09300: XSS protection or variable substitution breaks links or other elements that contain variable substitutions

This bug affects 1 person(s).

254

ID	Project	Category	View Status	Date Submitted	Last Update

09300	Bug reports	Security	public	2014-10-13 16:17	2022-07-05 09:07

Reporter	DLange	Assigned To	DenisChenu
Priority	normal	Severity	minor
Status	closed	Resolution	fixed
Product Version	2.05+
Fixed in Version	2.05+

Summary	09300: XSS protection or variable substitution breaks links or other elements that contain variable substitutions
Description	Things like <a href="/upload/surveys/{SID}/Report.pdf" target="_blank"><img alt="Workshop report" src="/upload/surveys/{SID}/images/Visual_Report.jpg" style="width:400px;height:200px;" title="Report" /></a> are broken by the Anti-XSS stripping or the Variable substitution. In the latter case it is similar to bug 09293
Steps To Reproduce	Create query. Put HTML from description above into a Text element (source edit mode). Save as non-Superadmin with XSS protection enabled -> Code gets truncated.
Additional Information	Testcase on http://demo.limesurvey.org/index.php?r=survey/index/sid/889276/newtest/Y/lang/en Use as non-admin user to check the corruption.
Tags	No tags attached.

Bug heat	254
Complete LimeSurvey version number (& build)	2.05+ (141003)
I will donate to the project if issue is resolved	No
Browser	any
Database type & version	MySQL
Server OS (if known)	Linux
Webserver software & version (if known)	Apache/PHP
PHP Version	5.4.4

User List	There are no users monitoring this issue.

DenisChenu 2014-10-15 09:07 developer ~30798	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14571

DenisChenu 2014-10-15 09:09 developer ~30799	This method are allowed now. Due to url encoding and XSS with { in url, must make a choice. Only {QCODE} (or {SID} ) can be used in URL with XSS activated. See : http://manual.limesurvey.org/Expression_Manager#XSS_security

c_schmitz 2014-10-20 13:49 administrator ~30825	Version 2.05+ Build 141020 released

LimeSurvey: master 73b4a00a 2014-10-15 09:07 DenisChenu Details Diff	Fixed issue 09300: XSS protection or variable substitution breaks links with variable substitutions Dev: adding some manual : http://manual.limesurvey.org/Expression_Manager#XSS_security Dev: some EM method still can not be used		Affected Issues 09300
	mod - application/core/LSYii_Validators.php		Diff File

Date Modified	Username	Field	Change
2014-10-13 16:17	DLange	New Issue
2014-10-13 23:05	c_schmitz	Assigned To	=> DenisChenu
2014-10-13 23:05	c_schmitz	Status	new => assigned
2014-10-15 09:07	DenisChenu	Changeset attached	=> LimeSurvey master 73b4a00a
2014-10-15 09:07	DenisChenu	Note Added: 30798
2014-10-15 09:07	DenisChenu	Resolution	open => fixed
2014-10-15 09:09	DenisChenu	Note Added: 30799
2014-10-15 09:09	DenisChenu	Status	assigned => resolved
2014-10-15 09:09	DenisChenu	Fixed in Version	=> 2.05+
2014-10-20 13:49	c_schmitz	Note Added: 30825
2014-10-20 13:49	c_schmitz	Status	resolved => closed
2022-07-05 09:07	DenisChenu	Relationship added	parent of 18236

parent of	18236	confirmed		XSS: Unable to use attribute in URL
Not all the children of this issue are yet resolved or closed.