Embedding YouTube via iFrame with active XSS protection
- Cheatha
- Topic Author
- New Member
- holch
- LimeSurvey Community Team
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- Cheatha
- Topic Author
- New Member
- holch
- LimeSurvey Community Team
"Filter HTML for XSS: By default your survey manager will not be authorized to use dangerous HTML tags in their survey/group/question/labels texts (for instance JavaScript code). This is intended to prevent a survey operator to add malicious script in order to have a true admin raise his permissions on the system. If you want to use any script objects like Javascript scripts or Flash applets in your surveys you will need to switch this off (Specific script for video hoster can be used). The XSS filtering is always disabled for the superadministrator. In order to see the effects of XSS filtering, it is advised to use a regular user account."
I would assume that iframes fall under "dangerous HTML tags". I agree that if this is the case, it would be nice to have some hint there. But: I don't know how the XSS filter works exactly and what it is filtering (couldn't find anything more detailed).
- Cheatha
- Topic Author
- New Member
- DenisChenu
- LimeSurvey Community Team
I think it's an issue with HTML editor?
Can you explain more how to reproduce the issue? Because in 2.6 we can include some iframe: see github.com/LimeSurvey/LimeSurvey/blob/ma..._Validators.php#L116
Denis
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
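Added illustration, not LimeSurvey's code and not written by anyone in this thread: one way an HTML filter can stay active and still admit YouTube embeds is to accept an iframe only when its src passes a strict allowlist check, which the sketch below applies to every iframe found in a question text. The host list, the path rule, the function names and the sample text are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for this example; not LimeSurvey's actual filter rules.
ALLOWED_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}
EMBED_PATH = re.compile(r"/embed/[A-Za-z0-9_-]+")

def iframe_src_allowed(src):
    """True only for an https embed URL on an exactly matching host."""
    # Browsers drop tabs/newlines and read "\" as "/": refuse, don't guess.
    if src != src.strip() or any(c in src for c in "\\\t\r\n"):
        return False
    try:
        parts = urlsplit(src)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False               # also rejects scheme-relative "//host/..."
    if parts.username is not None or parts.password is not None:
        return False               # https://www.youtube.com@other.example/
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return False               # exact match, so look-alike suffixes fail
    return EMBED_PATH.fullmatch(parts.path) is not None

class IframeAudit(HTMLParser):
    """Collect every iframe src in a text together with the verdict."""
    def __init__(self):
        super().__init__()
        self.results = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Browsers honour the first src attribute, so judge that one.
            src = next((v for k, v in attrs if k == "src"), None) or ""
            self.results.append((src, iframe_src_allowed(src)))

def audit_iframes(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.results

# Constructed sample question text (VIDEO_ID is a placeholder).
SAMPLE = (
    '<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'
    '<iframe src="https://www.youtube.com.other.example/embed/VIDEO_ID"></iframe>'
    '<iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>'
)
```

Calling `audit_iframes(SAMPLE)` returns each src with its verdict; only the first iframe is accepted.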
- Joffm
- LimeSurvey Community Team
I tried to reproduce it. But unfortunately without success. Either with XSS protection active or inactive it works as expected. (that is to say in my environment).
So there might be something else in your environment.
Sorry for not being really helpful
Joffm
Volunteers are not paid.
Not because they are worthless, but because they are priceless