Hello.

We have found that when the XSS filter is activated users cannot insert videos, even if they are imported in LS.

We are using version 3.17.1

Is this a normal behaviour ?
I can't deactivate the XSS filter globally since there are many users, is there a way around this ?

Thank you for your help.

LarryF wrote: Is this a normal behaviour?

As far as I have followed discussions about the XSS concept and developer opinons, this can be seen as intended behaviour for LimeSurvey. I still find that strange. But developers want to ease the filter issues with a control on userlevel.

No,

I think viodeo is allowed even with XSS. I think you can report the issue

DenisChenu wrote: I think you can report the issue

A report uploaded videos inside LimeSurvey not running without XSS disabled is open since 2017.
bugs.limesurvey.org/view.php?id=12560

I don't follow these XSS issues closely, cause I never have issues with XSS (cause the filter is disabled).

Thanks for your answers.

jelo wrote: But developers want to ease the filter issues with a control on userlevel.

Do you know if this has been implemented in the 4.x ?

jelo wrote:

DenisChenu wrote: I think you can report the issue

A report uploaded videos inside LimeSurvey not running without XSS disabled is open since 2017.
bugs.limesurvey.org/view.php?id=12560

I don't follow these XSS issues closely, cause I never have issues with XSS (cause the filter is disabled).

Yes, and the issue was not closed …

LarryF wrote: Do you know if this has been implemented in the 4.x ?

I don't know. XSS filter concept is constantly discussed.
E.g. bugs.limesurvey.org/view.php?id=15096

I still don't see LS4 ready for production level usage.

Your user case is to allow people to upload video/audio files into LimeSurvey and conduct surveys with working videos/audio files.

The funny thing is, that LS4 restricts access to the filemanager to superadmins.

You cannot upload videos and audio files anymore - that's what I will put down (at least not easily via GUI).
I cannot recreate the other issue: to access file manager, you must be superadmin.

bugs.limesurvey.org/view.php?id=15935#c56307


Personally I don't see LimeSurvey 3/4 very suitable for a multi-user-environment, where users can only be trusted limited.

Well that's a bummer.

We'll just have to work around it while it's still a feature.

Thanks again.