ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
15096 | Feature requests | Security | public | 2019-08-01 15:06 | 2021-03-08 23:29 |
Field | Value |
---|---|
Reporter | DenisChenu |
Assigned To | DenisChenu |
Priority | none |
Severity | feature |
Status | closed |
Resolution | won't fix |
Summary | 15096: XSS for super-admin too |
Description | Currently XSS settings do 2 things:<br>I'd like to have an HTML filter when I'm super-admin too. And the XSS filter can be good for super-admin too. |
Additional Information | Maybe separation between XSS and Script (for 4.0) can be great too. Add script active settings (start in config.php). Then we can have<br>These settings can be accessible only via a PHP file. |
Tags | No tags attached. |
Bug heat | 262 |
Story point estimate | |
Users affected % | |
Relationship | Issue | Status | Assigned To | Project | Summary |
---|---|---|---|---|---|
related to | 15690 | closed | DenisChenu | Bug reports | User with XSS enable can add/update scripts |
related to | 15693 | closed | DenisChenu | Feature requests | Allow simple user to update script with XSS enable |
Update solution:
These settings can be accessible only via a PHP file.

ping @c_schmitz

After some thinking, need more:

- disablescriptwithxss
- forcedfilterxss
- superadminenablescript

I consider more flexibility with the XSS filter a very useful feature. But adjusting settings should be doable at global settings, not config.php.

BTW, we should also add some kind of detection to show a warning if the XSS filter turns some JS/CSS into bullshit on save. Because many users are very confused about what happens to their JS code on save. We should show additional details/hints to the user.

If you disable XSS for superadmin, but leave this in GUI: you don't need a setting. It's a security fix; some users want to totally disable XSS even for superadmin (user with all rights). This setting is done for this.
Create another feature request, seems a good idea.
Old issue here … Else about workaround: with (in GUI) XSS on + disablescriptwithxss OFF: user can add workaround with XSS enabled.

Think of final part forcedfilterxss
Is OK. But: I didn't like superadminenablescript
I think we must have more enablescript
Another idea?
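The notes above debate whether the XSS filter should also apply to a super-admin, which settings should control that, and (in the remark about mangled JS/CSS) that the user should be told what the filter changed on save. The following Python is an added illustration, not LimeSurvey's code: a small HTML filter plus a role-aware decision function. The setting names come from the note above, but the meaning given to them (forcedfilterxss filters everyone; superadminenablescript lets a super-admin bypass the filter; otherwise the per-user switch decides) is an assumption made for this example, as are the function and class names and the sample markup.

```python
# Added example, not LimeSurvey code. The semantics of the settings below are an
# assumption for illustration; the thread only names them.
from html import escape
from html.parser import HTMLParser

DROPPED_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}


class XssFilter(HTMLParser):
    """Rebuilds markup while dropping script-bearing elements, on* event
    handlers and javascript: URLs. Everything removed is recorded so the UI
    can warn the user about what the filter changed on save."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside a dropped element
        self.removed = []           # human-readable log of what was filtered

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if self.skip_depth:
            self.skip_depth += 1
            return
        if tag in DROPPED_ELEMENTS:
            self.skip_depth = 1
            self.removed.append(f"<{tag}> element")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                self.removed.append(f"{name} handler on <{tag}>")
                continue
            # Strip whitespace so split-up schemes such as "java\tscript:" are caught.
            compact = "".join((value or "").split()).lower()
            if name in URL_ATTRIBUTES and compact.startswith("javascript:"):
                self.removed.append(f"javascript: URL in {name} on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
            return
        if tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside a dropped element (e.g. script body) is discarded;
        # everything else is re-escaped so it cannot reopen markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def should_filter(is_superadmin, xss_filter_on, settings):
    """Assumed meaning of the proposed settings (hypothetical):
    forcedfilterxss filters everyone, super-admins included;
    superadminenablescript lets a super-admin bypass the filter;
    otherwise the user's own XSS switch decides."""
    if settings.get("forcedfilterxss", False):
        return True
    if is_superadmin and settings.get("superadminenablescript", False):
        return False
    return xss_filter_on


def save_content(html, *, is_superadmin, xss_filter_on, settings):
    """Return (stored_html, removed): removed lists what the filter dropped,
    empty when the content was stored unchanged."""
    if not should_filter(is_superadmin, xss_filter_on, settings):
        return html, []
    f = XssFilter()
    f.feed(html)
    f.close()
    return f.result(), f.removed


# Constructed sample input for the example; not taken from the tracker.
SAMPLE = ('<p onclick="steal()">Hi</p>'
          '<a href="javascript:alert(1)">x</a>'
          '<script>evil()</script><img src="/ok.png">')

if __name__ == "__main__":
    clean, removed = save_content(SAMPLE, is_superadmin=False,
                                  xss_filter_on=True, settings={})
    print(clean)                      # <p>Hi</p><a>x</a><img src="/ok.png">
    for item in removed:
        print("warning: filtered", item)
```

The `removed` list is what turns the filter from a silent rewrite into something a user can act on: instead of wondering why their JavaScript vanished, they see which handler, element or URL was dropped and why. With `superadminenablescript` set, a super-admin's content passes through untouched unless `forcedfilterxss` overrides it.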
Use-case: Enable XSS filtering for superadmin. Why do we need three new options?

Arg ... invalid time tracking lost all .... Because: there are scripts now, and it's linked with XSS protection (like upload of SVG ....) (or JS edition). Idea with

It's OK? Or I close this one? Nobody behind, then not a real need.

I think this would be feature bloat. I don't see any chance to take this into core.
Date Modified | Username | Field | Change |
---|---|---|---|
2019-08-01 15:06 | DenisChenu | New Issue | |
2019-09-18 16:41 | DenisChenu | Additional Information Updated | |
2019-09-18 16:42 | DenisChenu | Note Added: 53640 | |
2019-11-20 16:30 | cdorin | Note Added: 54723 | |
2019-11-20 16:44 | DenisChenu | Note Added: 54731 | |
2019-12-30 18:40 | DenisChenu | Relationship added | related to 15690 |
2020-01-03 15:17 | DenisChenu | Issue Monitored: DenisChenu | |
2020-01-03 15:24 | DenisChenu | Note Added: 55124 | |
2020-01-03 15:25 | DenisChenu | Note Added: 55126 | |
2020-01-03 15:26 | DenisChenu | Note Edited: 55126 | |
2020-01-03 15:27 | DenisChenu | Note Edited: 55126 | |
2020-01-03 15:27 | DenisChenu | Note Edited: 55126 | |
2020-01-07 17:29 | DenisChenu | Relationship added | related to 15693 |
2020-01-08 08:57 | Mazi | Note Added: 55147 | |
2020-01-08 08:58 | Mazi | Note Added: 55148 | |
2020-01-08 09:16 | DenisChenu | Note Added: 55149 | |
2020-01-08 09:19 | DenisChenu | Note Edited: 55149 | |
2020-01-17 15:42 | DenisChenu | Assigned To | => DenisChenu |
2020-01-17 15:42 | DenisChenu | Status | new => assigned |
2020-01-28 17:38 | DenisChenu | Note Added: 55529 | |
2020-02-11 15:01 | ollehar | Note Added: 55862 | |
2020-02-11 15:54 | DenisChenu | Note Added: 55869 | |
2020-02-11 15:56 | DenisChenu | Note Edited: 55869 | |
2020-06-25 15:35 | DenisChenu | Note Added: 58467 | |
2021-03-08 23:29 | c_schmitz | Note Added: 62913 | |
2021-03-08 23:29 | c_schmitz | Status | assigned => closed |
2021-03-08 23:29 | c_schmitz | Resolution | open => won't fix |
2021-08-02 17:29 | guest | Bug heat | 260 => 262 |