View Issue Details

ID: 07781
Project: Bug reports
Category: Security
View Status: public
Last Update: 2013-04-23 09:09
Reporter: ubuntourist
Assigned To: c_schmitz
Priority: high
Severity: partial_block
Status: closed
Resolution: not fixable
Product Version: 2.00+
Summary: 07781: <video>, <source> and <track> tags stripped from questions
Description

<video>, <source> and <track> tags inserted via the "Source" button in the question editor are replaced with a non-breakable space entity (&nbsp;) for all users except the super-administrator.

For the super-administrator, it misunderstands the <source> tag and inserts additional copies of the tag.

Steps To Reproduce

Create a question as the site admin. Switch to "Source". Insert something like:

<video controls="controls"
data-timeline-sources="/Video/ASL_Over_iPhone.vtt"
height="432" width="768"
poster="/images/image.jpg"
preload="metadata">
<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source>
<track default="default"
kind="captions"
label="English"
src="/Video/ASL_Over_iPhone.vtt"
srclang="en"></track>
</video>

It should "work" but add in bogus extra <source> tags.

Repeat the insert as another user. It should fail and give a <p>&nbsp;</p> in place of the above.

Additional Information

According to tpartner in the forum, this is at least in part related to the global "Filter HTML for XSS" setting. I didn't know how to categorize, but based on that, I put it in "Security".

Tags: No tags attached.
Attached Files
Bug heat: 256
Complete LimeSurvey version number (& build): 130406
I will donate to the project if issue is resolved: Yes
Browser: Google Chrome (and others)
Database type & version: PostgreSQL 8.4.13
Server OS (if known): Red Hat Enterprise Linux (RHEL) 6
Webserver software & version (if known): Apache 2.2.15
PHP Version: 5.3.3

Users monitoring this issue

ubuntourist

Activities

ubuntourist

2013-04-20 23:51

reporter   ~25004

The misunderstanding of the <source> tag is apparently a separate issue, and I have filed a separate bug report for it.

(It still messes up, albeit slightly differently, when the "Filter HTML for XSS" is turned off, which allows normal users to enter the <video>, <source>, and <track> elements.)

c_schmitz

2013-04-23 09:09

administrator   ~25055

As tpartner already said: It is not a bug but you can just deactivate 'Filter HTML for XSS' in global settings.
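
Added example (not part of the thread and not LimeSurvey's code): a small allowlist HTML filter, assuming the "Filter HTML for XSS" setting behaves as an allowlist. It shows why unlisted <video>, <source> and <track> elements vanish, and how listing them keeps the markup while script elements, event-handler attributes and non-http(s) URLs are still dropped. The tag and attribute lists and all names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists: assumptions for illustration, not LimeSurvey's filter config.
BASE_ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
MEDIA_ALLOWED = {
    "video": {"controls", "height", "width", "poster", "preload"},
    "source": {"src", "type"},
    "track": {"default", "kind", "label", "src", "srclang"}}
URL_ATTRS = {"href", "src", "poster"}
VOID = {"source", "track"}  # elements that take no end tag
# Constructed sample: the markup from the report, shortened.
REPORT_SNIPPET = ('<video controls="controls" poster="/images/image.jpg">'
                  '<source src="/Video/ASL_Over_iPhone.webm" type="video/webm"></source></video>')

def safe_url(value):
    # Allow site-relative paths and http(s) only; rejects javascript:, data:, //host.
    v = (value or "").strip().lower()
    return (v.startswith("/") and not v.startswith("//")) or v.startswith(("http://", "https://"))

class AllowlistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # drop the element together with its text content
        if self.skip or tag not in self.allowed:
            return  # unlisted tag: the markup is dropped, text content is kept
        kept = [(k, v) for k, v in attrs
                if k in self.allowed[tag] and (k not in URL_ATTRS or safe_url(v))]
        self.out.append("<" + tag + "".join(f' {k}="{escape(v or k)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize(html, allowed):
    parser = AllowlistFilter(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out).strip()
```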

Issue History

Date Modified Username Field Change
2013-04-20 21:03 ubuntourist New Issue
2013-04-20 23:12 ubuntourist Issue Monitored: ubuntourist
2013-04-20 23:45 ubuntourist File Added: limesurvey_survey_563849.lss
2013-04-20 23:51 ubuntourist Note Added: 25004
2013-04-23 09:09 c_schmitz Note Added: 25055
2013-04-23 09:09 c_schmitz Status new => closed
2013-04-23 09:09 c_schmitz Assigned To => c_schmitz
2013-04-23 09:09 c_schmitz Resolution open => not fixable
2021-08-18 11:58 guest Bug heat 254 => 256