View Issue Details

ID: 07781
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2013-04-23 09:09
Reporter: ubuntourist
Assigned To: c_schmitz
Status: closed
Resolution: not fixable
Product Version: 2.00+
Target Version:
Fixed in Version:
Summary: 07781: <video>, <source> and <track> tags stripped from questions
Description: <video>, <source> and <track> tags inserted via the "Source" button in the question editor are replaced with a non-breakable space entity (&nbsp;) for all users except the super-administrator.

For the super-administrator, it misunderstands the <source> tag and inserts additional copies of the tag.
Steps To Reproduce: Create a question as the site admin. Switch to "Source". Insert something like:

<video controls="controls"
       height="432" width="768"
<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source>
<track default="default"

It should "work" but add in bogus extra <source> tags.

Repeat the insert as another user. It should fail and give a


in place of the above.
Additional Information: According to tpartner in the forum, this is at least in part related to the global "Filter HTML for XSS" setting. I didn't know how to categorize, but based on that, I put it in "Security".
Tags: No tags attached.
Complete LimeSurvey version number (& build): 130406
I will donate to the project if issue is resolved: Yes
Browser: Google Chrome (and others)
Database & DB-Version: PostgreSQL 8.4.13
Operating System (Server): Red Hat Enterprise Linux (RHEL) 6
Webserver software & version: Apache 2.2.15
PHP Version: 5.3.3




2013-04-20 23:45


limesurvey_survey_563849.lss (13,450 bytes)


2013-04-20 23:51

reporter   ~25004

The misunderstanding of the <source> tag is apparently a separate issue, and I have filed a separate bug report for it.

(It still messes up, albeit slightly differently, when the "Filter HTML for XSS" is turned off, which allows normal users to enter the <video>, <source>, and <track> elements.)


2013-04-23 09:09

administrator   ~25055

As tpartner already said: It is not a bug but you can just deactivate 'Filter HTML for XSS' in global settings.

Issue History

Date Modified Username Field Change
2013-04-20 21:03 ubuntourist New Issue
2013-04-20 23:45 ubuntourist File Added: limesurvey_survey_563849.lss
2013-04-20 23:51 ubuntourist Note Added: 25004
2013-04-23 09:09 c_schmitz Note Added: 25055
2013-04-23 09:09 c_schmitz Status new => closed
2013-04-23 09:09 c_schmitz Assigned To => c_schmitz
2013-04-23 09:09 c_schmitz Resolution open => not fixable
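
How an allowlist-based HTML filter gives the result described in this report, as an added example that is not LimeSurvey code: an allowlist without the HTML5 media elements removes the reported markup entirely, while one extended with `video`, `source` and `track` keeps it and still drops script and event-handler attributes. The tag lists, the names `sanitize`, `safe_url` and `AllowlistFilter`, and the sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists, constructed for this example (tag -> permitted attributes).
LEGACY = {"p": set(), "b": set(), "a": {"href"}, "img": {"src", "alt"}}
MEDIA = {"video": {"controls", "height", "width"}, "source": {"src", "type"},
         "track": {"src", "kind", "srclang", "label", "default"}}
URL_ATTRS = {"href", "src"}
VOID = {"img", "source", "track"}   # elements that take no end tag
DROP_CONTENT = {"script", "style"}  # removed together with their text
# Constructed sample input modelled on the markup quoted in the report.
SAMPLE = ('<video controls="controls" height="432" width="768" onplay="x()">'
          '<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source>'
          '<track default="default"></video><script>x()</script>')

def safe_url(value):
    # Relative and http(s) URLs only; whitespace and control characters are removed first.
    match = re.match(r"([a-z][a-z0-9+.\-]*):", re.sub(r"[\x00-\x20]", "", value), re.I)
    return match is None or match.group(1).lower() in ("http", "https")

class AllowlistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in self.allowed:
            return  # element not on the allowlist: the tag itself is dropped
        kept = [(k, k if v is None else v) for k, v in attrs if k in self.allowed[tag]
                and (k not in URL_ATTRS or safe_url(v or ""))]
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, escape(v)) for k, v in kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.allowed and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append("" if self.skip else escape(data, quote=False))

def sanitize(html, allowed):
    parser = AllowlistFilter(allowed)
    parser.feed(html)
    parser.close()  # flush any text the parser is still buffering
    return "".join(parser.out)
```

`sanitize(SAMPLE, LEGACY)` returns an empty string, and `sanitize(SAMPLE, {**LEGACY, **MEDIA})` returns the media markup without the `onplay` attribute or the script element.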