View Issue Details

ID: 08194
Project: Bug reports
Category: Survey editing
View Status: public
Last Update: 2013-09-29 15:27
Reporter: random1
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.00+
Fixed in Version: 2.00+
Summary: 08194: mailto URLs in questions are removed by XSS filter
Description

When using mailto URLs in question texts as a non-admin user, the link gets removed by the XSS filter when saving the question.

Question texts are purified twice, first in the controller and then in the model. In application/controllers/admin/database.php, there is a CHtmlPurifier in function index, which only allows "http" and "https" URI schemes, so "mailto" gets stripped. In application/core/LSYii_Validators.php, "mailto" is one of the allowed URI schemes, so from the model's viewpoint mailto would be ok. Adding mailto to the CHtmlPurifier in database.php solves the problem (maybe the other schemes should be added there as well).

Tags: No tags attached.
Bug heat: 2
Complete LimeSurvey version number (& build): 130923
I will donate to the project if issue is resolved: No
Browser: (not given)
Database type & version: PostgreSQL, 164
Server OS (if known): Linux
Webserver software & version (if known): Apache 2.2
PHP Version: 5.3.3
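The double purification described in the report, reproduced as an added example (this is not LimeSurvey code and not the reporter's). It drives HTML Purifier directly rather than through Yii's CHtmlPurifier, which is a thin wrapper that hands its `options` array to HTMLPurifier_Config in the same way. Assumptions: HTML Purifier is installed via Composer under `vendor/`, the helper names `makePurifier` and `purifyTwice` are invented here, and the model-side scheme list is modelled as `http`, `https`, `mailto` only, because the report confirms `mailto` is allowed in LSYii_Validators but does not enumerate the rest.

```php
<?php
// Added example, not LimeSurvey's own code. Assumes HTML Purifier
// (ezyang/htmlpurifier) is available through Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier that accepts only the given URI schemes in href/src.
 * HTML Purifier drops the href of any anchor whose scheme is not listed,
 * which is what the reporter observed for mailto: with an http/https-only list.
 */
function makePurifier(array $schemes): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $allowed = [];
    foreach ($schemes as $scheme) {
        $allowed[$scheme] = true;
    }
    $config->set('URI.AllowedSchemes', $allowed);
    // No definition cache, so the script runs without a writable cache directory.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

/**
 * Mirror the two-pass flow from the report: the controller purifies first
 * (database.php), then the model validator purifies again (LSYii_Validators).
 * A link survives only if both scheme lists accept it.
 */
function purifyTwice(HTMLPurifier $controller, HTMLPurifier $model, string $html): string
{
    return $model->purify($controller->purify($html));
}

// Constructed sample question text, as a non-admin survey editor might type it.
$question = 'Questions? Contact <a href="mailto:survey@example.org">the team</a> '
    . 'or read <a href="https://example.org/help">the help page</a>. '
    . '<a href="javascript:alert(1)">this must never survive</a>';

// Model-side list (assumed: the report only confirms that mailto is allowed there).
$model = makePurifier(['http', 'https', 'mailto']);

// Controller before the fix: http and https only, so mailto is stripped on pass one.
$controllerBefore = makePurifier(['http', 'https']);

// Controller after the fix: mailto added, matching the model's list.
$controllerAfter = makePurifier(['http', 'https', 'mailto']);

echo "before fix: ", purifyTwice($controllerBefore, $model, $question), PHP_EOL;
echo "after fix:  ", purifyTwice($controllerAfter, $model, $question), PHP_EOL;
```

Two practical points follow from this. First, the stricter of the two scheme lists wins, so whenever one of them is changed the other has to be reviewed, otherwise a scheme will silently be dropped on one pass even though the other allows it. Second, the reporter's suggestion to copy the remaining schemes into the controller is reasonable only for schemes that cannot carry script; `javascript:` and the like belong in neither list, and the `javascript:alert(1)` anchor in the sample text is there to confirm that widening the list to `mailto` does not let it through.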


Activities

c_schmitz (administrator), 2013-09-26 23:53, ~26393

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13088

c_schmitz (administrator), 2013-09-26 23:55, ~26394

Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13089

c_schmitz (administrator), 2013-09-29 15:27, ~26426

Version 2.00+ Build 130929 released

Related Changesets

LimeSurvey: master b5b099c4
2013-09-26 21:53:43, c_schmitz
Fixed issue 08194: Mailto: URLs in questions are removed by XSS filter
Affected Issues: 08194
mod - application/controllers/admin/database.php

LimeSurvey: 2.05 7159074c
2013-09-26 21:53:43, c_schmitz
Fixed issue 08194: Mailto: URLs in questions are removed by XSS filter
Affected Issues: 08194
mod - application/controllers/admin/database.php

Issue History

Date Modified | Username | Field | Change
2013-09-26 15:51 random1 New Issue
2013-09-26 23:48 c_schmitz Assigned To => c_schmitz
2013-09-26 23:48 c_schmitz Status new => assigned
2013-09-26 23:53 c_schmitz Status assigned => resolved
2013-09-26 23:53 c_schmitz Fixed in Version => 2.00+
2013-09-26 23:53 c_schmitz Resolution open => fixed
2013-09-26 23:53 c_schmitz Changeset attached => LimeSurvey master b5b099c4
2013-09-26 23:53 c_schmitz Note Added: 26393
2013-09-26 23:55 c_schmitz Changeset attached => LimeSurvey 2.05 7159074c
2013-09-26 23:55 c_schmitz Note Added: 26394
2013-09-29 15:27 c_schmitz Note Added: 26426
2013-09-29 15:27 c_schmitz Status resolved => closed
2019-11-01 17:25 c_schmitz Category Survey design => Survey editing