 |
@DenisChenu, any thoughts on how to best deal with this? |
 |
Globally : i don't understand fixing a JS script where user must set a specific JS . If he can set JS : he can just add XSS how he want. Still a good idea to move to https://getbootstrap.com/docs/5.0/forms/checks-radios/#switches and remove bootstrapSwitch |
|
|
@DenisChenu: I second this. This is the reason why I hate these automated pentests. They often show issues which are no real use case at all. But if the company has a strict policy, they may not be allowed to use Limesurvey due to such questionable findings. |
|
|
My real opinion :
Simple and clean, 1. No need JS, 2. A11Y proof, 3. Stability proof, There are 4. Can use helper of browser, 5. Can use specific theme by user choice, except we force some update here (not always a good idea) |
|
|
Bootstrap 5/6 supports .form-switch which should be a possible alternative to get rid of this library. |
|
|
Or just a checkbox ;) |
 |
I will create a research ticket that needs to be handled first since it looks like we don't use bootstrap-switch any more, but there may be plugins that use it. |
|
|
|
|
|
@DenisChenu @tibor.pacalat: Is this library used at the admin backend only or also for running surveys? |
|
|
@DenisChenu @tibor.pacalat: Another finding This is the commit for updating parts of LS from 3.3.2 to 3.3.4: https://github.com/LimeSurvey/LimeSurvey/commit/34d67e356dd997fa30c125c4dbbde9b188866b11 -> So maybe updating the outdated 3.3.2 files to 3.3.4 will already solve some pentest issues in case of reported outdated libraries. |
|
|
This has been resolved via https://bugs.limesurvey.org/view.php?id=20273. |
|
|
@tibor,pacalat, I didn't see any related commit. What is the actual solution? Will the library be removed. |
|
|
Library was not removed, but the references to it were. We had an issue when we deployed this to cloud, and we are handling this as we speak. |
- Anonymous
