View Issue Details

ID: 09260
Project: Bug reports
Category: Security
View Status: public
Last Update: 2014-11-27 15:10
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.06+
Fixed in Version: 2.06+
Summary: 09260: XSS in browse response
Description

Look at screen, same as an old issue.

Steps To Reproduce

Import the included LSA and browse

Additional Information

Seems part of the merge is from 2012: https://github.com/LimeSurvey/LimeSurvey/blob/2.06/scripts/admin/listresponse.js#L1

We have to fix XSS for text, for upload files to . Any other?

Tags: No tags attached.
Attached Files
Bug heat: 252
Complete LimeSurvey version number (& build): 140926
I will donate to the project if issue is resolved: No
Browser: FF32
Database type & version: mysql
Server OS (if known): debian/linux
Webserver software & version (if known): apache
PHP Version: PHP Version 5.4.4

Relationships

child of 09207 (closed, DenisChenu): Port new response search/filter feature to Limesurvey 2.06

Activities

DenisChenu

2014-10-02 12:06

developer   ~30727

https://github.com/Shnoulle/LimeSurvey-shnoulle/commit/a499de8a5362205cb2ab6593c86a231362ac9247

DenisChenu

2014-11-27 00:37

developer   ~31118

Fix committed to 2.06 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14667

DenisChenu

2014-11-27 00:37

developer   ~31119

Fix XSS, some js and css and permission

Related Changesets

LimeSurvey: 2.06 325f4f55

2014-11-26 23:36:43

DenisChenu

Fixed issue 09260: XSS in browse response
Fixed issue: awful screen for browse responses
Dev: default permission search is read (just to do: Permission::model()->hasGlobalPermission('superadmin') :) )
Dev: header and footer of jqgrid is always shown completely on screen (if you don't resize the window?)
Dev: Use .tooltip from jquery-ui in jqgrid table: todo: test with more column? tested with big example file
Affected Issues
09207, 09260
mod - application/controllers/admin/responses.php
mod - application/helpers/common_helper.php
mod - application/models/Permission.php
mod - scripts/admin/listresponse.js
mod - styles/adminstyle.css

Issue History

Date Modified Username Field Change
2014-09-26 16:22 DenisChenu New Issue
2014-09-26 16:22 DenisChenu File Added: survey_archive_975921.lsa
2014-09-26 16:22 DenisChenu File Added: Capture du 2014-09-26 16:19:45.png
2014-09-26 16:22 DenisChenu File Added: Capture du 2014-09-26 16:20:04.png
2014-09-30 11:45 DenisChenu Assigned To => DenisChenu
2014-09-30 11:45 DenisChenu Status new => assigned
2014-10-02 10:40 DenisChenu Assigned To DenisChenu =>
2014-10-02 10:40 DenisChenu Status assigned => new
2014-10-02 10:40 Mazi Relationship added related to 09207
2014-10-02 10:41 DenisChenu Relationship replaced child of 09207
2014-10-02 12:06 DenisChenu Note Added: 30727
2014-11-16 13:30 DenisChenu Assigned To => Mazi
2014-11-16 13:30 DenisChenu Status new => assigned
2014-11-26 10:55 DenisChenu Assigned To Mazi => DenisChenu
2014-11-27 00:37 DenisChenu Changeset attached => LimeSurvey 2.06 325f4f55
2014-11-27 00:37 DenisChenu Note Added: 31118
2014-11-27 00:37 DenisChenu Resolution open => fixed
2014-11-27 00:37 DenisChenu Note Added: 31119
2014-11-27 00:37 DenisChenu Status assigned => resolved
2014-11-27 00:37 DenisChenu Fixed in Version => 2.06+
2014-11-27 15:10 c_schmitz Status resolved => closed