
New feature #15693: Allow simple user to update script with XSS enable

Dev: add the setting and use it
Shnoulle committed Jan 17, 2020
1 parent a008c32 commit 96c06a9d93a4209e43c94eeac6d822ebf7aca760
@@ -237,6 +237,12 @@
// allow these users to be able to use Javascript etc. .
$config['filterxsshtml'] = true;

// disablescriptwithxss
// Allow update of script in question
// true : Default : follow XSS rules
// false : allowed for all
$config['disablescriptwithxss'] = true;

// usercontrolSameGroupPolicy
// If this option is set to true, then limesurvey operators will only 'see'
// users that belong to at least one of their groups
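Review bot: The comment block introducing `disablescriptwithxss` says only "follow XSS rules" / "allowed for all" without naming what is being allowed, and the key reads inverted relative to the feature (true means script editing is withheld from XSS-filtered users, false means it is granted to them). A reader of config-defaults.php should see the consequence of flipping it, since false makes `filterxsshtml` ineffective against stored script. Suggested replacement for the three comment lines: `// Block users subject to XSS filtering from adding <script> in question/answer text`, `// true  : default, script editing follows the filterxsshtml / superadmin rules`, `// false : every user who may edit questions can add script (filterxsshtml no longer prevents it)`.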
@@ -133,6 +133,9 @@ public function isXssFiltered()
// Permission::model exist only after 172 DB version
return Yii::app()->getConfig('filterxsshtml');
}
if (!Yii::app()->getConfig('disablescriptwithxss')) {
return true;
}
if (Yii::app()->getConfig('filterxsshtml')) {
return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
}
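Review bot: The early return added at `if (!Yii::app()->getConfig('disablescriptwithxss'))` has no comment, and because the `@@` context only shows the nearest preceding signature (`isXssFiltered`) the hunk does not reveal which method this is or what `true` means here; the enclosing method starts before the hunk and appears to continue after it. If this is a separate "script update allowed" helper, `return true` deliberately short-circuits the `filterxsshtml` / superadmin checks below it and should say so: `// disablescriptwithxss = false: any question editor may add script, skip the XSS-filter checks`. If the lines actually sit inside `isXssFiltered()`, returning true for the relaxing setting would report users as filtered, which looks inverted and is worth confirming against the full method. Note also that the pre-172 branch immediately above returns the raw `filterxsshtml` value, so the new setting is silently ignored on old schemas; a comment or a matching check there would make that explicit.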
@@ -11,7 +11,7 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'surveyPreview_require_Auth',
'id'=>'surveyPreview_require_Auth',
'value' => getGlobalSetting('surveyPreview_require_Auth'),
'value' => Yii::app()->getConfig('surveyPreview_require_Auth'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -24,24 +24,42 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => getGlobalSetting('filterxsshtml'),
'value' => Yii::app()->getConfig('filterxsshtml'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-success'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
</div>
</div>

<div class="form-group">
<label class=" control-label" for='disablescriptwithxss'><?php eT("Disable question script for XSS restricted user:"); ?></label>
<div class="">
<span class='hint'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => Yii::app()->getConfig('disablescriptwithxss'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-warning'><?php eT("If you disable this option : user with XSS restriction still can add script. This allow user to add cross-site scripting javascript system."); ?></span>
</div>
</div>


<div class="form-group">
<label class=" control-label" for='usercontrolSameGroupPolicy'><?php eT("Group member can only see own group:"); ?></label>
<div class="">
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'usercontrolSameGroupPolicy',
'id'=>'usercontrolSameGroupPolicy',
'value' => getGlobalSetting('usercontrolSameGroupPolicy'),
'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -57,7 +75,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'x_frame_options',
'value'=> getGlobalSetting('x_frame_options'),
'value'=> Yii::app()->getConfig('x_frame_options'),
'selectOptions'=>array(
"allow"=>gT("Allow",'unescaped'),
"sameorigin"=>gT("Same origin",'unescaped')
@@ -75,7 +93,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'force_ssl',
'value'=> getGlobalSetting('force_ssl'),
'value'=> Yii::app()->getConfig('force_ssl'),
'selectOptions'=>array(
"on"=>gT("On",'unescaped'),
"off"=>gT("Off",'unescaped')
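Review bot: The new "Disable question script for XSS restricted user" switch in hunk `@@ -24,24 +24,42 @@` is wired to the wrong field: its widget uses `'name' => 'filterxsshtml'` and `'id'=>'filterxsshtml'`, duplicating the switch above it, so the form posts `filterxsshtml` twice and never submits `disablescriptwithxss`; since the later value wins, turning the new switch off would in fact turn off global XSS filtering. The two lines should read `'name' => 'disablescriptwithxss',` and `'id'=>'disablescriptwithxss',`, which also lets the `for='disablescriptwithxss'` label resolve and removes the duplicate HTML id. The hint `Note: XSS filtering is always disabled for the superadministrator.` repeated above the new switch belongs to the previous setting and looks like a copy-paste leftover. The warning text could be tightened to `If you disable this option, users under XSS restriction can still add script, which allows stored cross-site scripting.`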
