View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
07781 | Bug reports | Security | public | 2013-04-20 21:03 | 2013-04-23 09:09 |
Reporter | ubuntourist | Assigned To | c_schmitz | ||
Priority | high | Severity | partial_block | ||
Status | closed | Resolution | not fixable | ||
Product Version | 2.00+ | ||||
Summary | 07781: `<video>`, `<source>` and `<track>` tags stripped from questions | ||||
Description | `<video>`, `<source>` and `<track>` tags inserted via the "Source" button in the question editor are replaced with a non-breakable space entity (`&nbsp;`) for all users except the super-administrator. For the super-administrator, it misunderstands the `<source>` tag and inserts additional copies of the tag. | ||||
Steps To Reproduce | Create a question as the site admin. Switch to "Source". Insert something like: `<video controls="controls"` It should "work" but add in bogus extra `<source>` tags. Repeat the insert as another user. It should fail and give a `<p> </p>` in place of the above. | ||||
Additional Information | According to tpartner in the forum, this is at least in part related to the global "Filter HTML for XSS" setting. I didn't know how to categorize, but based on that, I put it in "Security". | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Bug heat | 256 | ||||
Complete LimeSurvey version number (& build) | 130406 | ||||
I will donate to the project if issue is resolved | Yes | ||||
Browser | Google Chrome (and others) | ||||
Database type & version | PostgreSQL 8.4.13 | ||||
Server OS (if known) | Red Hat Enterprise Linux (RHEL) 6 | ||||
Webserver software & version (if known) | Apache 2.2.15 | ||||
PHP Version | 5.3.3 | ||||
The misunderstanding of the `<source>` tag is apparently a separate issue, and I have filed a separate bug report for it. (It still messes up, albeit slightly differently, when the "Filter HTML for XSS" is turned off, which allows normal users to enter the `<video>`, `<source>`, and `<track>` elements.)

As tpartner already said: It is not a bug but you can just deactivate 'Filter HTML for XSS' in global settings.

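
The behaviour reported above is what an allowlist-based HTML filter does with elements it does not know. The sketch below is an added example, not LimeSurvey code: it assumes an allowlist design (the page does not say how "Filter HTML for XSS" works internally), and the allowlists, `safe_url` and `sanitize` are hypothetical names. It shows the media elements disappearing under a base allowlist, and a narrower alternative to disabling filtering globally: allowing only `video`, `source` and `track` while still dropping event-handler attributes and non-http(s) URLs.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists: assumptions for illustration, not LimeSurvey's real rules.
BASE = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
MEDIA = {"video": {"controls", "width", "height", "poster"},
         "source": {"src", "type"},
         "track": {"src", "kind", "srclang", "label", "default"}}
URL_ATTRS = {"href", "src", "poster"}
VOID = {"img", "source", "track"}  # elements that take no closing tag

def safe_url(value):  # accept relative and http(s) URLs only
    try:
        return urlsplit(value.strip()).scheme.lower() in ("", "http", "https")
    except ValueError:
        return False

class AllowlistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # unknown element: the tag is dropped, its text is kept
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in self.allowed[tag] and (name not in URL_ATTRS or safe_url(value)):
                kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, allowed):
    parser = AllowlistFilter(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, modelled on the markup named in the report.
SAMPLE = ('<p>Watch:</p><video controls="controls" onerror="x()"><source src="clip.mp4" '
          'type="video/mp4"><track src="subs.vtt" kind="subtitles">No video support.</video>')
```

`sanitize(SAMPLE, BASE)` removes the three media tags and keeps only the paragraph and fallback text; `sanitize(SAMPLE, {**BASE, **MEDIA})` keeps the player markup but not the `onerror` attribute.
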
Date Modified | Username | Field | Change |
---|---|---|---|
2013-04-20 21:03 | ubuntourist | New Issue | |
2013-04-20 23:12 | ubuntourist | Issue Monitored: ubuntourist | |
2013-04-20 23:45 | ubuntourist | File Added: limesurvey_survey_563849.lss | |
2013-04-20 23:51 | ubuntourist | Note Added: 25004 | |
2013-04-23 09:09 | c_schmitz | Note Added: 25055 | |
2013-04-23 09:09 | c_schmitz | Status | new => closed |
2013-04-23 09:09 | c_schmitz | Assigned To | => c_schmitz |
2013-04-23 09:09 | c_schmitz | Resolution | open => not fixable |
2021-08-18 11:58 | guest | Bug heat | 254 => 256 |