View Issue Details

ID: 08476
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2014-01-19 17:59
Reporter: abezverkhyy
Assigned To: abezverkhyy
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Fixed in Version: 2.05+
Summary08476: open invite registration form doesn't allow quotes or dashes in people's names
Description

Open invite registration form doesn't allow quotes or dashes in people's names whereas this is quite common in some languages.
I don't see any XSS or security risk involved in allowing dashes or quotes in names.

Steps To Reproduce

Make a survey with open registrations.
Try to register with names like "O'neil" or "Jean-Pierre".
In the token table they will appear as "Oneil" and "JeanPierre".

Additional Information

Proposed patch:

diff --git a/application/helpers/sanitize_helper.php b/application/helpers/sanitize_helper.php
index 45a545a..f5dac16 100644
--- a/application/helpers/sanitize_helper.php
+++ b/application/helpers/sanitize_helper.php
@@ -185,7 +185,7 @@ function sanitize_xss_string($string)
{
if (isset($string))
{

  • $bad = array ('*','^','&','\'',';','\"','(',')','%','$','?');
  • $bad = array ('*','^','&',';','\"','(',')','%','$','?');
    return str_replace($bad, '',$string);
    }
    }
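Review bot: the hunk only removes the `'\''` entry from `$bad`; no dash appears in the original list, so the "Jean-Pierre" -> "JeanPierre" case in the report is not explained or fixed by this change and the dash must be stripped somewhere else. Also, `'\"'` inside a single-quoted PHP literal is the two-character sequence backslash plus double quote, not a bare `"`, so that entry never removes a lone double quote; if the intent is to strip `"`, it should read `'"'`. Since this is a shared helper rather than the registration form itself, every other caller of sanitize_xss_string() also starts receiving quotes after this patch; the safe way to keep quotes in names is to confirm that each place a name is rendered (HTML text, attribute values, JavaScript) encodes it for that context, for example htmlspecialchars() with ENT_QUOTES, rather than relying on this character blacklist.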

Please tell me if I can commit it.
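As an added illustration, not LimeSurvey code: the two blacklists from the proposed patch re-typed as standalone functions (named strip_blacklist_before and strip_blacklist_after here), beside context-aware output encoding, run over the names from the report plus one constructed name containing markup. It shows that the blacklist removes the apostrophe but leaves the dash and angle brackets untouched, while encoding on output keeps the name intact and neutralises the markup.

```php
<?php
// Added example, not LimeSurvey code. It reproduces the before/after behaviour of the
// character blacklist quoted in the report and contrasts it with output encoding,
// which is where a quote in a name should be made safe for HTML rather than deleted.

// Blacklist as it appears before the patch. Note: in a single-quoted PHP string '\"'
// is the two characters backslash + double quote, so a bare " is not removed by it.
function strip_blacklist_before(string $s): string
{
    $bad = array('*', '^', '&', '\'', ';', '\"', '(', ')', '%', '$', '?');
    return str_replace($bad, '', $s);
}

// Blacklist after the proposed patch: the single quote is no longer removed.
// No dash is in either list, so "Jean-Pierre" is not changed by this function.
function strip_blacklist_after(string $s): string
{
    $bad = array('*', '^', '&', ';', '\"', '(', ')', '%', '$', '?');
    return str_replace($bad, '', $s);
}

// Output encoding for an HTML text node or a quoted attribute value. ENT_QUOTES
// covers both ' and ", so the stored name can keep every character it was given.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample names: the two from the report plus one carrying HTML markup,
// which neither blacklist touches because < and > are not in the list.
$names = ["O'neil", 'Jean-Pierre', '<b>Bob</b>'];
foreach ($names as $n) {
    printf("%-14s before=%-14s after=%-14s encoded=%s\n",
        $n, strip_blacklist_before($n), strip_blacklist_after($n), html_encode($n));
}
```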

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): c51d934
I will donate to the project if issue is resolved: No
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant


Activities

c_schmitz (administrator), 2013-12-19 21:42, ~27670

Please do.

abezverkhyy (reporter), 2014-01-10 17:01, ~27825

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13672

c_schmitz (administrator), 2014-01-19 17:59, ~28011

Please set the issue to resolved next time after patching it.
Thank you!

Related Changesets

LimeSurvey: master 67ce0a2e
Date: 2014-01-10 15:59:20
Author: abezverkhyy
Commit message: Fixed issue 08476: there is no reason to wipe quote and dash characters from people names, in many countries this is a valid character and there is no XSS risk.
Affected Issues: 08476
Files: mod - application/helpers/sanitize_helper.php

Issue History

Date Modified Username Field Change
2013-12-19 18:25 abezverkhyy New Issue
2013-12-19 21:42 c_schmitz Assigned To => abezverkhyy
2013-12-19 21:42 c_schmitz Status new => assigned
2013-12-19 21:42 c_schmitz Note Added: 27670
2014-01-10 17:01 abezverkhyy Changeset attached => LimeSurvey master 67ce0a2e
2014-01-10 17:01 abezverkhyy Note Added: 27825
2014-01-10 17:01 abezverkhyy Resolution open => fixed
2014-01-19 17:59 c_schmitz Note Added: 28011
2014-01-19 17:59 c_schmitz Status assigned => closed
2014-01-19 17:59 c_schmitz Fixed in Version => 2.05+