From ae8a6cb8bbd31a337ebb9cbe5bddd0f7847b2c4c Mon Sep 17 00:00:00 2001
From: Denis Chenu
Date: Tue, 28 Jan 2020 15:02:48 +0100
Subject: [PATCH] New feature #15693: Allow simple user to update script with XSS enable (#1372)

---
 application/config/config-defaults.php | 6 ++++
 application/core/LSWebUser.php | 3 ++
 .../views/admin/globalsettings/_security.php | 30 +++++++++++++++----
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/application/config/config-defaults.php b/application/config/config-defaults.php
index 44faa16cb01..ba3da499925 100644
--- a/application/config/config-defaults.php
+++ b/application/config/config-defaults.php
@@ -237,6 +237,12 @@
 // allow these users to be able to use Javascript etc. .
 $config['filterxsshtml'] = true;
 
+// disablescriptwithxss
+// Allow update of script in question
+// true : Default : follow XSS rules
+// false : allowed for all
+$config['disablescriptwithxss'] = true;
+
 // usercontrolSameGroupPolicy
 // If this option is set to true, then limesurvey operators will only 'see'
 // users that belong to at least one of their groups
diff --git a/application/core/LSWebUser.php b/application/core/LSWebUser.php
index 054022c1ff0..7ca2ef65b63 100644
--- a/application/core/LSWebUser.php
+++ b/application/core/LSWebUser.php
@@ -133,6 +133,9 @@ public function isXssFiltered()
 // Permission::model exist only after 172 DB version
 return Yii::app()->getConfig('filterxsshtml');
 }
+if (!Yii::app()->getConfig('disablescriptwithxss')) {
+return true;
+}
 if (Yii::app()->getConfig('filterxsshtml')) {
 return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
 }
diff --git a/application/views/admin/globalsettings/_security.php b/application/views/admin/globalsettings/_security.php
index f485a91e3c3..dd72f7480ff 100644
--- a/application/views/admin/globalsettings/_security.php
+++ b/application/views/admin/globalsettings/_security.php
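Review bot: The comment block added above `$config['disablescriptwithxss'] = true;` is hard to read: the key is phrased as a negative ("disable…") while the comment opens with "Allow update of script", and "true : Default : follow XSS rules" does not say what following the rules means for the user. Since this is a security-relevant default that administrators will read in this file, spell out each value in terms of the question script field, e.g. `// true  (default): editing the question script follows the XSS filter rules` and `// false: any user may edit the question script, whatever the XSS filter setting`. Keep the key name on its own first line as the neighbouring entries do.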
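Review bot: The early `return true;` added to isXssFiltered() makes every user, superadmins included, report as XSS-filtered whenever `disablescriptwithxss` is false, and because the new check sits before the `filterxsshtml` test it does so even when XSS filtering is globally switched off. The config-defaults comment describes the new key as a permission to edit the question script, not as a switch that forces filtering on, so if that reading is right the two policies are being conflated here and every other caller of isXssFiltered() changes behaviour as a side effect. isXssFiltered() starts before the hunk and its final return is outside it. I would leave isXssFiltered() as it was and expose the script permission through its own predicate that callers of the script editor can ask:

```php
    // … unchanged: isXssFiltered() without the added early return …

    /**
     * Whether the current user may update the question script field.
     * Scripts follow the XSS filter rules unless 'disablescriptwithxss' is switched off.
     * @return boolean
     */
    public function isScriptUpdateAllowed()
    {
        if (!Yii::app()->getConfig('disablescriptwithxss')) {
            return true;
        }
        return !$this->isXssFiltered();
    }
```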
@@ -11,7 +11,7 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'surveyPreview_require_Auth', 'id'=>'surveyPreview_require_Auth', - 'value' => getGlobalSetting('surveyPreview_require_Auth'), + 'value' => Yii::app()->getConfig('surveyPreview_require_Auth'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -24,24 +24,42 @@ widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'filterxsshtml', 'id'=>'filterxsshtml', - 'value' => getGlobalSetting('filterxsshtml'), + 'value' => Yii::app()->getConfig('filterxsshtml'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off') )); ?> +
+ +
+ + +
+
- + widget('yiiwheels.widgets.switch.WhSwitch', array( + 'name' => 'filterxsshtml', + 'id'=>'filterxsshtml', + 'value' => Yii::app()->getConfig('disablescriptwithxss'), + 'onLabel'=>gT('On'), + 'offLabel' => gT('Off') + )); + ?> +
+
+
+
widget('yiiwheels.widgets.switch.WhSwitch', array( 'name' => 'usercontrolSameGroupPolicy', 'id'=>'usercontrolSameGroupPolicy', - 'value' => getGlobalSetting('usercontrolSameGroupPolicy'), + 'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'), 'onLabel'=>gT('On'), 'offLabel' => gT('Off'))); ?> @@ -57,7 +75,7 @@
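Review bot: The new switch in this hunk keeps `'name' => 'filterxsshtml'` and `'id'=>'filterxsshtml'` copied from the switch above it while its value is read from `disablescriptwithxss`, so the page now contains two form controls with the same name and the same DOM id. Presumably the save handler then receives the script toggle's value under `filterxsshtml` and never sees `disablescriptwithxss` at all, which would let this new control silently overwrite the XSS-filter setting; the duplicate id also breaks the label/switch binding. Change the two lines to `'name' => 'disablescriptwithxss',` and `'id'=>'disablescriptwithxss',`. The surrounding markup of the hunk is not visible in this rendering, so the label text for the new control could not be checked.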
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'x_frame_options', - 'value'=> getGlobalSetting('x_frame_options'), + 'value'=> Yii::app()->getConfig('x_frame_options'), 'selectOptions'=>array( "allow"=>gT("Allow",'unescaped'), "sameorigin"=>gT("Same origin",'unescaped') @@ -75,7 +93,7 @@
widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array( 'name' => 'force_ssl', - 'value'=> getGlobalSetting('force_ssl'), + 'value'=> Yii::app()->getConfig('force_ssl'), 'selectOptions'=>array( "on"=>gT("On",'unescaped'), "off"=>gT("Off",'unescaped')