Skip to content
Permalink
Browse files

New feature #15693: Allow simple user to update script with XSS enable (

  • Loading branch information
Shnoulle authored and lacrioque committed Jan 28, 2020
1 parent 73f405e commit ae8a6cb8bbd31a337ebb9cbe5bddd0f7847b2c4c
@@ -237,6 +237,12 @@
// allow these users to be able to use Javascript etc. .
$config['filterxsshtml'] = true;

// disablescriptwithxss
// Allow update of script in question
// true : Default : follow XSS rules
// false : allowed for all
$config['disablescriptwithxss'] = true;

// usercontrolSameGroupPolicy
// If this option is set to true, then limesurvey operators will only 'see'
// users that belong to at least one of their groups
@@ -133,6 +133,9 @@ public function isXssFiltered()
// Permission::model exist only after 172 DB version
return Yii::app()->getConfig('filterxsshtml');
}
if (!Yii::app()->getConfig('disablescriptwithxss')) {
return true;
}
if (Yii::app()->getConfig('filterxsshtml')) {
return !\Permission::model()->hasGlobalPermission('superadmin', 'read');
}
@@ -11,7 +11,7 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'surveyPreview_require_Auth',
'id'=>'surveyPreview_require_Auth',
'value' => getGlobalSetting('surveyPreview_require_Auth'),
'value' => Yii::app()->getConfig('surveyPreview_require_Auth'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -24,24 +24,42 @@
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => getGlobalSetting('filterxsshtml'),
'value' => Yii::app()->getConfig('filterxsshtml'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-success'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
</div>
</div>

<div class="form-group">
<label class=" control-label" for='disablescriptwithxss'><?php eT("Disable question script for XSS restricted user:"); ?></label>
<div class="">
<span class='hint'><?php eT("Note: XSS filtering is always disabled for the superadministrator."); ?></span>
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'filterxsshtml',
'id'=>'filterxsshtml',
'value' => Yii::app()->getConfig('disablescriptwithxss'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')
));
?>
</div>
<div class="help-block">
<span class='text-warning'><?php eT("If you disable this option : user with XSS restriction still can add script. This allow user to add cross-site scripting javascript system."); ?></span>

This comment has been minimized.

Copy link
@c-schmitz

c-schmitz Feb 11, 2020

Contributor

@Shnoulle I am sorry but I have no clue what you want to say here. Can you please give me an explanation in French and I will try to correct the string?

This comment has been minimized.

Copy link
@c-schmitz

c-schmitz Feb 12, 2020

Contributor

@Shnoulle Pretty please?

This comment has been minimized.

Copy link
@Shnoulle

Shnoulle Feb 12, 2020

Author Collaborator

If you enable XSS, but disable Disable question script for XSS restricted user: (set to OFF) : then if simple user can not add <script>alert('XSS');<script> inside question text : they can add alert('XSS'); in question script.

Something like this in French

Si vous désactivez cette option: les utilisateur avec restriction XSS porront ajouter des scripts java-script.
Cela permet aux utilisateurs d'ajouter un système de type cross-site scripting.

This comment has been minimized.

Copy link
@c-schmitz

c-schmitz Feb 12, 2020

Contributor

The option says 'Disable question script for XSS restricted user:' On/Off

So when I disable this option it disables the disabled? This is way too complicated. I still don't understand it.

Can we change the text of the switch and the explanation to something that is easier to understand?

Like 'Allow question script editing for users if XSS filter is enabled' Yes/No ?
If the switch text is like that what would the explanation look like?

This comment has been minimized.

