View Issue Details

ID: 03856
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2009-11-30 01:41
Reporter: user3760
Assigned To: c_schmitz
Priority: normal
Severity: partial_block
Status: closed
Resolution: no change required
Product Version: 1.86
Summary03856: Users can right-click-paste around character restrictions
Description

In qanda.php, you can specify which characters are valid for the various input types. For do_numerical, the allowed characters are 0-9 and '.'. Users can get around the restrictions by using the context menu and using paste from within the context menu (Ctrl-V does not work). Unfortunately it is against my requirements to disable the context menu, so the fix below is what I implemented.

Additional Information

Here is the fix I implemented, however it will need to be slightly modified to be included with the limesurvey package.

(I replaced the onchange located on line 3727)
onchange='checkconditions(this.value, this.name, this.type); var match = new RegExp(\".,\"); if (match.test()) {this.value = this.value.replace(\",\", \"\"); alert(\"Commas are not allowed, and have been removed. Please recheck the number and use a period if necessary.\");}'"

Something similar will need to be done for every input type to ensure that only valid input can be entered.
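The keypress-only filter described above never sees a value set through the context menu (paste, drag and drop, undo), which is why it can be bypassed. As an added example, not LimeSurvey's own code, the guard below listens on the 'input' event, which fires after every change to the field regardless of how it was made; the server must still repeat the check, since a client can always submit the form without running any script. Function and selector names are assumptions.

```javascript
// Added example, not part of LimeSurvey: guard a numerical answer on the
// 'input' event instead of 'keypress'. 'input' fires for typed characters,
// context-menu paste, drag/drop and IME composition alike, so there is no
// entry path the filter does not see. Client-side filtering is a usability
// aid only; the server-side sanitisation must stay in place.

const NOT_ALLOWED = /[^0-9.]/g; // do_numerical accepts only 0-9 and '.'

// Keep only digits and the first decimal point; returns the cleaned string.
function sanitizeNumerical(value) {
  let cleaned = String(value).replace(NOT_ALLOWED, "");
  // A pasted value such as "1.2.3" passes the character filter but is not
  // a number; drop every '.' after the first one.
  const first = cleaned.indexOf(".");
  if (first !== -1) {
    cleaned = cleaned.slice(0, first + 1) + cleaned.slice(first + 1).replace(/\./g, "");
  }
  return cleaned;
}

// True when the value is already in the accepted x.xx form (no locale
// separators, at most one decimal point, not empty).
function isValidNumerical(value) {
  return value !== "" && value !== "." && /^[0-9]*\.?[0-9]*$/.test(value);
}

// Attach the guard to an <input>. The handler is returned so callers
// (or a test) can invoke it directly without dispatching a DOM event.
function attachNumericGuard(el) {
  const handler = () => {
    const cleaned = sanitizeNumerical(el.value);
    if (cleaned !== el.value) {
      el.value = cleaned;
      // Surface the correction through the constraint API rather than an
      // alert(), so it cannot be dismissed by moving to the next page.
      el.setCustomValidity("Only digits and a period are allowed; other characters were removed.");
    } else {
      el.setCustomValidity("");
    }
  };
  el.addEventListener("input", handler);
  return handler;
}

// Usage in the survey page (the class selector is an assumed placeholder).
if (typeof document !== "undefined") {
  document.querySelectorAll("input.numeric-answer").forEach(attachNumericGuard);
}
```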

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 7697
I will donate to the project if issue is resolved:
Browser: Chrome, Firefox, IE
Database type & version: MS SQL - 138
Server OS (if known): Windows Server 2003
Webserver software & version (if known): IIS 6
PHP Version: 5


Activities

user3760 (2009-11-19 00:57) ~10153

Should actually be:

onchange='checkconditions(this.value, this.name, this.type); var match = new RegExp(\"[,]\"); if (match.test(this.value)) {this.value = this.value.replace(\",\", \"\"); alert(\"Commas are not allowed, and have been removed. Please recheck the number and use a period if necessary.\");}'"

user372 (2009-11-19 07:50) ~10156

@c_schmitz: could you please have a look at (review) the code provided by Pharmakon.

c_schmitz (administrator, 2009-11-22 21:47) ~10210

OnChange does not cut it here, since conditions and submission would take effect too late on survey submission.

Even if your user inserts characters by pasting, the characters are sanitized to a number, so there is no harm done.

user3760 (2009-11-23 01:49) ~10212

To address point 1:
A JavaScript box is opened immediately when the user attempts to go to another input. Your explanation is inadequate.

Point 2:
It is NOT sanitized to a number properly. Here is a prime example:
A database is set up in the US; numbers in the US are formatted such as 3,000,000.00. Numbers in Europe are entered as 3.000.000,00. They are not the same (and yet both are considered valid numbers by LimeSurvey). Conversion from one standard to another must occur. It is best to catch this when it is being input. This is a valid concern for anyone who takes surveys on a global scale.

If you don't want to implement the method I posted, that's fine... no offense taken. I didn't tell you to; I informed you of the issue that needs to be resolved. Fix it another way, but this is a very serious data entry and potentially a security issue in this application.

c_schmitz (administrator, 2009-11-30 01:41) ~10320

1.) The JavaScript box is coming too late. A user can still manage to press a button to go to the next page.

2.) Before you start spitting around if this is 'potentially a security issue in this application' please get informed first how LimeSurvey works before spreading FUD - LimeSurvey is perfectly safe regarding that. The suggested method doesn't work properly and so does not solve the problem.

LimeSurvey does not yet support different number formats. In fact, all numbers are treated like the x.xx decimal float format. Please file a feature request if you think that is not adequate, or better, implement a number format as a question attribute and provide an according patch.
We will be happy to help if you have questions!

Issue History

Date Modified Username Field Change
2009-11-18 18:53 user3760 New Issue
2009-11-18 18:53 user3760 Status new => assigned
2009-11-18 18:53 user3760 Assigned To => user372
2009-11-18 18:53 user3760 LimeSurvey build number => 7697
2009-11-18 18:53 user3760 Browser => Chrome, Firefox, IE
2009-11-18 18:53 user3760 Database & DB-Version => MS SQL - 138
2009-11-18 18:53 user3760 Operating System (Server) => Windows Server 2003
2009-11-18 18:53 user3760 Webserver => IIS 6
2009-11-18 18:53 user3760 PHP Version => 5
2009-11-19 00:57 user3760 Note Added: 10153
2009-11-19 07:50 user372 Note Added: 10156
2009-11-19 07:50 user372 Assigned To user372 => c_schmitz
2009-11-22 21:47 c_schmitz Note Added: 10210
2009-11-22 21:47 c_schmitz Status assigned => closed
2009-11-22 21:47 c_schmitz Resolution open => won't fix
2009-11-23 01:49 user3760 Note Added: 10212
2009-11-23 01:49 user3760 Status closed => feedback
2009-11-23 01:49 user3760 Resolution won't fix => reopened
2009-11-30 01:41 c_schmitz Note Added: 10320
2009-11-30 01:41 c_schmitz Status feedback => closed
2009-11-30 01:41 c_schmitz Resolution reopened => no change required
2010-10-25 00:18 c_schmitz Category Survey at Runtime => Survey taking