View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
14972 | Bug reports | _ Unknown | public | 2019-06-14 08:33 | 2024-11-22 16:08 |
Reporter | gfi_spiess | Assigned To | |||
Priority | high | Severity | minor | ||
Status | feedback | Resolution | open | ||
Product Version | 3.17.x | ||||
Summary | 14972: Ampersand will be translated into "&" | ||||
Description | If survey participants add firstname, lastname or more attributes like company names with an ampersand (&), this will be translated for example into “&”. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Bug heat | 12 | ||||
Complete LimeSurvey version number (& build) | 3.17.5 | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | Mozilla Firefox | ||||
Database type & version | MS SQL 2012 SP4 | ||||
Server OS (if known) | Red Hat Enterprise Linux Server Release 7.4 | ||||
Webserver software & version (if known) | Apache/2.4.6 | ||||
PHP Version | PHP 5.4.16 | ||||
Are you sure about the PHP version being used? According to https://manual.limesurvey.org/Installation_-_LimeSurvey_CE#Make_sure_you_can_use_LimeSurvey_on_your_website Limesurvey 3.x requires PHP 5.5 or later, you mentioned PHP v5.4. |
|
@DenisChenu, could this be related to the XSS filter? |
|
@Mazi : i don't know … try to deactivate XSS and check … |
|
@cdorin, FYI, this is an issue reported by one of our customers. |
|
WIll also test it on multiple instances and assign it accordingly. Thanks for the tag |
|
It is related to the XSS filter. If disabled, everything is fine. If enabled, the "&" is displayed |
|
|
|
Question : maybe we can deactivate XSS protection on attribute value ? Someone find a reason why it's added ? Attribute can be shown in Survey, but likle all user entered value if i don't make error ? Must find it was added, maybe there are a security reason … |
|
Any chance to get this finally fixed at the next release? |
|
Line apply XSS : https://github.com/LimeSurvey/LimeSurvey/blob/0479e3ff93ff1473a25c71e83cc011920b072b4c/application/models/Token.php#L358 Fixed here : https://github.com/LimeSurvey/LimeSurvey/commit/160b48a95f8bc5b9ac21d02c38720ac12092d9ce Added here : https://github.com/LimeSurvey/LimeSurvey/commit/aeead563c66883cc97a3e861ab1ce4e7fded9b97 Then linked with https://bugs.limesurvey.org/view.php?id=9840 I assign it to Carsten : in my opinion : XSS can be filtered in «out» : always encode token attribute in view, but not in in (when saved) |
|
@c_schmitz |
|
It is "fixed". Just disable the XSS filtering. |
|
We can't have both XSS filtering and leaving ampersand as-is. I argue this is already fixed, since the customer's desired behaviour is achieved if XSS filtering is disabled. |
|
@ollehar, from my point of view there is not really a solution. This is a larger company with many LS users, Most of them are no super admins but need to be able to enter names with special characters like "&" at the participant screen. |
|
Can't have both the cake and eat it. :| Maybe we can limit HTML escaping to '<' and '>'? If that would be enough to limit XSS. |
|
Here's a thread about it: https://stackoverflow.com/questions/39214564/why-ampersand-should-be-escaped-because-of-xss-injection Happy reading! |
|
Escaping & is correct. But how is showing & as the content instead of & relating to the stackoverflow article? The XSS filter is not used and complains about that "feature" is low. Most users are working with XSS filter off. Most Limesurvey installations have only 1-2 users, which are mostly having a user role, which never expose them to the XSS-filter. |
|
@ollhar, isn't this actually a matter of properly showing escaped "&" characters? Forgive my missing kniowledge about the escaping details and the like. I only follow up on the customer's request but it would be weird to not be able to enter "Olle & Team" as a token name or attribute detail. |
|
@CDorin Can you put priority on this? Or discuss it with Carsten during sprint planning. |
|
To proclaim the only superadmins can entering "&" into fields is a way, but how can anyone take that serious? The htmlfilter is removing &. Which should not be the case. |
|
html filter replace & by & amp; . Because when you show it insie html page it must be & amp ... The question is more : did firstname and lastname (and attributes) must be HTML fitered ? But : with {FIRSTNAME} {LASTNAME} : possible XSS.
