JavaScript for fixing answer order gets stripped by XSS filter

3 days 23 hours ago #272746 by Chymster
Please help us help you and fill where relevant:
Your LimeSurvey version: LimeSurvey Community Edition version 6.15.11
Own server or LimeSurvey hosting:
Survey theme/template:
==================

Hello everyone,

I'm facing an issue with a JavaScript snippet in LimeSurvey and would appreciate some guidance.

My Goal: I'm using a question with a randomized answer order, and I need to keep the last answer (or a specific number of answers) in a fixed position at the end of the list.

The Problem: I have a JavaScript code that accomplishes this perfectly. When I place it inside <script> tags in the question's source editor, it works as expected. However, after saving the question, the built-in XSS filter strips the <script> and </script> tags, causing the code to be rendered as plain text within the question body. For security reasons, I need to keep the global XSS filtering enabled.

What I've Tried:
  1. Using the dedicated 'Script' tab: I tried pasting the JavaScript code (without the <script> tags) into the question's 'Script' section in the advanced settings. Unfortunately, the script doesn't seem to execute from there and has no effect.
  2. Using a custom CSS class and custom.js: My other idea was to add a custom CSS class (e.g., fix-last-answer) to the question. Then, I attempted to modify my template's custom.js file to detect questions with this class and apply the script to them. I wasn't able to get this approach to work, but perhaps I implemented it incorrectly.

My Question: What is the recommended way to implement question-specific JavaScript like this without it being stripped by the XSS filter? Is modifying the template's custom.js based on a CSS class the right path, and if so, what would be the correct way to target the question and execute the script?

My JavaScript Code: This is the code I'm trying to use:
Code:
$(document).on('ready pjax:scriptcomplete',function(){
    // The number of answers to be fixed at the end of the list
    var fixedAnswers = 1;
    // Set this to "true" if you want "Other" to be fixed in the last position
    var otherFixed = false;
 
    // Identify this question
    var qID = {QID};
 
    // Find the number of answers
    var ansCount = $('#question'+qID+' .answer-item').length;
    if($('#question'+qID+' input[type="text"]').length > 0) {
        ansCount = ansCount - 1;
    }
    console.log(ansCount);
 
    // Place the last n answers created at the end of the list
    var fixedIndex = fixedAnswers - 1;
    for (var i=0; i<fixedAnswers; i++) {
        var answer = $('input[id^="answer"][id$="X'+qID+(ansCount-fixedIndex)+'"]');
        var answerItem = $(answer).closest('.answer-item');
        var answersList = $(answer).closest('ul');
        $(answersList).append(answerItem);
        fixedIndex--;
    }        
 
    // Handle "Other"
    if(otherFixed == true && $('#question'+qID+' input[type="text"]').length > 0) {
        var otherAnswer = $('#question'+qID+' input[type="text"]');
        var otherAnswerItem = $(otherAnswer).closest('.answer-item');
        var otherAnswersList = $(otherAnswer).closest('ul');
        $(otherAnswersList).append(otherAnswerItem);
    }
});


Thank you in advance for any help or suggestions!

3 days 16 hours ago #272747 by holch

For security reasons, I need to keep the global XSS filtering enabled.


If the code is inserted by a super admin (and never touched or saved by anyone else), the XSS should ignore this.

Now if you are not a super admin or if someone else who is not a super admin will "touch" this question again, the XSS filter will do its thing.

I am not sure if putting this into an external JavaScript file would work, as the script uses QID, etc. which might be an issue.

Let's see what others have to say.

Help us to help you!
  • Provide your LS version and where it is installed (own server, uni/employer, SaaS hosting, etc.).
  • Always provide a LSS file (not LSQ or LSG).
Note: I answer at this forum in my spare time, I'm not a LimeSurvey GmbH employee.

1 day 18 hours ago - 1 day 18 hours ago #272762 by tpartner
If you place the script in custom.js, you will need to hard code the qID variable.

Code:
var qID = 12345;

You may also want to wrap it in an IF statement, so it only fires if the question is detected (not on all pages).

Code:
if($('#question'+qID).length > 0) {
    // ...code here...
}

Cheers,
Tony Partner

Solutions, code and workarounds presented in these forums are given without any warranty, implied or otherwise.
Last edit: 1 day 18 hours ago by tpartner.
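
The custom.js route discussed in this thread, as an added example that is not part of any post above and not LimeSurvey's own code: instead of hard-coding one qID, it finds every question carrying the class and reads the numeric ID from the container's id, so no script needs to live in question text and the XSS filter can stay on. Assumptions: the question's CSS class setting places fix-last-answer on the #question{QID} container, answer codes are the numbers 1..n as in the original snippet, and the function and constant names are hypothetical.

```javascript
// Added example for the theme's custom.js (not LimeSurvey's or the posters' code).
// Assumption: the class below ends up on the #question{QID} container element.
var PIN_CLASS = 'fix-last-answer'; // class name proposed in the thread
var FIXED_ANSWERS = 1;             // how many trailing answers stay at the end

// "question12345" -> 12345; null for anything else, so only a purely numeric
// ID is ever concatenated into a selector.
function qidFromElementId(elementId) {
    var m = /^question(\d+)$/.exec(String(elementId));
    return m ? Number(m[1]) : null;
}

// Id suffixes ("X" + qID + answer code) of the answers to pin, in append order.
// Assumes answer codes 1..ansCount, like the original snippet.
function pinnedIdSuffixes(qID, ansCount, fixedAnswers) {
    var n = Math.max(0, Math.min(fixedAnswers, ansCount));
    var suffixes = [];
    for (var code = ansCount - n + 1; code <= ansCount; code++) {
        suffixes.push('X' + qID + code);
    }
    return suffixes;
}

// DOM part: every lookup is scoped to the tagged question, so pages without
// such a question are left untouched.
function pinTaggedQuestions($) {
    $('.' + PIN_CLASS + '[id^="question"]').each(function () {
        var qID = qidFromElementId(this.id);
        if (qID === null) { return; }
        var $question = $(this);
        var ansCount = $question.find('.answer-item').length;
        if ($question.find('input[type="text"]').length > 0) {
            ansCount = ansCount - 1; // do not count the "Other" item
        }
        pinnedIdSuffixes(qID, ansCount, FIXED_ANSWERS).forEach(function (suffix) {
            var $item = $question.find('input[id^="answer"][id$="' + suffix + '"]')
                .closest('.answer-item');
            $item.closest('ul').append($item);
        });
    });
}

// Register only in a browser where jQuery is loaded.
if (typeof window !== 'undefined' && window.jQuery) {
    window.jQuery(document).on('ready pjax:scriptcomplete', function () {
        pinTaggedQuestions(window.jQuery);
    });
}
```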
