@&UO1={ATTRIBUTE_1}">je participe

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 3.28.17
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

child of 09300 (closed, DenisChenu): XSS protection or variable substitution breaks links or other elements that contain variable substitutions


Activities

DenisChenu (developer), 2022-07-05 09:08, ~70696

We fixed this partially here: https://bugs.limesurvey.org/view.php?id=9300 (XSS protection or variable substitution breaks links or other elements that contain variable substitutions)

Maybe we can allow _?

Feature or bug?

gabrieljenik (manager), 2022-07-05 14:47, ~70717

I would say it is a bug, but I would set a low priority right now.
XSS filtering is really tricky and sometimes needs to be stricter than it has to be, so as not to let some cases slip away.

gabrieljenik (manager), 2022-07-05 14:47, ~70718

Confirming the issue as it was registered by Denis

DenisChenu (developer), 2022-07-05 14:49, ~70719

We have a fix to allow {QCODE}; I think we must allow {QCODE_SUBQ} and {ATTRIBUTE_1}.
But feature or not? I don't know.

Totally OK for the low priority.

About {TOKEN:ATTRIBUTE_1}: more difficult, ":" is encoded too …

gabrieljenik (manager), 2022-07-05 14:57, ~70723

We have a fix to allow {QCODE}; I think we must allow {QCODE_SUBQ} and {ATTRIBUTE_1}.

Not sure I follow.
The issue is about XSS on special chars... not seeing how it is related to {QCODE_SUBQ} and {ATTRIBUTE_1}.

About {TOKEN:ATTRIBUTE_1}: more difficult, ":" is encoded too …

Not following, sorry.
But maybe we can pick up the discussion when picking up the ticket.

DenisChenu (developer), 2022-07-05 15:03, ~70726 (last edited: 2022-07-05 15:04)

The issue is about XSS on special chars... not seeing how it is related to {QCODE_SUBQ} and {ATTRIBUTE_1}.

No, the issue is: XSS: Unable to use attribute in URL

Follow the parent link:
https://bugs.limesurvey.org/view.php?id=9300
https://bugs.limesurvey.org/plugin.php?page=Source/view&id=14571
https://github.com/LimeSurvey/LimeSurvey/commit/73b4a00a42e8ab17722eff1ac6eb995abb73f6d1

        /** Start to get the complete filtered value, then URL-decode {QCODE} (bug 09300). This allows only question codes made of letters, digits and dots in the URL, which seems OK with XSS protection **/
        $sFiltered=preg_replace('#%7B([a-zA-Z0-9\.]*)%7D#','{$1}',$filter->purify($value));
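Added example (not LimeSurvey's code) that models the two steps the line above performs: a stand-in for $filter->purify() that only percent-encodes a few URL-unsafe characters inside an href (an assumption about the purifier, chosen because the committed regex decodes %7B/%7D back), followed by the whitelist restore. It shows why {QCODE} survives, why {ATTRIBUTE_1} does not, and that adding "_" to the class still leaves hostile brace contents encoded.

```php
<?php
// Added example, not LimeSurvey code. fakePurifyHref() is an assumption standing in for
// $filter->purify(): it percent-encodes only { } < > " inside href values.

/** Stand-in for the purifier: percent-encode a few unsafe characters inside href="..." or href='...'. */
function fakePurifyHref(string $html): string
{
    return preg_replace_callback('#href=([\'"])(.*?)\1#', function (array $m): string {
        $encoded = str_replace(['{', '}', '<', '>', '"'], ['%7B', '%7D', '%3C', '%3E', '%22'], $m[2]);
        return 'href="' . $encoded . '"';
    }, $html);
}

/** The restore step as committed for bug 09300; $class is the character class allowed inside braces. */
function restoreBraces(string $purified, string $class = 'a-zA-Z0-9\.'): string
{
    return preg_replace('#%7B([' . $class . ']*)%7D#', '{$1}', $purified);
}

// Email bodies constructed for this example: the link from the report, an accepted
// {QCODE} placeholder, and a hostile brace content that must stay encoded.
$cases = [
    "<a href='@@SURVEYURL@@&UO1={ATTRIBUTE_1}'>do the survey</a>",
    "<a href='@@SURVEYURL@@&Q={QCODE}'>do the survey</a>",
    "<a href='@@SURVEYURL@@&X={<script>}'>do the survey</a>",
];

foreach ($cases as $body) {
    $purified = fakePurifyHref($body);
    // Committed class: {QCODE} is restored, {ATTRIBUTE_1} stays %7BATTRIBUTE_1%7D (underscore not allowed).
    echo "committed class : ", restoreBraces($purified), PHP_EOL;
    // Class widened with "_" (the "maybe we can allow _?" question): {ATTRIBUTE_1} is restored,
    // while %7B%3Cscript%3E%7D is still not matched because "%" is outside the class.
    echo "with underscore : ", restoreBraces($purified, 'a-zA-Z0-9\._'), PHP_EOL;
}
```

{TOKEN:ATTRIBUTE_1} would additionally need ":" in the class, which is the harder case the thread mentions.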

Issue History

Date Modified Username Field Change
2022-07-05 09:07 DenisChenu New Issue
2022-07-05 09:07 DenisChenu Relationship added child of 09300
2022-07-05 09:08 DenisChenu Note Added: 70696
2022-07-05 09:08 DenisChenu Bug heat 0 => 2
2022-07-05 14:47 gabrieljenik Note Added: 70717
2022-07-05 14:47 gabrieljenik Bug heat 2 => 4
2022-07-05 14:47 gabrieljenik Assigned To => gabrieljenik
2022-07-05 14:47 gabrieljenik Status new => confirmed
2022-07-05 14:47 gabrieljenik Note Added: 70718
2022-07-05 14:49 DenisChenu Note Added: 70719
2022-07-05 14:57 gabrieljenik Note Added: 70723
2022-07-05 15:03 DenisChenu Note Added: 70726
2022-07-05 15:03 gabrieljenik Assigned To gabrieljenik =>
2022-07-05 15:04 DenisChenu Note Edited: 70726