View Issue Details

ID: 15096
Project: Feature requests
Category: Security
View Status: public
Last Update: 2020-02-11 15:56
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: feature
Status: assigned
Resolution: open
Summary: 15096: XSS for super-admin too
Description

Currently the XSS setting does 2 things:

  1. Filter XSS
  2. Filter HTML

I would like to have the HTML filter when I'm super-admin too.

And the XSS filter can be good for super-admin too.

Additional Information

Maybe a separation between XSS and Script (for 4.0) could be great too.
Default XSS == 1 => XSS on for (!superadmin && !ForcedAdmin)
XSS = 0 : XSS all for all

Add a script active setting (start in config.php).

Then we can have:
XSS true for: (!ForcedAdmin) or (!superadmin) or (All users)
script true for: (same as XSS (default)) or All users (even with XSS enabled) or superadmin (even if XSS for superadmin).

This setting can be accessible only via the PHP file.

Tags: No tags attached.

Relationships

related to 15690 (closed, DenisChenu, Bug reports): User with XSS enabled can add/update scripts
related to 15693 (resolved, DenisChenu, Feature requests): Allow simple user to update script with XSS enabled

Activities

DenisChenu

2019-09-18 16:42

developer   ~53640

Updated solution:

  1. XSS true for: (!ForcedAdmin (current default)) or (!superadmin) or (All users (current disable XSS))
  2. script true for: (same as XSS (default)) or All users (even with XSS enabled) or superadmin (even if XSS for superadmin).

This setting can be accessible only via the PHP file.

cdorin

2019-11-20 16:30

manager   ~54723

ping @c_schmitz

DenisChenu

2019-11-20 16:44

developer   ~54731

After some thinking, we need more:

  1. Allow super admin to update via GUI or not (forced by config)
  2. XSS: off: no change, 1: all except superadmin, 2 (or all?): superadmin too
  3. scripts: follow XSS (like today?), for all users, for nobody

DenisChenu

2020-01-03 15:24

developer   ~55124

https://github.com/LimeSurvey/LimeSurvey/pull/1358

DenisChenu

2020-01-03 15:25

developer   ~55126

Last edited: 2020-01-03 15:27


disablescriptwithxss

Allow update of script in question
true : Default : follow XSS rules
false : allowed for all

$config['disablescriptwithxss'] = true;

forcedfilterxss

Enables filtering of suspicious HTML tags in survey, group, question
and answer texts in the administration interface.
Even super-administrators have this restriction.
This setting cannot be updated via the GUI.

$config['forcedfilterxss'] = false;

superadminenablescript

Totally disable question script update
Remove the script part in question edition
Used only if forcedfilterxss and disablescriptwithxss are true
This setting cannot be updated via the GUI.

$config['superadminenablescript'] = false;

Mazi

2020-01-08 08:57

partner   ~55147

I consider more flexibility with the XSS filter a very useful feature. But adjusting settings should be doable at global settings, not config.php.
Furthermore, what about a global user right setting for the XSS filter? That way one could allow a common user to also add JS for example.

Mazi

2020-01-08 08:58

partner   ~55148

BTW, we should also add some kind of detection to show a warning if the XSS filter turns some JS/CSS into bullshit on save. Because many users are very confused about what happens to their JS code on save. We should show additional details/hints to the user.

DenisChenu

2020-01-08 09:16

developer   ~55149

Last edited: 2020-01-08 09:19


But adjusting settings should be doable at global settings, not config.php.

If you disable XSS for superadmin, but leave this in the GUI: you don't need a setting. It's a security fix: some users want to totally disable XSS even for superadmin (user with all rights). This setting is done for this.

Furthermore, what about a global user right setting for the XSS filter?

Create another feature request, seems a good idea.

We should show additional details/hints to the user.

Old issue here …

Else, about the workaround: with (in GUI) XSS on + disablescriptwithxss OFF, the user can add a workaround with XSS enabled.

DenisChenu

2020-01-28 17:38

developer   ~55529

Thinking of the final part:

forcedfilterxss

Enables filtering of suspicious HTML tags in survey, group, question
and answer texts in the administration interface.
Even super-administrators have this restriction.
This setting cannot be updated via the GUI.

$config['forcedfilterxss'] = false;

Is OK.

But: I didn't like

superadminenablescript

Totally disable question script update
Remove the script part in question edition
Used only if forcedfilterxss and disablescriptwithxss are true
This setting cannot be updated via the GUI.

$config['superadminenablescript'] = false;

I think we must have more:

enablescript

Allow administrators to get script according to their rights
Follow XSS for simple user
Allowed for superadmin
Setting false here: even super administrators have scripts disabled
Any existing scripts are reset to empty
Script editor or view are removed from GUI

$config['enablescript'] = true;

Another idea?

ollehar

2020-02-11 15:01

administrator   ~55862

Use-case: Enable XSS filtering for superadmin. Why do we need three new options?

DenisChenu

2020-02-11 15:54

developer   ~55869

Last edited: 2020-02-11 15:56


Arg ... invalid time tracking lost all ....

Because: there are scripts now, and it's linked with XSS protection (like upload of SVG ....) (or JS edition).

Idea with forcedfilterxss and enablescript. But is enablescript checked only if forcedfilterxss is true?

  • default (forcedfilterxss: false / enablescript: true)
    • XSS for other users: true/false
    • disable script update with XSS: true/false (then only for others)
  • forcedfilterxss: true / enablescript: true
    • XSS for other users: Disable edit: always true
    • disable script update with XSS: true/false (then for all users, superadmin included)
  • forcedfilterxss: true / enablescript: false
    • XSS for other users: Disable edit: always true
    • disable script update with XSS: Disable edit: always true, and more: remove all existing scripts
  • forcedXSS: false / enablescript: true
    • Not used: same as default

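The option matrix in the last note, resolved by one pure policy function so the interaction of the three options can be checked row by row. This is an added example, not LimeSurvey code and not the code of the linked pull request: the keys forcedfilterxss, enablescript and disablescriptwithxss are the names proposed in this thread (here all read from one array, whether they end up in config.php or in the GUI), the $guiXssEnabled argument stands in for the existing GUI "filter XSS" global setting (its real setting name is not assumed), and resolveXssPolicy() is a hypothetical name.

```php
<?php
declare(strict_types=1);

// Added example (not LimeSurvey code): resolve the forcedfilterxss /
// enablescript / disablescriptwithxss matrix for one acting user.
// $guiXssEnabled is an assumed stand-in for the GUI "filter XSS" setting.

/**
 * @param array<string,bool> $config   values of the proposed options
 * @param bool $guiXssEnabled          GUI global setting: filter XSS for users
 * @param bool $isSuperAdmin           the acting user is a super-administrator
 * @return array{filterXss:bool,scriptEditing:string,resetScripts:bool}
 */
function resolveXssPolicy(array $config, bool $guiXssEnabled, bool $isSuperAdmin): array
{
    $forced          = (bool)($config['forcedfilterxss'] ?? false);
    $enableScript    = (bool)($config['enablescript'] ?? true);
    $noScriptWithXss = (bool)($config['disablescriptwithxss'] ?? true);

    // Row 3: forced filter and scripts disabled => no script for anyone,
    // editor removed and existing scripts reset to empty. enablescript is
    // only consulted when forcedfilterxss is true (row 4 is "same as default").
    if ($forced && !$enableScript) {
        return ['filterXss' => true, 'scriptEditing' => 'removed', 'resetScripts' => true];
    }

    // Rows 1-2: with forcedfilterxss the filter is on for everyone and the GUI
    // cannot switch it off; otherwise the GUI setting decides and super-admins
    // are exempt (today's behaviour).
    $filterXss = $forced || ($guiXssEnabled && !$isSuperAdmin);

    // "disable script update with XSS" only affects users who are actually
    // filtered, so under forcedfilterxss it reaches super-admins as well.
    $scriptBlocked = $filterXss && $noScriptWithXss;

    return [
        'filterXss'     => $filterXss,
        'scriptEditing' => $scriptBlocked ? 'blocked' : 'allowed',
        'resetScripts'  => false,
    ];
}

// Walk the four rows of the matrix for a simple user and a super-admin,
// with the GUI XSS filter switched on and script update blocked under XSS.
$rows = [
    'default'                                  => ['forcedfilterxss' => false, 'enablescript' => true],
    'forcedfilterxss:true / enablescript:true'  => ['forcedfilterxss' => true,  'enablescript' => true],
    'forcedfilterxss:true / enablescript:false' => ['forcedfilterxss' => true,  'enablescript' => false],
    'forcedfilterxss:false / enablescript:false'=> ['forcedfilterxss' => false, 'enablescript' => false],
];
foreach ($rows as $label => $cfg) {
    $cfg['disablescriptwithxss'] = true;
    foreach ([false, true] as $isSuperAdmin) {
        $p = resolveXssPolicy($cfg, true, $isSuperAdmin);
        printf(
            "%-44s %-10s filterXss=%-5s script=%-7s resetScripts=%s\n",
            $label,
            $isSuperAdmin ? 'superadmin' : 'user',
            var_export($p['filterXss'], true),
            $p['scriptEditing'],
            var_export($p['resetScripts'], true)
        );
    }
}
```

The point of keeping the decision in one function is that the security-relevant outcome (whether a super-admin can bypass the HTML/XSS filter, and whether script editing is reachable at all) no longer depends on which screen or file a setting was read from; the table the loop prints is exactly what a reviewer would check against the matrix above before merging.
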
Issue History

Date Modified Username Field Change
2019-08-01 15:06 DenisChenu New Issue
2019-09-18 16:41 DenisChenu Additional Information Updated View Revisions
2019-09-18 16:42 DenisChenu Note Added: 53640
2019-11-20 16:30 cdorin Note Added: 54723
2019-11-20 16:44 DenisChenu Note Added: 54731
2019-12-30 18:40 DenisChenu Relationship added related to 15690
2020-01-03 15:24 DenisChenu Note Added: 55124
2020-01-03 15:25 DenisChenu Note Added: 55126
2020-01-03 15:26 DenisChenu Note Edited: 55126 View Revisions
2020-01-03 15:27 DenisChenu Note Edited: 55126 View Revisions
2020-01-03 15:27 DenisChenu Note Edited: 55126 View Revisions
2020-01-07 17:29 DenisChenu Relationship added related to 15693
2020-01-08 08:57 Mazi Note Added: 55147
2020-01-08 08:58 Mazi Note Added: 55148
2020-01-08 09:16 DenisChenu Note Added: 55149
2020-01-08 09:19 DenisChenu Note Edited: 55149 View Revisions
2020-01-17 15:42 DenisChenu Assigned To => DenisChenu
2020-01-17 15:42 DenisChenu Status new => assigned
2020-01-28 17:38 DenisChenu Note Added: 55529
2020-02-11 15:01 ollehar Note Added: 55862
2020-02-11 15:54 DenisChenu Note Added: 55869
2020-02-11 15:56 DenisChenu Note Edited: 55869 View Revisions