Embedding YouTube via iFrame with active XSS protection

  • Cheatha (Topic Author, New Member)
7 years 3 months ago #147065 by Cheatha
I'm using version 2.58.2+170114 and I'd like to embed a YouTube video. Iframe embedding is globally allowed. After editing a question and saving it, the YouTube iframe is gone. It works with XSS protection disabled, but disabling it is not an option. Is this a bug?
The topic has been locked.
  • holch (LimeSurvey Community Team)
7 years 3 months ago #147066 by holch
I am not an expert, but I would say that XSS protection and iframe inclusion are mutually exclusive.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

  • Cheatha (Topic Author, New Member)
7 years 3 months ago #147069 by Cheatha
So it's a bug in the UI? That's confusing… :( Maybe this IFrame option should be hidden after activating XSS or be marked as »doesn't work with enabled XSS protection«.
The topic has been locked.
  • holch (LimeSurvey Community Team)
7 years 3 months ago - 7 years 3 months ago #147070 by holch
As I said, I am not an expert on this. But it sounds logical to me that the XSS filter filters iframes, as they might be a way to cause trouble:

"Filter HTML for XSS: By default your survey manager will not be authorized to use dangerous HTML tags in their survey/group/question/label texts (for instance JavaScript code). This is intended to prevent a survey operator from adding a malicious script in order to have a true admin raise his permissions on the system. If you want to use any script objects like JavaScript scripts or Flash applets in your surveys you will need to switch this off (specific scripts for video hosters can be used). The XSS filtering is always disabled for the superadministrator. In order to see the effects of XSS filtering, it is advised to use a regular user account."
I would assume that iframes fall under "dangerous HTML tags". I agree that if this is the case, it would be nice to have some hint there. But: I don't know how the XSS filter works exactly and what it is filtering (couldn't find anything more detailed).



Last edit: 7 years 3 months ago by holch.
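To make the "dangerous HTML tags" idea concrete, here is an added example (not LimeSurvey's own filter, whose exact rules the thread notes are not documented) of how an allowlist-based HTML filter can keep an iframe that points at a known video host while still stripping script tags, event-handler attributes and javascript: URLs. The tag, attribute and host allowlists are hypothetical choices for this illustration, and the sample fragments are constructed inputs.

```python
"""Allowlist HTML filter that keeps video-host iframes but strips anything that can run script.

Added illustration, not LimeSurvey's filter: the allowlists below are hypothetical.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlists for this example (not LimeSurvey's configuration).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "iframe"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "iframe": {"src", "width", "height", "frameborder", "allowfullscreen"},
}
VIDEO_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com", "player.vimeo.com"}
# Attributes that carry URLs, with an optional host allowlist (None = any host, http(s) only).
URL_ATTRS = {("a", "href"): None, ("iframe", "src"): VIDEO_HOSTS}
# Elements whose contents are discarded along with the element when it is rejected.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe"}
VOID_TAGS = {"br", "img", "hr", "input"}


def safe_url(url, host_allowlist=None):
    """Reject anything that is not http(s), and optionally anything off the host allowlist."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, scheme-less, etc. all fail closed
    if host_allowlist is not None:
        # .hostname, not .netloc: "https://www.youtube.com@evil.example/" resolves to evil.example
        return (parts.hostname or "").lower() in host_allowlist
    return True


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens; only allowlisted tags/attributes are re-emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # (tag, action) for open elements; action in {"keep", "strip", "drop"}
        self.drop_depth = 0  # > 0 while inside a rejected element whose contents are discarded

    def _attrs_ok(self, tag, attrs):
        return all(safe_url(value or "", URL_ATTRS[(tag, name)])
                   for name, value in attrs if (tag, name) in URL_ATTRS)

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            action = "drop"
        elif tag in ALLOWED_TAGS and self._attrs_ok(tag, attrs):
            allowed = ALLOWED_ATTRS.get(tag, set())  # on* handlers are never in the allowlist
            attr_text = "".join(
                f' {name}="{html.escape(value or "", quote=True)}"'
                for name, value in attrs if name in allowed)
            self.out.append(f"<{tag}{attr_text}>")
            action = "keep"
        elif tag in DROP_WITH_CONTENT:
            action = "drop"   # <script>...</script>, or an iframe pointing at a non-video host
        else:
            action = "strip"  # unknown wrapper such as <div>: drop the tag, keep its text
        if tag in VOID_TAGS:
            return            # no matching end tag will arrive
        if action == "drop":
            self.drop_depth += 1
        self.stack.append((tag, action))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(t != tag for t, _ in self.stack):
            return            # stray close tag: ignore it
        while self.stack:     # close back to the matching open element
            t, action = self.stack.pop()
            if action == "keep":
                self.out.append(f"</{t}>")
            elif action == "drop":
                self.drop_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are never re-emitted (default handlers do nothing).


def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    while p.stack:            # close anything the input left open
        t, action = p.stack.pop()
        if action == "keep":
            p.out.append(f"</{t}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed inputs for the example; VIDEO_ID is a placeholder.
    samples = [
        '<p>Intro <iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315" allowfullscreen></iframe></p>',
        '<p>x<script>alert(1)</script>y</p>',
        '<iframe src="javascript:alert(1)"></iframe>after',
        '<iframe src="https://evil.example/embed"></iframe>',
        '<a href="https://example.org" onclick="steal()">ok</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

The design point is that the filter never tries to recognise "bad" markup; it re-emits only what is on the allowlist and rebuilds every attribute value through escaping, so an unknown tag, an on* handler or a non-http(s) URL simply never reaches the output. An iframe survives only when its src parses to one of the allowlisted video hosts, which is the kind of exception the quoted documentation alludes to with "specific scripts for video hosters".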
  • Cheatha (Topic Author, New Member)
7 years 3 months ago #147078 by Cheatha
This seems plausible, so I've created a pull request to fix this: github.com/LimeSurvey/LimeSurvey/pull/619
  • DenisChenu (LimeSurvey Community Team)
7 years 3 months ago #147191 by DenisChenu
I didn't understand the fix.
I think it's an issue with the HTML editor?

Can you explain more how to reproduce the issue? Because in 2.6 we can include some iframes: see github.com/LimeSurvey/LimeSurvey/blob/ma..._Validators.php#L116

Denis

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
  • Joffm (LimeSurvey Community Team)
7 years 3 months ago #147194 by Joffm
Hi, Cheatha,

I tried to reproduce it, but unfortunately without success. With XSS protection either active or inactive, it works as expected (that is to say, in my environment).
So there might be something else in your environment.

Sorry for not being really helpful

Joffm

Volunteers are not paid.
Not because they are worthless, but because they are priceless