I already have sample user access on some instance, and we can do a lot .... Question Why exactly it's an issue ? When you really need & in lastname ? |
|
The "&" is part of many company names in Germany. |
|
Yes, and when a string with & are shown in HTML it's always & amp; |
|
My opinion : the only issue is
|
|
To sum up: Correct, the issue hasn't changed since 2019-06-14. |
|
I think there are more potential issue without XSS when displaying in a HTML page (or an HTML email) |
|
I don't see a way to fix this - even displaying it correctly is a problem. Maybe a solution for affected people would be to have the XSS filter as a user-based setting. |
|
It can not be a setting for user : since it's a security settings : it must be an user rights setting. |
|
@c-schmitz: Even displaying is a problem? It's same as here in Mantis. I type & into this Notefield. |
|
The are NO issue when sending email in HTML format There are NO issue with {TOKEN:LASTNAME} usage See the screenshots ... |
|
Only real issue : when sending email as text (Survey setting : Use HTML format for token emails: to NO) |
|
Another way to fix it would be to see participants data generally as unsafe. That would mean we would XSS-filter it always on output. In the administration this is already done. For the survey taking part this could be also done. It will just be a problem for people who store data with HTML in their participants fields and want to show it in the survey (it would be no problem for E-mails). Question is if users do that (I bet there are) and how many they are. |
|
is totally false ! Please test before writing something : in fact & NEED to be escaped to be displayed in HTML See the screenshot at https://bugs.limesurvey.org/view.php?id=14972#c55897 |
|
Yes, I meant a user-based permission. |
|
Why not, but if user have XSS enabled : it must be filtered ...... The only issue is "Use HTML format for token emails: to NO" |
|
Yes, it is. To show it you would have to HTML decode it first, which means that you could introduce XSS in the administration. This is not just about the ampersand here, but about all critical characters. |
|
OK, so three measures here:
(Todo: I am not sure about that last point because someone out there is probably using participant data attributes to store URLs and such - also do not know who entered the data in the first place) These are significant changes, can only be implemented in 4.x. |
|
Must be when sending html email too .... |
|
|
|
It's only on the list ... This is not a real issue ... |
|
Sure, for HTML email it should also be automatically encoded. |
|
@jelo The screenshots are not faked, but the problem is deeper than you currently seem to realize. |
|
The funny thing is, that my understanding or misunderstanding is not important. Now I read: "It's only on the list ... This is not a real issue." The real issue might be implementing a ZeroTrust model inside LimeSurvey without making the user experience zero too. |
|
@jelo Yes, and I understand your user story. |
|
c_schmitz: There are more participants in this ticket than you. If you read all the notes the conclusion that it is intended behavior is not far fetched. To allow deactivating of XSS countermeasure to prevent showing & is not contradicting the intended behavior statement. But as cdorin is the product owner and ticket owner he can surely be able to sum it up after the next sprint. Thanks for your time. |
|
This is for me @jelo, not for @c_schmitz or @cdorin or any LimeSurvey team. And sorry : maybe the screenshot was about list, but text of issue are
It's not limited to list in the description. And in https://bugs.limesurvey.org/view.php?id=14972#c55867, i ask
You really need & decoded in list ? Really needed ? No, i don't think ... You really need to show "Your company are LimeSurvey & plugin" during survey : OK, no issue here. Encoded 1 is OK.... |
|
Anyway, discussion is finished. Solutions is in 14972:55904 |
|
Should I move this to new features? I believe I fixed a similar issue related to What's the priority? |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2019-06-14 08:33 | gfi_spiess | New Issue | |
2019-06-14 08:33 | gfi_spiess | File Added: datenausgabe.jpg | |
2019-06-14 08:33 | gfi_spiess | File Added: Dateneingabe.jpg | |
2019-06-14 09:00 | Mazi | Product Version | 3.12.x => 3.17.x |
2019-06-14 09:01 | Mazi | Note Added: 52411 | |
2019-06-14 09:03 | Mazi | Note Added: 52412 | |
