XSS filter blocking videos from inside LimeSurvey

1 month 3 weeks ago #199456 by LarryF
Hello.

We have found that when the XSS filter is activated users cannot insert videos, even if they are imported in LS.

We are using version 3.17.1

Is this a normal behaviour?
I can't deactivate the XSS filter globally since there are many users, is there a way around this?

Thank you for your help.

1 month 3 weeks ago #199479 by jelo

LarryF wrote: Is this a normal behaviour?

As far as I have followed discussions about the XSS concept and developer opinions, this can be seen as intended behaviour for LimeSurvey. I still find that strange. But developers want to ease the filter issues with a control on userlevel.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

1 month 3 weeks ago #199503 by DenisChenu
No,

I think video is allowed even with XSS. I think you can report the issue.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development. I don't answer to private message.

1 month 3 weeks ago #199518 by jelo

DenisChenu wrote: I think you can report the issue

A report uploaded videos inside LimeSurvey not running without XSS disabled is open since 2017.
bugs.limesurvey.org/view.php?id=12560

I don't follow these XSS issues closely, cause I never have issues with XSS (cause the filter is disabled).

1 month 3 weeks ago #199525 by LarryF
Thanks for your answers.

jelo wrote: But developers want to ease the filter issues with a control on userlevel.

Do you know if this has been implemented in the 4.x?

1 month 3 weeks ago #199528 by DenisChenu

jelo wrote:

DenisChenu wrote: I think you can report the issue

A report uploaded videos inside LimeSurvey not running without XSS disabled is open since 2017.
bugs.limesurvey.org/view.php?id=12560

I don't follow these XSS issues closely, cause I never have issues with XSS (cause the filter is disabled).

Yes, and the issue was not closed …

1 month 3 weeks ago #199533 by jelo

LarryF wrote: Do you know if this has been implemented in the 4.x ?

I don't know. XSS filter concept is constantly discussed.
E.g. bugs.limesurvey.org/view.php?id=15096

I still don't see LS4 ready for production level usage.

Your user case is to allow people to upload video/audio files into LimeSurvey and conduct surveys with working videos/audio files.

The funny thing is, that LS4 restricts access to the filemanager to superadmins.

You cannot upload videos and audio files anymore - that's what I will put down (at least not easily via GUI).
I cannot recreate the other issue: to access file manager, you must be superadmin.

bugs.limesurvey.org/view.php?id=15935#c56307


Personally I don't see LimeSurvey 3/4 very suitable for a multi-user-environment, where users can only be trusted limited.

The following user(s) said Thank You: LarryF

1 month 3 weeks ago #199534 by LarryF
Well that's a bummer.

We'll just have to work around it while it's still a feature.

Thanks again.
