Hi,
I am on LimeSurvey 2.06+ Build 151018 and have a simple one-question-per-page survey where all questions are of the long text type.
Someone pointed out to me that a common panel user (no admin login, just token invited) can XSS attack the platform by injecting </textarea><script>javascript malicious code</script><textarea> (i.e. </textarea><script>alert(document.cookie)</script><textarea>) inside any answer. I have the global XSS filter active both in the admin configuration and in the config file. I searched the docs and forums and didn't find anything useful in this case. Is it really so? What can I do to prevent this?
A user can enter this sentence in a textarea, but this is not working in LimeSurvey (public or admin): we filter it when we show it.
Someone must validate the information before alerting you. And we have a bug report process where security issues are fixed in less than a day.
Denis
Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development. I don't answer private messages.
The fact is that I tried it myself and it worked! I can send you a link and token where you can reproduce it if you think that may be useful.
Perhaps I should open an issue in Mantis?
Actually it worked also here: survey.limesurvey.org/97793. First screen, put the malicious code in the textarea, click on next, click on "Administrative interface" from the questions index and it will alert document.cookie.
Last edit: 9 years 4 months ago by albertosepe. Reason: More details
albertosepe wrote: ...
Perhaps I should open an issue in Mantis?
....
Yes.
Oh, now I understand better: not in the admin part, but in the public part... You're right: it must be fixed.
Please report the bug.
PS: there is XSS protection, so the user must really enter this sentence. Not sure what security we have here.
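Added example (not code from this thread or from LimeSurvey itself): the breakout described above happens when a stored long-text answer is echoed back into a textarea as raw HTML, so the `</textarea>` inside the answer closes the element and whatever follows is parsed as page markup. Filtering on input is not what protects the page; escaping for the HTML text context at output time is. The snippet below renders the thread's own payload both ways, uses a small tag scanner to show whether extra elements appear in the result, and includes a scanner for triaging already-stored answers. The `render_*` helpers, the tag scanner and the sample answers are assumptions constructed for illustration, not LimeSurvey's own functions.

```python
import html
import re

# Payload quoted in the thread above, used here only as a test input.
PAYLOAD = '</textarea><script>alert(document.cookie)</script><textarea>'


def render_textarea_unsafe(answer: str) -> str:
    """Echo a stored answer into a textarea without escaping (the defect).

    The answer is interpreted as markup, so a '</textarea>' inside it
    terminates the element early and the rest becomes page content.
    """
    return f'<textarea name="answer">{answer}</textarea>'


def render_textarea_safe(answer: str) -> str:
    """Escape for the HTML text context before echoing (the fix).

    html.escape turns '<', '>', '&' and quotes into entities, so a stored
    '</textarea>' is shown literally; the browser decodes the entities,
    so the respondent still sees exactly what they typed.
    """
    return f'<textarea name="answer">{html.escape(answer, quote=True)}</textarea>'


# Minimal tag scanner: enough to list the elements a rendered fragment opens
# and closes. It is a check for this example, not an HTML parser.
_TAG_RE = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)')


def element_sequence(markup: str) -> list:
    """Return [(is_closing, tagname), ...] for every tag in the markup."""
    return [(bool(m.group(1)), m.group(2).lower()) for m in _TAG_RE.finditer(markup)]


def textarea_breakout(markup: str) -> bool:
    """True when a fragment meant to hold one textarea contains anything else."""
    return element_sequence(markup) != [(False, 'textarea'), (True, 'textarea')]


# Triage helper for answers already stored in the response table: flags
# answers containing a textarea or script tag so they can be reviewed.
_SUSPECT_RE = re.compile(r'</?\s*(textarea|script)\b', re.IGNORECASE)


def flag_suspicious_answers(answers):
    """Return the indexes of stored answers that contain textarea/script tags."""
    return [i for i, a in enumerate(answers) if _SUSPECT_RE.search(a)]


if __name__ == '__main__':
    # Constructed sample answers: one benign, the thread's payload, one with a
    # literal '<' that must not be flagged.
    stored = ['Hello, fine survey.', PAYLOAD, 'I think a < b here']
    print('unsafe breakout:', textarea_breakout(render_textarea_unsafe(PAYLOAD)))
    print('safe breakout:  ', textarea_breakout(render_textarea_safe(PAYLOAD)))
    print('flagged answers:', flag_suspicious_answers(stored))
```

The escaped form round-trips: `html.unescape` of the escaped answer gives back the original text, which is what the browser does when it displays the textarea, so the fix changes nothing for legitimate respondents who type `<` or `&` in their answers.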