Using html entities such as greater than or less than <> not parsing as text
- holch
- LimeSurvey Community Team
11 months 3 weeks ago #243036
by holch
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
Replied by holch on topic Using html entities such as greater than or less than <> not parsing as text
XSS is not activated. Did you look at my screenshots and what is happening there? There is definitely something wrong.
The > that I put is showing in the question, the "<" doesn't (but is in the text, thus hasn't been filtered, because the XSS is not on, I am also Superadmin)
- DenisChenu
- LimeSurvey Community Team
11 months 3 weeks ago - 11 months 3 weeks ago #243059
by DenisChenu
Replied by DenisChenu on topic Using html entities such as greater than or less than <> not parsing as text
Yes: because XSS is not activated for you, < is not shown.

holch wrote:
XSS is not activated. Did you look at my screenshots and what is happening there? There is definitely something wrong.
The > that I put is showing in the question, the "<" doesn't (but is in the text, thus hasn't been filtered, because the XSS is not on, I am also Superadmin)

The HTML is this:
<option>Choice 1 <</option>
I think you can play (as super admin) and put
Choice 1 </option> <option>Choice 2
in the same answer … and see something strange …
PS: I think we need XSS filtering for superadmin too … (by options)
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
Last edit: 11 months 3 weeks ago by DenisChenu.
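Added example, not part of the original posts and not LimeSurvey code: it renders the answer text from the post above into an `<option>` once unchanged and once HTML-encoded, then counts the options a parser sees. Python's standard-library HTML parser stands in for the browser, and the names `render_raw`, `render_encoded` and `parse_options` are hypothetical.

```python
from html import escape
from html.parser import HTMLParser


class OptionCollector(HTMLParser):
    """Collect the text content of every <option> element the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.options = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "option":
            self.options.append("")
            self._open = True

    def handle_endtag(self, tag):
        if tag == "option":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.options[-1] += data


def parse_options(markup):
    parser = OptionCollector()
    parser.feed(markup)
    parser.close()
    return parser.options


def render_raw(answer):
    # Answer text concatenated into the markup unchanged (no output encoding).
    return "<select><option>" + answer + "</option></select>"


def render_encoded(answer):
    # Encode for the HTML text context: & < > become &amp; &lt; &gt;
    return "<select><option>" + escape(answer, quote=False) + "</option></select>"


# Constructed sample input: the two answer texts discussed in the thread.
SPLIT = "Choice 1 </option> <option>Choice 2"
LONE = "Choice 1 <"

if __name__ == "__main__":
    print(parse_options(render_raw(SPLIT)))      # two options from one answer
    print(parse_options(render_encoded(SPLIT)))  # one option, text intact
    print(parse_options(render_encoded(LONE)))   # lone "<" survives as text
```

Encoding at output time keeps a lone `<` or `>` visible as text without relying on the input filter to guess whether it starts a tag.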
- cheeseburger
- Topic Author
- Senior Member
11 months 3 weeks ago #243118
by cheeseburger
Replied by cheeseburger on topic Using html entities such as greater than or less than <> not parsing as text
Hi. To help with your analysis: I just temp deactivated XSS and it did allow the greater than and less than symbols to display properly. However, in our org we are required to keep it on.
Is it possible to update LS so it permits lone symbols such as greater than and less than when not in the context of an actual tag?
Also, early in this thread it was confirmed to be a bug. Do we still see it as a bug? If so, could someone continue to post that in the tracker? I know we were headed that direction but the conversation broke off into a secondary topic.
I'm asking so we know how to communicate to our client. If it's not considered a bug, we will have to have them find an alternative method to present the question. We currently have them doing the same while awaiting the previous bug fix for array type F questions. We just need to know what status to communicate to them and to know if alternative solutions need to be found for the two outstanding challenges (possibly bugs).
Thanks!