From 97d8e349617715c62bbdfd6cef4ef4151c08066b Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Fri, 17 Jan 2020 17:44:55 +0100
Subject: [PATCH] =?UTF-8?q?Revert=20"New=20feature=20#15693:=20Allow=20sim?=
 =?UTF-8?q?ple=20user=20to=20update=20script=20with=20XSS=20enable"=20Dev:?=
 =?UTF-8?q?=20bad=20push=20=E2=80=A6=20This=20reverts=20commit=2096c06a9d9?=
 =?UTF-8?q?3a4209e43c94eeac6d822ebf7aca760.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/config/config-defaults.php | 6 ----
 application/core/LSWebUser.php | 3 --
 .../views/admin/globalsettings/_security.php | 30 ++++---------------
 3 files changed, 6 insertions(+), 33 deletions(-)
diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
index ba3da499925..44faa16cb01 100644
--- a/application/config/config-defaults.php
+++ b/application/config/config-defaults.php
@@ -237,12 +237,6 @@
 // allow these users to be able to use Javascript etc. .
 $config['filterxsshtml'] = true;
 
-// disablescriptwithxss
-// Allow update of script in question
-// true : Default : follow XSS rules
-// false : allowed for all
-$config['disablescriptwithxss'] = true;
-
 // usercontrolSameGroupPolicy
 // If this option is set to true, then limesurvey operators will only 'see'
 // users that belong to at least one of their groups
diff --git a/application/core/LSWebUser.php b/application/core/LSWebUser.php
index 7ca2ef65b63..054022c1ff0 100644
--- a/application/core/LSWebUser.php
+++ b/application/core/LSWebUser.php
@@ -133,9 +133,6 @@ public function isXssFiltered()
 // Permission::model exist only after 172 DB version
 return Yii::app()->getConfig('filterxsshtml');
 }
- if (!Yii::app()->getConfig('disablescriptwithxss')) {
- return true;
- }
 if (Yii::app()->getConfig('filterxsshtml')) {
 return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
 }
diff --git a/application/views/admin/globalsettings/_security.php b/application/views/admin/globalsettings/_security.php index dd72f7480ff..f485a91e3c3 100644 --- a/application/views/admin/globalsettings/_security.php +++ b/application/views/admin/globalsettings/_security.php @@ -11,7 +11,7 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'surveyPreview_require_Auth', 'id'=>'surveyPreview_require_Auth', - 'value' => Yii::app()->getConfig('surveyPreview_require_Auth'), + 'value' => getGlobalSetting('surveyPreview_require_Auth'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -24,42 +24,24 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'filterxsshtml', 'id'=>'filterxsshtml', - 'value' => Yii::app()->getConfig('filterxsshtml'), + 'value' => getGlobalSetting('filterxsshtml'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off') )); ?> -
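Review bot: The switch value on the new side is read with `getGlobalSetting('surveyPreview_require_Auth')`, while the enforcement path in the LSWebUser.php hunk of this same patch reads its sibling setting through `Yii::app()->getConfig('filterxsshtml')`; if those two accessors can resolve to different sources (for example a config-file override versus a stored value), the toggle shown on the security page would not be the value that is actually enforced — whether they differ cannot be confirmed from this page. The same accessor split appears in the following `filterxsshtml`, `usercontrolSameGroupPolicy`, `x_frame_options` and `force_ssl` hunks. If the two are equivalent, a one-line comment above the widget, `// NOTE: LSWebUser::isXssFiltered() reads filterxsshtml via Yii::app()->getConfig(); keep the two accessors in sync`, would record that dependency; otherwise the display and the enforcement code should read the same accessor. The enclosing view markup begins before this hunk.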
- -
- - -
-
- widget('yiiwheels.widgets.switch.WhSwitch', array( - 'name' => 'filterxsshtml', - 'id'=>'filterxsshtml', - 'value' => Yii::app()->getConfig('disablescriptwithxss'), - 'onLabel'=>gT('On'), - 'offLabel' => gT('Off') - )); - ?> -
-
- +
-
widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'usercontrolSameGroupPolicy', 'id'=>'usercontrolSameGroupPolicy', - 'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'), + 'value' => getGlobalSetting('usercontrolSameGroupPolicy'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -75,7 +57,7 @@
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'x_frame_options', - 'value'=> Yii::app()->getConfig('x_frame_options'), + 'value'=> getGlobalSetting('x_frame_options'), 'selectOptions'=>array( "allow"=>gT("Allow",'unescaped'), "sameorigin"=>gT("Same origin",'unescaped') @@ -93,7 +75,7 @@
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'force_ssl', - 'value'=> Yii::app()->getConfig('force_ssl'), + 'value'=> getGlobalSetting('force_ssl'), 'selectOptions'=>array( "on"=>gT("On",'unescaped'), "off"=>gT("Off",'unescaped')