Sanitize HTML within SurveyJS Creator

Cef Tovil

created a year ago (modified a year ago)

[Ticket cloned from T18769: XSS Security issue with markdown]

Hello again,
Yesterday, I said it is ok,
it is ok wit the form side, fortunately end user wont see this issue

inside creator, the problem slightly changed but is not completely solved,
My method is this;

Code
creatorModel.onSurveyInstanceCreated.add(function (survey, options) {
      options.survey.onTextMarkdown.add(doMarkdown);

What do you recommend to solve this issue for creator
You can see a little demo attached; first part is creator, second part is form

xss attack.gif

Answers approved by surveyjs Support

Jane

created a year ago

Hi Cef,
The issue is fixed in v1.11.6. Please upgrade your SurveyJS Creator and Library version.

Should you have any further questions, feel free to contact us at any time.

Comments (2)

Cef Tovil a year ago

it works, thank you very much.

Jane a year ago

You're always welcome. Please feel free to contact us if you require further assistance.

Thank you

Jane

created a year ago

Hello,
I created the following demo: View Plunker. The demo uses the latest version of SurveyJS Creator. The survey.onTextMarkdown function is registered within the creator.onSurveyInstanceCreated function as follows:

JavaScript
creator.onSurveyInstanceCreated.add((sender, options) => {
      if(options.area = "designer-tab" || options.area === "preview-tab"){
        options.survey.onTextMarkdown.add(processMarkdown);
      }
})

I confirm that the above code stops execution of a custom JS code within survey texts. If you haven't yet upgraded to the most recent version of SurveyJS (v1.11.4), please do so.

Let me know how it goes.

Show previous comments (3)

Cef Tovil a year ago

the following demo: View Plunker. also has no effect to the problem.

by the way i upgraded to the latest, but problem goes.

xss attack...lunker.gif

Jane a year ago

Hi Cef,
Thank you for the update. I forwarded this issue to our developers for further investigation. We'll update you as soon as we get any news to share.
Please stay tuned.

Jane a year ago

Hi Cef,
Thank you for your patience. To solve the issue, please update the onTextMarkdown and sanitize the Markdown content before processing it with a Markdown processing library. Please consider the updated example: View Demo.

Let us know if you have further questions.

Cef Tovil a year ago

I checked updated example and nothing changed. Could you please check out at my gif file that i send you before.

Thanks.

Jane a year ago

Hello Cef,
Please accept my apologies for missing this. We will investigate the issue further and update you shortly.

Thank you

Cef Tovil a year ago

no problem, sincere…

Sanitize HTML within SurveyJS Creator

Answers approved by surveyjs Support

Recently viewed tickets