View Issue Details

This bug affects 1 person(s).

ID: 18307
Project: Bug reports
Category: Other
View Status: public
Last Update: 2022-10-10 10:47
Reporter: JussiH
Assigned To: gabrieljenik
Priority: high
Severity: block
Status: closed
Resolution: fixed
Product Version: 5.3.x
Summary: 18307: A comment string starting with a "<" is not saved using Multiple choice with comments
Description

Question type "Multiple choice with comments" is not saving comments to the database (at least according to the Settings/Responses tab) if a comment string starts with a "<" symbol (e.g. <2).

Steps To Reproduce

Steps to reproduce

  • create a survey containing a question type "Multiple choice with comments" with at least one option
  • activate and run survey
  • submit the survey when at least one option has a comment starting with a "<" e.g. <2

Expected result

Comment is saved to the database as a string e.g. <2

Actual result

Comment is not saved

Tags: No tags attached.
Bug heat: 8
Complete LimeSurvey version number (& build): LimeSurvey Community Edition Version 5.3.29 (martialblog Docker image)
I will donate to the project if issue is resolved: No
Browser: Chrome Version 103.0.5060.134
Database type & version: mysql 5.7
Server OS (if known):
Webserver software & version (if known):
PHP Version: 8.0.22

Relationships

related to 18402 confirmed Free text answer or comments get filtered on the response browsing screen or response detailed view 

Users monitoring this issue

There are no users monitoring this issue.

Activities

JussiH

2022-08-10 16:08

reporter  

limesurvey_survey_894847.lss (21,767 bytes)   
<?xml version="1.0" encoding="UTF-8"?>
<document>
 <LimeSurveyDocType>Survey</LimeSurveyDocType>
 <DBVersion>488</DBVersion>
 <languages>
  <language>en</language>
 </languages>
 <groups>
  <fields>
   <fieldname>gid</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>group_order</fieldname>
   <fieldname>randomization_group</fieldname>
   <fieldname>grelevance</fieldname>
  </fields>
  <rows>
   <row>
    <gid><![CDATA[3]]></gid>
    <sid><![CDATA[894847]]></sid>
    <group_order><![CDATA[0]]></group_order>
    <randomization_group/>
    <grelevance/>
   </row>
  </rows>
 </groups>
 <group_l10ns>
  <fields>
   <fieldname>id</fieldname>
   <fieldname>gid</fieldname>
   <fieldname>group_name</fieldname>
   <fieldname>description</fieldname>
   <fieldname>language</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>group_order</fieldname>
   <fieldname>randomization_group</fieldname>
   <fieldname>grelevance</fieldname>
  </fields>
  <rows>
   <row>
    <id><![CDATA[3]]></id>
    <gid><![CDATA[3]]></gid>
    <group_name><![CDATA[Group]]></group_name>
    <description/>
    <language><![CDATA[en]]></language>
    <sid><![CDATA[894847]]></sid>
    <group_order><![CDATA[0]]></group_order>
    <randomization_group/>
    <grelevance/>
   </row>
  </rows>
 </group_l10ns>
 <questions>
  <fields>
   <fieldname>qid</fieldname>
   <fieldname>parent_qid</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>gid</fieldname>
   <fieldname>type</fieldname>
   <fieldname>title</fieldname>
   <fieldname>preg</fieldname>
   <fieldname>other</fieldname>
   <fieldname>mandatory</fieldname>
   <fieldname>encrypted</fieldname>
   <fieldname>question_order</fieldname>
   <fieldname>scale_id</fieldname>
   <fieldname>same_default</fieldname>
   <fieldname>relevance</fieldname>
   <fieldname>question_theme_name</fieldname>
   <fieldname>modulename</fieldname>
   <fieldname>same_script</fieldname>
  </fields>
  <rows>
   <row>
    <qid><![CDATA[5]]></qid>
    <parent_qid><![CDATA[0]]></parent_qid>
    <sid><![CDATA[894847]]></sid>
    <gid><![CDATA[3]]></gid>
    <type><![CDATA[P]]></type>
    <title><![CDATA[G00Q01]]></title>
    <preg/>
    <other><![CDATA[N]]></other>
    <mandatory><![CDATA[N]]></mandatory>
    <encrypted><![CDATA[N]]></encrypted>
    <question_order><![CDATA[1]]></question_order>
    <scale_id><![CDATA[0]]></scale_id>
    <same_default><![CDATA[0]]></same_default>
    <relevance><![CDATA[1]]></relevance>
    <question_theme_name><![CDATA[multiplechoice_with_comments]]></question_theme_name>
    <modulename/>
    <same_script><![CDATA[0]]></same_script>
   </row>
  </rows>
 </questions>
 <subquestions>
  <fields>
   <fieldname>qid</fieldname>
   <fieldname>parent_qid</fieldname>
   <fieldname>sid</fieldname>
   <fieldname>gid</fieldname>
   <fieldname>type</fieldname>
   <fieldname>title</fieldname>
   <fieldname>preg</fieldname>
   <fieldname>other</fieldname>
   <fieldname>mandatory</fieldname>
   <fieldname>encrypted</fieldname>
   <fieldname>question_order</fieldname>
   <fieldname>scale_id</fieldname>
   <fieldname>same_default</fieldname>
   <fieldname>relevance</fieldname>
   <fieldname>question_theme_name</fieldname>
   <fieldname>modulename</fieldname>
   <fieldname>same_script</fieldname>
  </fields>
  <rows>
   <row>
    <qid><![CDATA[6]]></qid>
    <parent_qid><![CDATA[5]]></parent_qid>
    <sid><![CDATA[894847]]></sid>
    <gid><![CDATA[3]]></gid>
    <type><![CDATA[T]]></type>
    <title><![CDATA[SQ001]]></title>
    <other><![CDATA[N]]></other>
    <encrypted><![CDATA[N]]></encrypted>
    <question_order><![CDATA[0]]></question_order>
    <scale_id><![CDATA[0]]></scale_id>
    <same_default><![CDATA[0]]></same_default>
    <relevance><![CDATA[1]]></relevance>
    <question_theme_name><![CDATA[longfreetext]]></question_theme_name>
    <same_script><![CDATA[0]]></same_script>
   </row>
  </rows>
 </subquestions>
 <question_l10ns>
  <fields>
   <fieldname>id</fieldname>
   <fieldname>qid</fieldname>
   <fieldname>question</fieldname>
   <fieldname>help</fieldname>
   <fieldname>script</fieldname>
   <fieldname>language</fieldname>
  </fields>
  <rows>
   <row>
    <id><![CDATA[5]]></id>
    <qid><![CDATA[5]]></qid>
    <question><![CDATA[Question]]></question>
    <help><![CDATA[Submit with a comment: e.g. <2]]></help>
    <script/>
    <language><![CDATA[en]]></language>
   </row>
   <row>
    <id><![CDATA[6]]></id>
    <qid><![CDATA[6]]></qid>
    <question><![CDATA[Option]]></question>
    <language><![CDATA[en]]></language>
   </row>
  </rows>
 </question_l10ns>
 <question_attributes>
  <fields>
   <fieldname>qid</fieldname>
   <fieldname>attribute</fieldname>
   <fieldname>value</fieldname>
   <fieldname>language</fieldname>
  </fields>
  <rows>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[array_filter]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[array_filter_exclude]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[array_filter_style]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[assessment_value]]></attribute>
    <value><![CDATA[1]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[choice_input_columns]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[commented_checkbox]]></attribute>
    <value><![CDATA[checked]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[commented_checkbox_auto]]></attribute>
    <value><![CDATA[1]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[cssclass]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[em_validation_q]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[em_validation_q_tip]]></attribute>
    <value/>
    <language><![CDATA[en]]></language>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[exclude_all_others]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[exclude_all_others_auto]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[hidden]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[hide_tip]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[max_answers]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[min_answers]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[other_comment_mandatory]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[other_numbers_only]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[other_position]]></attribute>
    <value><![CDATA[end]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[other_position_code]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[other_replace_text]]></attribute>
    <value/>
    <language><![CDATA[en]]></language>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[page_break]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[printable_help]]></attribute>
    <value/>
    <language><![CDATA[en]]></language>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[public_statistics]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[random_group]]></attribute>
    <value/>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[random_order]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[save_as_default]]></attribute>
    <value><![CDATA[N]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[scale_export]]></attribute>
    <value><![CDATA[0]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[statistics_showgraph]]></attribute>
    <value><![CDATA[1]]></value>
    <language/>
   </row>
   <row>
    <qid><![CDATA[5]]></qid>
    <attribute><![CDATA[text_input_columns]]></attribute>
    <value/>
    <language/>
   </row>
  </rows>
 </question_attributes>
 <surveys>
  <fields>
   <fieldname>sid</fieldname>
   <fieldname>gsid</fieldname>
   <fieldname>admin</fieldname>
   <fieldname>expires</fieldname>
   <fieldname>startdate</fieldname>
   <fieldname>adminemail</fieldname>
   <fieldname>anonymized</fieldname>
   <fieldname>faxto</fieldname>
   <fieldname>format</fieldname>
   <fieldname>savetimings</fieldname>
   <fieldname>template</fieldname>
   <fieldname>language</fieldname>
   <fieldname>additional_languages</fieldname>
   <fieldname>datestamp</fieldname>
   <fieldname>usecookie</fieldname>
   <fieldname>allowregister</fieldname>
   <fieldname>allowsave</fieldname>
   <fieldname>autonumber_start</fieldname>
   <fieldname>autoredirect</fieldname>
   <fieldname>allowprev</fieldname>
   <fieldname>printanswers</fieldname>
   <fieldname>ipaddr</fieldname>
   <fieldname>ipanonymize</fieldname>
   <fieldname>refurl</fieldname>
   <fieldname>showsurveypolicynotice</fieldname>
   <fieldname>publicstatistics</fieldname>
   <fieldname>publicgraphs</fieldname>
   <fieldname>listpublic</fieldname>
   <fieldname>htmlemail</fieldname>
   <fieldname>sendconfirmation</fieldname>
   <fieldname>tokenanswerspersistence</fieldname>
   <fieldname>assessments</fieldname>
   <fieldname>usecaptcha</fieldname>
   <fieldname>usetokens</fieldname>
   <fieldname>bounce_email</fieldname>
   <fieldname>attributedescriptions</fieldname>
   <fieldname>emailresponseto</fieldname>
   <fieldname>emailnotificationto</fieldname>
   <fieldname>tokenlength</fieldname>
   <fieldname>showxquestions</fieldname>
   <fieldname>showgroupinfo</fieldname>
   <fieldname>shownoanswer</fieldname>
   <fieldname>showqnumcode</fieldname>
   <fieldname>bouncetime</fieldname>
   <fieldname>bounceprocessing</fieldname>
   <fieldname>bounceaccounttype</fieldname>
   <fieldname>bounceaccounthost</fieldname>
   <fieldname>bounceaccountpass</fieldname>
   <fieldname>bounceaccountencryption</fieldname>
   <fieldname>bounceaccountuser</fieldname>
   <fieldname>showwelcome</fieldname>
   <fieldname>showprogress</fieldname>
   <fieldname>questionindex</fieldname>
   <fieldname>navigationdelay</fieldname>
   <fieldname>nokeyboard</fieldname>
   <fieldname>alloweditaftercompletion</fieldname>
   <fieldname>googleanalyticsstyle</fieldname>
   <fieldname>googleanalyticsapikey</fieldname>
   <fieldname>tokenencryptionoptions</fieldname>
  </fields>
  <rows>
   <row>
    <sid><![CDATA[894847]]></sid>
    <gsid><![CDATA[1]]></gsid>
    <admin><![CDATA[inherit]]></admin>
    <adminemail><![CDATA[inherit]]></adminemail>
    <anonymized><![CDATA[N]]></anonymized>
    <format><![CDATA[I]]></format>
    <savetimings><![CDATA[N]]></savetimings>
    <template><![CDATA[inherit]]></template>
    <language><![CDATA[en]]></language>
    <additional_languages/>
    <datestamp><![CDATA[N]]></datestamp>
    <usecookie><![CDATA[I]]></usecookie>
    <allowregister><![CDATA[I]]></allowregister>
    <allowsave><![CDATA[I]]></allowsave>
    <autonumber_start><![CDATA[0]]></autonumber_start>
    <autoredirect><![CDATA[I]]></autoredirect>
    <allowprev><![CDATA[I]]></allowprev>
    <printanswers><![CDATA[I]]></printanswers>
    <ipaddr><![CDATA[N]]></ipaddr>
    <ipanonymize><![CDATA[N]]></ipanonymize>
    <refurl><![CDATA[N]]></refurl>
    <showsurveypolicynotice><![CDATA[0]]></showsurveypolicynotice>
    <publicstatistics><![CDATA[I]]></publicstatistics>
    <publicgraphs><![CDATA[I]]></publicgraphs>
    <listpublic><![CDATA[I]]></listpublic>
    <htmlemail><![CDATA[I]]></htmlemail>
    <sendconfirmation><![CDATA[I]]></sendconfirmation>
    <tokenanswerspersistence><![CDATA[I]]></tokenanswerspersistence>
    <assessments><![CDATA[I]]></assessments>
    <usecaptcha><![CDATA[E]]></usecaptcha>
    <usetokens><![CDATA[N]]></usetokens>
    <bounce_email><![CDATA[inherit]]></bounce_email>
    <emailresponseto><![CDATA[inherit]]></emailresponseto>
    <emailnotificationto><![CDATA[inherit]]></emailnotificationto>
    <tokenlength><![CDATA[-1]]></tokenlength>
    <showxquestions><![CDATA[I]]></showxquestions>
    <showgroupinfo><![CDATA[I]]></showgroupinfo>
    <shownoanswer><![CDATA[I]]></shownoanswer>
    <showqnumcode><![CDATA[I]]></showqnumcode>
    <bounceprocessing><![CDATA[N]]></bounceprocessing>
    <showwelcome><![CDATA[I]]></showwelcome>
    <showprogress><![CDATA[I]]></showprogress>
    <questionindex><![CDATA[-1]]></questionindex>
    <navigationdelay><![CDATA[-1]]></navigationdelay>
    <nokeyboard><![CDATA[I]]></nokeyboard>
    <alloweditaftercompletion><![CDATA[I]]></alloweditaftercompletion>
    <tokenencryptionoptions/>
   </row>
  </rows>
 </surveys>
 <surveys_languagesettings>
  <fields>
   <fieldname>surveyls_survey_id</fieldname>
   <fieldname>surveyls_language</fieldname>
   <fieldname>surveyls_title</fieldname>
   <fieldname>surveyls_description</fieldname>
   <fieldname>surveyls_welcometext</fieldname>
   <fieldname>surveyls_endtext</fieldname>
   <fieldname>surveyls_policy_notice</fieldname>
   <fieldname>surveyls_policy_error</fieldname>
   <fieldname>surveyls_policy_notice_label</fieldname>
   <fieldname>surveyls_url</fieldname>
   <fieldname>surveyls_urldescription</fieldname>
   <fieldname>surveyls_email_invite_subj</fieldname>
   <fieldname>surveyls_email_invite</fieldname>
   <fieldname>surveyls_email_remind_subj</fieldname>
   <fieldname>surveyls_email_remind</fieldname>
   <fieldname>surveyls_email_register_subj</fieldname>
   <fieldname>surveyls_email_register</fieldname>
   <fieldname>surveyls_email_confirm_subj</fieldname>
   <fieldname>surveyls_email_confirm</fieldname>
   <fieldname>surveyls_dateformat</fieldname>
   <fieldname>surveyls_attributecaptions</fieldname>
   <fieldname>email_admin_notification_subj</fieldname>
   <fieldname>email_admin_notification</fieldname>
   <fieldname>email_admin_responses_subj</fieldname>
   <fieldname>email_admin_responses</fieldname>
   <fieldname>surveyls_numberformat</fieldname>
   <fieldname>attachments</fieldname>
  </fields>
  <rows>
   <row>
    <surveyls_survey_id><![CDATA[894847]]></surveyls_survey_id>
    <surveyls_language><![CDATA[en]]></surveyls_language>
    <surveyls_title><![CDATA[Bug report]]></surveyls_title>
    <surveyls_description/>
    <surveyls_welcometext/>
    <surveyls_endtext/>
    <surveyls_policy_notice/>
    <surveyls_policy_notice_label/>
    <surveyls_url/>
    <surveyls_urldescription/>
    <surveyls_email_invite_subj><![CDATA[Invitation to participate in a survey]]></surveyls_email_invite_subj>
    <surveyls_email_invite><![CDATA[Dear {FIRSTNAME},<br />
<br />
you have been invited to participate in a survey.<br />
<br />
The survey is titled:<br />
"{SURVEYNAME}"<br />
<br />
"{SURVEYDESCRIPTION}"<br />
<br />
To participate, please click on the link below.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME} ({ADMINEMAIL})<br />
<br />
----------------------------------------------<br />
Click here to do the survey:<br />
{SURVEYURL}<br />
<br />
If you do not want to participate in this survey and don't want to receive any more invitations please click the following link:<br />
{OPTOUTURL}<br />
<br />
If you are blacklisted but want to participate in this survey and want to receive invitations please click the following link:<br />
{OPTINURL}]]></surveyls_email_invite>
    <surveyls_email_remind_subj><![CDATA[Reminder to participate in a survey]]></surveyls_email_remind_subj>
    <surveyls_email_remind><![CDATA[Dear {FIRSTNAME},<br />
<br />
Recently we invited you to participate in a survey.<br />
<br />
We note that you have not yet completed the survey, and wish to remind you that the survey is still available should you wish to take part.<br />
<br />
The survey is titled:<br />
"{SURVEYNAME}"<br />
<br />
"{SURVEYDESCRIPTION}"<br />
<br />
To participate, please click on the link below.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME} ({ADMINEMAIL})<br />
<br />
----------------------------------------------<br />
Click here to do the survey:<br />
{SURVEYURL}<br />
<br />
If you do not want to participate in this survey and don't want to receive any more invitations please click the following link:<br />
{OPTOUTURL}]]></surveyls_email_remind>
    <surveyls_email_register_subj><![CDATA[Survey registration confirmation]]></surveyls_email_register_subj>
    <surveyls_email_register><![CDATA[Dear {FIRSTNAME},<br />
<br />
You, or someone using your email address, have registered to participate in an online survey titled {SURVEYNAME}.<br />
<br />
To complete this survey, click on the following URL:<br />
<br />
{SURVEYURL}<br />
<br />
If you have any questions about this survey, or if you did not register to participate and believe this email is in error, please contact {ADMINNAME} at {ADMINEMAIL}.]]></surveyls_email_register>
    <surveyls_email_confirm_subj><![CDATA[Confirmation of your participation in our survey]]></surveyls_email_confirm_subj>
    <surveyls_email_confirm><![CDATA[Dear {FIRSTNAME},<br />
<br />
this email is to confirm that you have completed the survey titled {SURVEYNAME} and your response has been saved. Thank you for participating.<br />
<br />
If you have any further questions about this email, please contact {ADMINNAME} on {ADMINEMAIL}.<br />
<br />
Sincerely,<br />
<br />
{ADMINNAME}]]></surveyls_email_confirm>
    <surveyls_dateformat><![CDATA[9]]></surveyls_dateformat>
    <email_admin_notification_subj><![CDATA[Response submission for survey {SURVEYNAME}]]></email_admin_notification_subj>
    <email_admin_notification><![CDATA[Hello,<br />
<br />
A new response was submitted for your survey '{SURVEYNAME}'.<br />
<br />
Click the following link to see the individual response:<br />
{VIEWRESPONSEURL}<br />
<br />
Click the following link to edit the individual response:<br />
{EDITRESPONSEURL}<br />
<br />
View statistics by clicking here:<br />
{STATISTICSURL}]]></email_admin_notification>
    <email_admin_responses_subj><![CDATA[Response submission for survey {SURVEYNAME} with results]]></email_admin_responses_subj>
    <email_admin_responses><![CDATA[Hello,<br />
<br />
A new response was submitted for your survey '{SURVEYNAME}'.<br />
<br />
Click the following link to see the individual response:<br />
{VIEWRESPONSEURL}<br />
<br />
Click the following link to edit the individual response:<br />
{EDITRESPONSEURL}<br />
<br />
View statistics by clicking here:<br />
{STATISTICSURL}<br />
<br />
<br />
The following answers were given by the participant:<br />
{ANSWERTABLE}]]></email_admin_responses>
    <surveyls_numberformat><![CDATA[0]]></surveyls_numberformat>
   </row>
  </rows>
 </surveys_languagesettings>
 <themes>
  <theme>
   <sid>894847</sid>
   <template_name>fruity</template_name>
   <config>
    <options>inherit</options>
   </config>
  </theme>
 </themes>
 <themes_inherited>
  <theme>
   <sid>894847</sid>
   <template_name>fruity</template_name>
   <config>
    <options>
     <ajaxmode>off</ajaxmode>
     <brandlogo>on</brandlogo>
     <brandlogofile>themes/survey/fruity/files/logo.png</brandlogofile>
     <container>on</container>
     <backgroundimage>off</backgroundimage>
     <animatebody>off</animatebody>
     <bodyanimation>fadeInRight</bodyanimation>
     <bodyanimationduration>500</bodyanimationduration>
     <animatequestion>off</animatequestion>
     <questionanimation>flipInX</questionanimation>
     <questionanimationduration>500</questionanimationduration>
     <animatealert>off</animatealert>
     <alertanimation>shake</alertanimation>
     <alertanimationduration>500</alertanimationduration>
     <font>noto</font>
     <bodybackgroundcolor>#ffffff</bodybackgroundcolor>
     <fontcolor>#444444</fontcolor>
     <questionbackgroundcolor>#ffffff</questionbackgroundcolor>
     <questionborder>on</questionborder>
     <questioncontainershadow>on</questioncontainershadow>
     <checkicon>f00c</checkicon>
     <animatecheckbox>on</animatecheckbox>
     <checkboxanimation>rubberBand</checkboxanimation>
     <checkboxanimationduration>500</checkboxanimationduration>
     <animateradio>on</animateradio>
     <radioanimation>zoomIn</radioanimation>
     <radioanimationduration>500</radioanimationduration>
     <zebrastriping>off</zebrastriping>
     <stickymatrixheaders>off</stickymatrixheaders>
     <greyoutselected>off</greyoutselected>
     <hideprivacyinfo>off</hideprivacyinfo>
     <crosshover>off</crosshover>
     <showpopups>1</showpopups>
     <showclearall>off</showclearall>
     <questionhelptextposition>top</questionhelptextposition>
     <notables>1</notables>
    </options>
   </config>
  </theme>
 </themes_inherited>
</document>
survey_responses_screenshot.jpg (33,342 bytes)   
ollehar

2022-08-10 16:27

administrator   ~71406

Please add a unit test for this, too.

gabrieljenik

2022-08-11 19:54

manager   ~71413

Comment is not saved? or comment is saved but not shown?

@ollehar, from the research this is saved, but not shown.
Why not shown? because strip_tags is being used.
Is it necessary to use strip_tags here? Is html_encode not enough?
(obviously not a security expert :) )

ollehar

2022-08-12 10:23

administrator   ~71426

Aha. Hm. Yeah, same, I usually leave security questions to Carsten and Denis. What's the commit history for the strip tags line?

gabrieljenik

2022-08-12 15:40

manager   ~71434

Haven't checked recently.
But kind of messy.
The same code is used in multiple places, so hard to make a change.

ollehar

2022-08-12 15:48

administrator   ~71435

What about strip tags at that specific place, for answers? There should be decision reasoning in the commit message. Is it in em manager?

gabrieljenik

2022-08-19 14:52

manager   ~71497

Last edited: 2022-08-19 14:53

Chat with Carsten:

  • XSS is overkill
  • strip_tags could be removed.
  • We need something like html_encode or html_special_chars

DenisChenu

2022-09-17 10:14

developer   ~71808

Reminder about the difference between what the user enters in the survey and an answer that comes from a Single choice question

To be more clear : import LSA and check

Q00 : free text : user enters <strong>strong</strong>
Q01 : single choice : user chooses the choice strong, shown as <strong>strong</strong>

I send the current one (strip tags in all conditions)

I send (in my opinion) the desired behaviours
The current one
and the undesired : comment here : https://github.com/LimeSurvey/LimeSurvey/pull/2608#discussion_r973075125

In my opinion : it must depend on question type and part type :

  • free text encoded
  • other encoded
  • comment encoded

All others stripped (and filtered for JS)
Maybe we need to rewrite getExtendedAnswer (move it to Question object ?) to return the stripped value for survey content and the encoded value for user content ?

3X_current.png (7,386 bytes)   
3X_desired.png (9,189 bytes)   
3X_undesiredToTest.png (9,840 bytes)   
DenisChenu

2022-09-17 10:19

developer   ~71809

Maybe we need to rewrite getExtendedAnswer (move it to Question object ?) to return the stripped value for survey content and the encoded value for user content ?

We can even show [A1] (answer code) as strong or anything else

See : https://demo.sondages.pro/plugins/direct?plugin=responseListAndManage&sid=759983
(using code tag)

gabrieljenik

2022-09-23 14:58

manager   ~71899

As Denis said we have 2 sources of value for the cell:
a- User Answer
b- Answer Option

A - User Answer must be shown encoded. Not much to discuss there I believe.

B - Answer Options, shall be flattened, as to not show HTML in there.
Not because of a security issue, as it is coming from inside LS, should already be safe - either XSSed or superadmin entered.
But because it is to be shown on a grid.

The problem with flattening is that strip_tags is also removing options like "< 1", which kind of resemble the start of a tag.
We will try with purifier instead of striptags and be back.

Something else I would do is rename SurveyDynamic::getExtendedData() --> SurveyDynamic::getResponseGridColData()
As it is public, we can make an alias for backwards compatibility.
I am inclined to do that so as to make it pretty clear that the function is tailor made for the widget and we shall not reuse it for something else, so as to later make it easy/safer to update it.

DenisChenu

2022-09-23 16:11

developer   ~71902

I am inclined to do that so as to make it pretty clear that the function is tailor made for the widget and we shall not reuse it for something else, so as to later make it easy/safer to update it.

+1

better link for the responseListAndManage solution : https://demo.sondages.pro/plugins/direct?plugin=responseListAndManage&sid=759983

But here : there a lot of work : https://gitlab.com/SondagesPro/coreAndTools/getQuestionInformation/-/blob/master/helpers/surveyColumnsInformation.php#L212

Alternative solution :

https://github.com/LimeSurvey/LimeSurvey/blob/0569c3c326f22927caee459ffe9fef55303218f7/application/models/SurveyDynamic.php#L391
Then update (or copy) getAnswer function
https://github.com/LimeSurvey/LimeSurvey/blob/0569c3c326f22927caee459ffe9fef55303218f7/application/helpers/common_helper.php#L963

getExtendedAnswer($iSurveyID, $sFieldCode, $sValue, $sLanguage, $forgrid = false)

if $forgrid : striptags for single choice answer and encode for free text.

gabrieljenik

2022-09-23 17:07

manager   ~71916

striptags for single choice answer

This is actually causing the reported error.
Can't use strip_tags on answer options.

gabrieljenik

2022-09-23 17:16

manager   ~71917

Maybe we are trying too hard.
We can't derive a plain text value from HTML without probably messing up some answer options which are wrongly identified as HTML.
The survey designer knows.

So, maybe:

  • Always encode the answer, no matter if it is free text or answer option.
  • Add a question attribute: Strip HTML from options when showing responses.
  • Add a setting on the response view: Show Answer Code, Show Answer Code + Text, Show Text

I mean, showing html on that response table is not the worst.

Same scenario should be checked when exporting, although I believe it works fine.

Thoughts?

DenisChenu

2022-09-23 17:29

developer   ~71919

A quick idea for testing :

function getExtendedAnswer($iSurveyID, $sFieldCode, $sValue, $sLanguage, $forgrid = false)

And at line https://github.com/LimeSurvey/LimeSurvey/blob/0569c3c326f22927caee459ffe9fef55303218f7/application/helpers/common_helper.php#L1127

if ($forgrid) {
    if (isset($this_answer)) {
        // answer option text comes from the survey design: flatten it for the grid and keep the code
        return viewHelper::flatten($this_answer) . " [$sValue]";
    } else {
        // free text / comment / other comes from the respondent: encode only, never strip
        return CHtml::encode($sValue);
    }
}

And don't update anything in grid (raw format)

OR

    if (isset($this_answer)) {
        if ($forgrid) {
            // grid display: flattened answer option text plus the answer code
            return viewHelper::flatten($this_answer) . " [$sValue]";
        } else {
            return $this_answer . " [$sValue]";
        }
    } else {
        return $sValue;
    }

In your current commit.

DenisChenu

2022-09-23 17:31

developer   ~71920

maybe issue with other to test here …

if (!empty($this_answer)) { can be better.
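The two rendering paths discussed in gabrieljenik's note ~71899 and DenisChenu's notes ~71919/~71920 (encode respondent-entered text; flatten designer-entered answer option text and append the answer code), as an added PHP example. It is not LimeSurvey's code: flattenAnswerOption() and encodeText() are assumed stand-ins for viewHelper::flatten() and CHtml::encode(), renderGridCell() is a hypothetical helper, and the sample values are constructed from the cases named in this thread. Running it shows why strip_tags() on respondent input such as "<2" loses the value (the "<" is read as the start of a tag) while encoding keeps it, and that the answer-option path still flattens markup such as <strong>strong</strong> while keeping a label like "1 &lt; 2" intact.

```php
<?php
declare(strict_types=1);

// Added example, not LimeSurvey's own code.
// Assumptions (stand-ins, not the project's API):
//   - flattenAnswerOption() approximates viewHelper::flatten(): strip markup,
//     decode entities, collapse whitespace, return plain text;
//   - encodeText() approximates CHtml::encode(): htmlspecialchars().

/** Designer content (answer option label) -> plain text without markup. */
function flattenAnswerOption(string $html): string
{
    $text = strip_tags($html);
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return trim((string) preg_replace('/\s+/u', ' ', $text));
}

/** Any text -> HTML-safe text. Respondent input goes through this and nothing else. */
function encodeText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build one cell of the response grid.
 * $answerOptionText is the designer's label when the field is a single choice
 * answer; null (or empty, as in the !empty() check above) for free text,
 * comment and "other" fields, which hold respondent input.
 */
function renderGridCell(string $value, ?string $answerOptionText): string
{
    if (!empty($answerOptionText)) {
        // Designer content: flatten so markup does not render inside the grid,
        // then encode the plain text; keep the answer code for traceability.
        return encodeText(flattenAnswerOption($answerOptionText)) . ' [' . encodeText($value) . ']';
    }
    // Respondent content: never strip, only encode, so "<2" survives.
    return encodeText($value);
}

// Constructed sample data mirroring the cases from this thread.
$cases = [
    ['value' => '<2',                      'option' => null],
    ['value' => '1 < 2',                   'option' => null],
    ['value' => '<strong>strong</strong>', 'option' => null],
    ['value' => 'A1',                      'option' => '<strong>strong</strong>'],
    ['value' => 'A2',                      'option' => '1 &lt; 2'],
];

printf("%-34s | %-24s | %s\n", 'input (value / option)', 'strip_tags(value) only', 'grid cell');
foreach ($cases as $case) {
    printf(
        "%-34s | %-24s | %s\n",
        $case['value'] . ($case['option'] !== null ? ' / ' . $case['option'] : ''),
        strip_tags($case['value']),
        renderGridCell($case['value'], $case['option'])
    );
}
```

Run it with the PHP CLI: the first column is the raw input, the second what strip_tags() alone leaves of the respondent value, the third the proposed grid cell. The same split applies to export: respondent fields are encoded (or left raw for CSV), answer option labels are flattened, and strip_tags() is never applied to respondent input.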

DenisChenu

2022-09-23 17:36

developer   ~71921

Update the test lsa file with some <2 answer at last line.

DenisChenu

2022-09-30 17:35

developer   ~72035

See discussion.

Current PR fixes 1 < 2 or <0 but not <strong>strong</strong> in free text answers

gabrieljenik

2022-10-05 17:38

manager   ~72126

Tested it again.
All good. Even for export.

Updating the test LSA

Free text is still getting filtered when view. Will open another ticket

gabrieljenik

2022-10-06 10:42

manager   ~72140

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33934

LimeBot

2022-10-10 10:47

administrator   ~72178

Fixed in Release 5.4.5+221010

Related Changesets

LimeSurvey: master b634379e

2022-10-06 10:41:57

gabrieljenik

Committer: GitHub
Fixed issue 18307: A comment string starting with a '<' is not saved using Multiple choice with comments (#2608)

Co-authored-by: encuestabizdevgit <devgit@encuesta.biz>
Affected Issues
18307
mod - application/controllers/ResponsesController.php
mod - application/models/SurveyDynamic.php

Issue History

Date Modified Username Field Change
2022-08-10 16:08 JussiH New Issue
2022-08-10 16:08 JussiH File Added: limesurvey_survey_894847.lss
2022-08-10 16:08 JussiH File Added: survey_responses_screenshot.jpg
2022-08-10 16:11 ollehar Priority none => high
2022-08-10 16:11 ollehar Severity minor => block
2022-08-10 16:27 ollehar Note Added: 71406
2022-08-10 16:27 ollehar Bug heat 0 => 2
2022-08-11 15:17 gabrieljenik Assigned To => gabrieljenik
2022-08-11 15:17 gabrieljenik Status new => assigned
2022-08-11 19:54 gabrieljenik Note Added: 71413
2022-08-11 19:54 gabrieljenik Bug heat 2 => 4
2022-08-12 10:23 ollehar Note Added: 71426
2022-08-12 15:40 gabrieljenik Note Added: 71434
2022-08-12 15:48 ollehar Note Added: 71435
2022-08-19 14:52 gabrieljenik Note Added: 71497
2022-08-19 14:53 gabrieljenik Note Edited: 71497
2022-09-17 10:14 DenisChenu Note Added: 71808
2022-09-17 10:14 DenisChenu File Added: 3X_current.png
2022-09-17 10:14 DenisChenu File Added: 3X_desired.png
2022-09-17 10:14 DenisChenu File Added: 3X_undesiredToTest.png
2022-09-17 10:14 DenisChenu File Added: survey_archive_TagCheck.lsa
2022-09-17 10:14 DenisChenu Bug heat 4 => 6
2022-09-17 10:19 DenisChenu Note Added: 71809
2022-09-23 14:58 gabrieljenik Note Added: 71899
2022-09-23 16:11 DenisChenu Note Added: 71902
2022-09-23 17:07 gabrieljenik Note Added: 71916
2022-09-23 17:16 gabrieljenik Note Added: 71917
2022-09-23 17:29 DenisChenu Note Added: 71919
2022-09-23 17:31 DenisChenu Note Added: 71920
2022-09-23 17:36 DenisChenu Note Added: 71921
2022-09-23 17:36 DenisChenu File Added: survey_archive_TagCheckWithOtherComment.lsa
2022-09-27 17:18 gabrieljenik Assigned To gabrieljenik => DenisChenu
2022-09-27 17:18 gabrieljenik Status assigned => ready for code review
2022-09-28 10:35 DenisChenu Status ready for code review => ready for testing
2022-09-30 17:35 DenisChenu Assigned To DenisChenu =>
2022-09-30 17:35 DenisChenu Status ready for testing => ready for merge
2022-09-30 17:35 DenisChenu Note Added: 72035
2022-10-05 17:38 gabrieljenik Note Added: 72126
2022-10-05 17:38 gabrieljenik File Added: survey_archive_682144.lsa
2022-10-05 17:41 gabrieljenik Issue cloned: 18402
2022-10-05 17:41 gabrieljenik Relationship added related to 18402
2022-10-05 17:43 gabrieljenik Assigned To => ollehar
2022-10-06 10:42 gabrieljenik Changeset attached => LimeSurvey master b634379e
2022-10-06 10:42 gabrieljenik Note Added: 72140
2022-10-06 10:42 gabrieljenik Assigned To ollehar => gabrieljenik
2022-10-06 10:42 gabrieljenik Resolution open => fixed
2022-10-10 10:47 LimeBot Note Added: 72178
2022-10-10 10:47 LimeBot Status ready for merge => closed
2022-10-10 10:47 LimeBot Bug heat 6 => 8