Global settings/9/en: Difference between revisions
From LimeSurvey Manual
Edit summary (older revision): Importing a new version from external source
Edit summary (latest revision): Importing a new version from external source
(One intermediate revision by the same user not shown)
Line 1:
==Security== | ==Security== | ||
*'''Survey preview only for administration users''': By default, the preview of inactive surveys is restricted only to authenticated. If you set this to 'No', any person can test your survey using the survey URL | *'''Survey preview only for administration users''': By default, the preview of inactive surveys is restricted only to authenticated. If you set this to 'No', any person can test your survey using the survey URL – without logging in to the administration and without having to activate the survey first | ||
*'''Filter HTML for XSS''': It is | *'''Filter HTML for XSS''': It is turned 'on' by default. They will not be authorized to use dangerous HTML tags in their survey/group/question/labels texts (JavaScript code, for instance). The idea behind this is to prevent a survey operator to add a malicious script to get his permissions raised on your system. '''However, if you want to use any JavaScript in your surveys, you will need to switch this off''' (specific scripts for video hosting platforms can be used). | ||
{{Hint|Text=The super admins never have their HTML filtered when saved or on public survey view. | {{Hint|Text=The super admins never have their HTML filtered when saved or on public survey view. To see the effects of XSS filtering, it is advised to use a regular user account.}} | ||
{{Alert|title=Warning|text=With XSS enabled, some parts of the expression manager system | {{Alert|title=Warning|text=With XSS enabled, some parts of the expression manager system cannot be used: see [[ExpressionScript_-_Presentation#XSS security|XSS and ExpressionScript]].}} | ||
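Review bot: the first bullet still reads "restricted only to authenticated" in both columns; the noun is missing and it should say "restricted to authenticated users". In the second bullet "They will not be authorized" has no antecedent (the Hint below implies users other than super admins, so "Users will not be authorized" would be clearer), and "prevent a survey operator to add a malicious script" should be "prevent a survey operator from adding a malicious script". The Alert text says "With XSS enabled" where the setting being described is the XSS filter; "With XSS filtering enabled" avoids reading as if enabling XSS were a feature.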
Latest revision as of 01:13, 31 January 2023
Security
- Survey preview only for administration users: By default, the preview of inactive surveys is restricted to authenticated users. If you set this to 'No', anyone can test your survey using the survey URL, without logging in to the administration and without having to activate the survey first.
- Filter HTML for XSS: It is turned 'on' by default. Users will not be authorized to use dangerous HTML tags in their survey, group, question and label texts (JavaScript code, for instance). The idea behind this is to prevent a survey operator from adding a malicious script to get their permissions raised on your system. However, if you want to use any JavaScript in your surveys, you will need to switch this off (specific scripts for video hosting platforms can be used).
Hint: Super admins never have their HTML filtered, either when saved or on public survey view. To see the effects of XSS filtering, it is advised to use a regular user account.
Warning: With XSS filtering enabled, some parts of the expression manager system cannot be used: see XSS and ExpressionScript.
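To make concrete what a filter of this kind does to survey text, here is an added allowlist sanitizer in Python, written for this page and not LimeSurvey's own filter (LimeSurvey's real implementation and tag lists are not described here); `ALLOWED_TAGS`, `SAFE_SCHEMES` and the sample text are assumed values. It keeps formatting tags, strips `<script>` content, event-handler attributes and `javascript:` links, and mirrors the super-admin exemption so you can see why the Hint recommends testing with a regular account.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for an illustrative "Filter HTML for XSS" pass (hypothetical, not LimeSurvey's own lists).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class XssFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.in_script = 0  # > 0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_script += 1
            return
        if self.in_script or tag not in ALLOWED_TAGS:
            return  # tag removed; text inside it is still kept (escaped) by handle_data
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and non-allowlisted attributes are removed
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:/data: URLs are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def filter_html(text: str, is_super_admin: bool = False) -> str:
    """Filter survey text; super admins are exempt, as the manual's Hint says."""
    if is_super_admin:
        return text
    parser = XssFilter()
    parser.feed(text)
    return "".join(parser.out)

# Constructed sample: question text carrying an event handler, a script and a javascript: link.
SAMPLE = ('<p onclick="alert(1)">Rate <b>this</b>.</p><script>fetch("/admin")</script>'
          '<a href="javascript:alert(1)">link</a><a href="https://example.org">ok</a>')
```

Running `filter_html(SAMPLE)` returns `<p>Rate <b>this</b>.</p><a>link</a><a href="https://example.org">ok</a>`, while `filter_html(SAMPLE, is_super_admin=True)` returns the input unchanged, which is exactly the difference the Hint tells you to look for with a regular account.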