View Issue Details

This bug affects 1 person(s).
IDProjectCategoryView StatusLast Update
19197Bug reportsQuestion editorpublic2023-10-27 03:41
Reporterdiana_was_here Assigned To 
Status newResolutionopen 
Product Version6.3.x 
Summary19197: Sandbox attribute added to iframe in question editor

After recent limesurvey updates, I became unable to use <iframe>s in the survey questions. The iframes are displayed but interaction is disabled. I realised this is because whenever I include an iframe, limesurvey automatically adds the sandbox attribute: sandbox="allow-scripts allow-same-origin" . And despite the exception in the sandbox (allow-scrips), no scripts are permitted to run in the iframe.

The most frustrating aspect is that whenever I try to remove the sandbox attribute in the Source editor, this is automatically added back to the code. I eventually managed to get around this issue by disabling the question editor in my account preferences and using the sourcecode editor instead. By using the sourcecode editor, I am finally able to remove the sandbox attribute that kept being added to my iframes, thanks to the very helpful limesurvey community: .

I attach two images to illustrate:
(image 1 - enter-code) Here is some test code I wrote in the Source editor. I click 'OK', and when I open the Source editor again, I see...
(image 2 - enter-code-edited) that the 'sandbox' attribute was added to my iframe. If I try to delete it, it gets added again.

Further to this, after the addition of the sandbox attribute, scripts in the iframe won't work. In the test code, there is a button triggering an alert. The iframe contains that same code of the button triggering the alert. What I see when I run the code with the 'sandbox' addition is the two buttons, but the alert is only triggered by the button directly added to the html code, but not the iframe one.

Steps To Reproduce

Steps to reproduce

Go to the default question editor. Click on Source. Include an <iframe> element.

Expected result

I expect to be able to interact with the page displayed in the iframe, i.e. for scripts to run, forms to be submitted etc.

Actual result

The Source editor adds the sandbox attribute and all interaction is disabled.

TagsNo tags attached.
Attached Files
enter code edited.png (13,555 bytes)   
enter code edited.png (13,555 bytes)   
enter code.png (13,291 bytes)   
enter code.png (13,291 bytes)   
Bug heat8
Complete LimeSurvey version number (& build)6.3.0+231016
I will donate to the project if issue is resolvedNo
Browsertested on Firefox + Chrome
Database type & versionnot sure
Server OS (if known)
Webserver software & version (if known)
PHP Version7.4.

Users monitoring this issue

DenisChenu, mfavetti




2023-10-25 23:33

developer   ~78017 is the responsible line of code.

Added in this commit: to fix the editor adding sandbox="" (most restrictive value is empty string: So my guess is the fix was just to explicitly state the sandbox attribute values rather than letting the editor decide.

The issue for the mentioned commit is on jira...

Need to check browser behavior.

So yeah workaround is disable the editor.



2023-10-25 23:35

developer   ~78018

@diana_was here

anything in browser console? js is not working at all? or partial?



2023-10-25 23:38

developer   ~78019


allow-scripts allows js, but no pop up window

allow-popups/allow-popups-to-escape-sandbox is needed for this

do we have way for user to extend editor config?



2023-10-25 23:39

developer   ~78020


can you try enabling editor, and add allow-popups/allow-popups-to-escape-sandbox (depending on needs) to sandbox attribute value and see if your js works as expected then?



2023-10-25 23:39

developer   ~78021

anyways, don't think its a bug

just misconfigured



2023-10-25 23:55

developer   ~78022

Last edited: 2023-10-25 23:56

also thinking about this, not sure i agree with having a default value at all...

just in general, lots of threats to users evolve over time to exploit iframe use. so, browsers provide a way to increase user security when using iframes.

limesurvey users may use iframe. shouldn't each user decide how much security their particular use of iframe needs rather than disabling protections by default because some users don't care to understand/configure the setting? otherwise, we just pass on risk to all the survey respondents. (also users of the software)

this is more like default allow than default deny policy



2023-10-26 12:01

partner   ~78038

I see this as a regression.

In 5.x the editor did not set a sandbox attribute. I think it should be left to the user to set element attributes.

Can this be defined in the editor config settings?



2023-10-27 03:41

developer   ~78069

per mdn allow scripts and allow same origin (LS current default settings) is no more secure than running with no sandbox at all. so if you see this issue as a regression, why don't we just remove the attribute entirely (revert to pre 4.21 editor behavior)?

ckeditor docs:

simple enough change. on just set to an empty object

my feeling is we should leave default sandbox="" (most restrictive) and put a note in the manual for question editing regarding iframes, and link to mdn docs. this defaults to most secure and if a user needs less security, they can choose which exceptions to apply for their use case and add them to the attribute. how common is iframe use anyways?

i think this is akin to disabling the incoming firewall just because a user needs one port open and doesn't know how

Issue History

Date Modified Username Field Change
2023-10-25 23:05 diana_was_here New Issue
2023-10-25 23:05 diana_was_here File Added: enter code edited.png
2023-10-25 23:05 diana_was_here File Added: enter code.png
2023-10-25 23:33 mfavetti Note Added: 78017
2023-10-25 23:33 mfavetti Bug heat 0 => 2
2023-10-25 23:35 mfavetti Note Added: 78018
2023-10-25 23:38 mfavetti Note Added: 78019
2023-10-25 23:39 mfavetti Note Added: 78020
2023-10-25 23:39 mfavetti Note Added: 78021
2023-10-25 23:55 mfavetti Note Added: 78022
2023-10-25 23:56 mfavetti Note Edited: 78022
2023-10-26 00:44 mfavetti Issue Monitored: mfavetti
2023-10-26 00:44 mfavetti Bug heat 2 => 4
2023-10-26 08:02 DenisChenu Issue Monitored: DenisChenu
2023-10-26 08:02 DenisChenu Bug heat 4 => 6
2023-10-26 12:01 tpartner Note Added: 78038
2023-10-26 12:01 tpartner Bug heat 6 => 8
2023-10-27 03:41 mfavetti Note Added: 78069