ID: 14735
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-04-04 07:55
Reporter: bewi
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: no change required
Product Version: 3.17.x
Summary: 14735: not every admin should be allowed to edit all fields in source mode
Description

For RTE fields it is possible to switch to source mode. In this mode an admin can insert any HTML code. That could be an XSS, which everyone doing the survey (as preview or live) will execute.
The right to switch to source mode should be restrictable to selected admins.

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 3.17.0
I will donate to the project if issue is resolved: No


Activities

DenisChenu (developer), 2019-04-04 07:52, note ~51331

Only super admins have this right (by default): filterxsshtml, https://manual.limesurvey.org/Optional_settings#Security and https://manual.limesurvey.org/Global_settings#Security

Source can still be edited, but when saved, scripts are removed.

I close this one; if you want some improvements here, please open a feature request (for example: filterxsshtml for super admin too).

bewi (reporter), 2019-04-04 07:55, note ~51332

I should work as a normal admin more often ;)

Issue History

Date Modified Username Field Change
2019-04-04 07:38 bewi New Issue
2019-04-04 07:52 DenisChenu Assigned To => DenisChenu
2019-04-04 07:52 DenisChenu Status new => closed
2019-04-04 07:52 DenisChenu Resolution open => no change required
2019-04-04 07:52 DenisChenu Note Added: 51331
2019-04-04 07:55 bewi Note Added: 51332