2019-06-14 09:13 | DenisChenu | Note Added: 52413 | |
2019-06-24 13:16 | Mazi | Note Added: 52497 | |
2019-06-24 13:18 | cdorin | Note Added: 52498 | |
2019-06-24 14:15 | cdorin | Note Added: 52501 | |
2019-06-27 17:46 | cdorin | Assigned To | => dominikvitt |
2019-06-27 17:46 | cdorin | Status | new => assigned |
2019-06-27 18:02 | DenisChenu | Note Added: 52598 | |
2019-06-27 18:03 | DenisChenu | Note Added: 52599 | |
2019-07-15 11:41 |
|
Assigned To | dominikvitt => cdorin |
2019-08-08 17:16 | cdorin | Assigned To | cdorin => LimeBot |
2019-08-21 13:55 | Mazi | Note Added: 53217 | |
2019-08-21 17:14 | DenisChenu | Note Added: 53220 | |
2019-09-02 16:19 | Mazi | Note Added: 53391 | |
2020-01-31 10:03 | Mazi | Relationship added | related to 14113 |
2020-01-31 12:56 | ollehar | Priority | none => high |
2020-01-31 13:37 | ollehar | Note Added: 55583 | |
2020-01-31 13:38 | ollehar | Note Added: 55584 | |
2020-01-31 13:44 | ollehar | Status | assigned => feedback |
2020-01-31 14:59 | Mazi | Note Added: 55590 | |
2020-01-31 15:20 | ollehar | Note Added: 55592 | |
2020-01-31 15:21 | ollehar | Note Added: 55593 | |
2020-01-31 15:51 | jelo | Note Added: 55597 | |
2020-02-07 13:10 | Mazi | Note Added: 55804 | |
2020-02-11 15:15 | ollehar | Note Added: 55865 | |
2020-02-11 15:34 | jelo | Note Added: 55866 | |
2020-02-11 15:42 | DenisChenu | Note Added: 55867 | |
2020-02-11 15:43 | DenisChenu | Note Edited: 55867 | |
2020-02-11 15:54 | jelo | Note Added: 55868 | |
2020-02-11 16:03 | DenisChenu | Note Added: 55870 | |
2020-02-11 16:04 | DenisChenu | File Added: Capture d’écran du 2020-02-11 16-01-45.png | |
2020-02-11 16:04 | DenisChenu | File Added: Capture d’écran du 2020-02-11 16-02-03.png | |
2020-02-11 16:04 | DenisChenu | Note Added: 55871 | |
2020-02-11 16:53 | jelo | Note Added: 55872 | |
2020-02-11 17:13 | DenisChenu | Note Added: 55874 | |
2020-02-12 11:58 | c_schmitz | Note Added: 55894 | |
2020-02-12 11:59 | DenisChenu | Note Added: 55895 | |
2020-02-12 12:05 | jelo | Note Added: 55896 | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-01-28.png | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-01-52.png | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-02-14.png | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-02-28.png | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-04-10.png | |
2020-02-12 12:05 | DenisChenu | File Added: Capture d’écran du 2020-02-12 12-04-44.png | |
2020-02-12 12:05 | DenisChenu | Note Added: 55897 | |
2020-02-12 12:08 | DenisChenu | Note Added: 55898 | |
2020-02-12 12:08 | c_schmitz | Note Added: 55899 | |
2020-02-12 12:10 | DenisChenu | Note Added: 55900 | |
2020-02-12 12:10 | c_schmitz | Note Added: 55901 | |
2020-02-12 12:11 | DenisChenu | Note Added: 55902 | |
2020-02-12 12:13 | c_schmitz | Note Added: 55903 | |
2020-02-12 12:29 | c_schmitz | Note Edited: 55899 | |
2020-02-12 12:33 | c_schmitz | Note Added: 55904 | |
2020-02-12 12:34 | c_schmitz | Assigned To | LimeBot => cdorin |
2020-02-12 12:34 | c_schmitz | Status | feedback => confirmed |
2020-02-12 12:36 | c_schmitz | Note Edited: 55904 | |
2020-02-12 12:36 | c_schmitz | Note Edited: 55904 | |
2020-02-12 12:37 | DenisChenu | Note Added: 55906 | |
2020-02-12 12:37 | jelo | File Added: datenausgabeModfied.jpg | |
2020-02-12 12:37 | jelo | Note Added: 55907 | |
2020-02-12 12:39 | DenisChenu | Note Added: 55908 | |
2020-02-12 12:44 | c_schmitz | Note Edited: 55904 | |
2020-02-12 12:45 | c_schmitz | Note Added: 55909 | |
2020-02-12 12:46 | c_schmitz | Note Edited: 55909 | |
2020-02-12 12:49 | c_schmitz | Note Added: 55910 | |
2020-02-12 13:09 | jelo | Note Added: 55911 | |
2020-02-12 14:08 | c_schmitz | Note Added: 55912 | |
2020-02-12 14:43 | jelo | Note Added: 55915 | |
2020-02-12 15:17 | DenisChenu | Note Added: 55918 | |
2020-02-12 15:47 | c_schmitz | Note Added: 55923 | |
2020-02-12 15:48 | c_schmitz | Note Edited: 55923 | |
2020-02-21 14:52 | cdorin | Assigned To | cdorin => |
2021-03-04 17:54 | ollehar | Note Added: 62734 | |
2021-03-04 17:54 | ollehar | Assigned To | => ollehar |
2021-03-04 17:54 | ollehar | Status | confirmed => feedback |
2021-03-22 22:10 | c_schmitz | Sync to Zoho Project | => |Yes| |
2021-03-25 17:42 | c_schmitz | Note Edited: 55904 | |
2021-03-25 17:42 | c_schmitz | Note Edited: 55904 | |
2021-06-07 08:51 | c_schmitz | Note Edited: 55904 | |
2021-06-07 08:54 | c_schmitz | Note Edited: 55904 | |
2024-11-22 16:08 | ollehar | Assigned To | ollehar => |