Copy link
@Shnoulle

Shnoulle Feb 12, 2020

Author Collaborator

The option are disablescriptwithxss with true : Default : follow XSS rules

Then we need
Allow question script editing for users if XSS filter is enabled :

  • Yes : set disablescriptwithxss to false
  • No : set disablescriptwithxss to true

Else : i make 4 pull request for this simple feature .... the 1st one (and complete) are here : #1358

</div>
</div>


<div class="form-group">
<label class=" control-label" for='usercontrolSameGroupPolicy'><?php eT("Group member can only see own group:"); ?></label>
<div class="">
<?php $this->widget('yiiwheels.widgets.switch.WhSwitch', array(
'name' => 'usercontrolSameGroupPolicy',
'id'=>'usercontrolSameGroupPolicy',
'value' => getGlobalSetting('usercontrolSameGroupPolicy'),
'value' => Yii::app()->getConfig('usercontrolSameGroupPolicy'),
'onLabel'=>gT('On'),
'offLabel' => gT('Off')));
?>
@@ -57,7 +75,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'x_frame_options',
'value'=> getGlobalSetting('x_frame_options'),
'value'=> Yii::app()->getConfig('x_frame_options'),
'selectOptions'=>array(
"allow"=>gT("Allow",'unescaped'),
"sameorigin"=>gT("Same origin",'unescaped')
@@ -75,7 +93,7 @@
<div class="">
<?php $this->widget('yiiwheels.widgets.buttongroup.WhButtonGroup', array(
'name' => 'force_ssl',
'value'=> getGlobalSetting('force_ssl'),
'value'=> Yii::app()->getConfig('force_ssl'),
'selectOptions'=>array(
"on"=>gT("On",'unescaped'),
"off"=>gT("Off",'unescaped')

8 comments on commit ae8a6cb

@olleharstedt

This comment has been minimized.

Copy link
Contributor

@olleharstedt olleharstedt replied Jan 28, 2020

This feature has no acceptance tests and should be reverted.

@olleharstedt

This comment has been minimized.

Copy link
Contributor

@olleharstedt olleharstedt replied Jan 28, 2020

Why was it merged?

@Shnoulle

This comment has been minimized.

Copy link
Collaborator Author

@Shnoulle Shnoulle replied Jan 29, 2020

@olleharstedt sorry, but … #1364

And … more and more complex to add new feature on LS ? Maybe time to fork and stop contribution …

@Shnoulle

This comment has been minimized.

Copy link
Collaborator Author

@Shnoulle Shnoulle replied Jan 29, 2020

@olleharstedt

This comment has been minimized.

Copy link
Contributor

@olleharstedt olleharstedt replied Jan 29, 2020

And … more and more complex to add new feature on LS ? Maybe time to fork and stop contribution …

If our new workflow doesn't work, we should reevaluate it. But we have to try it first. If we continue like before, we will have the same instability as before. We should test the new workflow with scenarios, acceptance tests, regular releases. Then we'll crunch the numbers and see if the stability went up. Maybe we have to reach a compromise if contributors hate it or come up with something new. I hope this makes sense to you. We need to discuss internally (and on IRC, perhaps) what "regular releases" means. I gave you some details on Zulip. I definitely want to get away from large releases with tons of regressions, and also from "feature freeze". We can talk more about it later.

@olleharstedt

This comment has been minimized.

Copy link
Contributor

@olleharstedt olleharstedt replied Jan 29, 2020

Or maybe LS GmbH should do some of the work of a PR, depending on how requested the new feature is.

@Shnoulle

This comment has been minimized.

Copy link
Collaborator Author

@Shnoulle Shnoulle replied Jan 29, 2020

I mean : The 2st pull request done for this feature are #1358

And here : about acceptance test : i don't want to do a Admin Gui edition acceptance test for this single option.
Give me a working admin gui question edition acceptance test … before.

I can do with import, but how to check JS is here or not … must find a way.

And currently : this part of feature are not totally made : need XSS for admin and Question script management.

@olleharstedt

This comment has been minimized.

Copy link
Contributor

@olleharstedt olleharstedt replied Jan 29, 2020

Give me a working admin gui question edition acceptance test … before.

This is a reasonable request, I think. Contributors should have access to example tests they can copy and paste from, to make it easy to add new tests.

And currently : this part of feature are not totally made : need XSS for admin and Question script management.

Right.

Please sign in to comment.
You can’t perform that action at this time.