View Issue Details

This bug affects 1 person(s).
ID: 17553
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2021-09-21 09:45
Reporter: galads
Assigned To: gabrieljenik
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 5.x
Summary: 17553: End URL link not working (redirecting to survey home page)
Description: The end URL redirects to home page instead of the URL inserted in the "End URL" field.
I used https://www.github.com/ as the end URL and after clicking on the end URL link it redirects to http://10.0.0.10/https%3A%2F%2Fwww.github.com%2F
Steps To Reproduce:
1. Create a survey
2. Add end URL
3. Set "Automatically load end URL when survey complete" Off. (Presentation)
4. Activate and participate in the survey
5. At the end of the survey click on the URL
Additional Information: Automatically load end URL when survey complete: set to "off".
Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 5.1.3
I will donate to the project if issue is resolved: No
Browser:
Database type & version: not relevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: not relevant

Activities

gabrieljenik

2021-09-01 18:17

manager   ~66271

A urlencode was added recently to the end_url.
> commit 22afd935 (Fixed issue [security]: Add missing url_encode filter to URL in Twig template (Mika Kulmala and Ville Kapanen at F-Secure)).

The issue in this case is that the "/" characters from the "protocol" part (https) are getting encoded as well, resulting in a malformed URL.

I believe urlencode should only be used for the parameters part, not the path of the URL nor the protocol.
> The url_encode filter percent encodes a given string as URL segment or an array as query
> https://twig.symfony.com/doc/3.x/filters/url_encode.html

I think it is difficult to use urlencode after having formed the complete url (or in this case, after saving the end_url parameter).
Parsing the end_url to only encode part of the url could be tricky.

Still, what we could do is try to filter/encode it for some characters.
Additionally, that setting could be XSS filtered when saved.

Thoughts?
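
Why the encoded link lands on the survey host, and one way to encode only the parts after the host, as an added example (not LimeSurvey's code and not the fix that was released). Python's `urllib` stands in for Twig's `url_encode`; `safe_end_url_href`, the scheme allowlist and the constants are assumptions made for illustration.

```python
from html import escape
from typing import Optional
from urllib.parse import parse_qsl, quote, urlencode, urljoin, urlsplit, urlunsplit

SURVEY_BASE = "http://10.0.0.10/"    # page showing the link (host from the report)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: end URLs are plain web links


def encode_whole_url(end_url: str) -> str:
    """Percent-encode the complete URL as if it were a single path segment."""
    return quote(end_url, safe="")


def browser_target(href: str, base: str = SURVEY_BASE) -> str:
    """Resolve href against the current page, as a browser does on click."""
    return urljoin(base, href)


def safe_end_url_href(end_url: str) -> Optional[str]:
    """Hypothetical alternative: allowlist the scheme, encode only path, query
    and fragment, then HTML-escape for the href attribute. None = render no link."""
    try:
        parts = urlsplit(end_url.strip())
    except ValueError:  # e.g. malformed IPv6 host
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    path = quote(parts.path, safe="/%")  # keep separators and existing escapes
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    fragment = quote(parts.fragment, safe="%")
    rebuilt = urlunsplit((scheme, parts.netloc, path, query, fragment))
    return escape(rebuilt, quote=True)


if __name__ == "__main__":
    reported = "https://www.github.com/"
    broken = encode_whole_url(reported)
    print(broken, "->", browser_target(broken))
    fixed = safe_end_url_href(reported)
    print(fixed, "->", browser_target(fixed))
```

With the scheme separator encoded, the href no longer parses as an absolute URL, so the browser treats it as a relative path on the survey host.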
ollehar

2021-09-02 10:03

administrator   ~66276

Crap
c_schmitz

2021-09-21 09:45

administrator   ~66562

New version released

Issue History

Date Modified Username Field Change
2021-08-30 12:59 galads New Issue
2021-08-30 12:59 galads Status new => assigned
2021-08-30 12:59 galads Assigned To => gabrieljenik
2021-08-30 13:29 galads Sync to Zoho Project Yes =>
2021-08-30 13:29 galads Sync to Zoho Project => |Yes|
2021-09-01 18:17 gabrieljenik Note Added: 66271
2021-09-01 18:17 gabrieljenik Bug heat 0 => 2
2021-09-02 10:03 ollehar Note Added: 66276
2021-09-02 10:03 ollehar Bug heat 2 => 4
2021-09-10 14:22 c_schmitz Status assigned => resolved
2021-09-10 14:22 c_schmitz Resolution open => fixed
2021-09-21 09:45 c_schmitz Note Added: 66562
2021-09-21 09:45 c_schmitz Bug heat 4 => 6
2021-09-21 09:45 c_schmitz Status resolved => closed