Skip to content

FIX: Restore map editing for non-admin roles (#452)#456

Open
loocars wants to merge 1 commit into
masterfrom
fix/edithtml-map-editing
Open

FIX: Restore map editing for non-admin roles (#452)#456
loocars wants to merge 1 commit into
masterfrom
fix/edithtml-map-editing

Conversation

@loocars

@loocars loocars commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

The XSS mitigation for the WYSIWYG editor (CVE-2024-47090) added an editHtml permission check at the top of handleAddModify(), which runs for every map object save. As a result, roles without that permission (e.g. Managers) could no longer edit maps at all — adding a host, service or icon failed with "Cannot edit HTML. Please contact your administrator".

This scopes the check to submissions that actually change an HTML field (the textbox text, field type textarea), comparing the submitted value against the stored one. Regular map editing works again without the permission, while changing HTML content still requires editHtml. textarea() now also keeps the current value in a hidden field so a textbox can be moved/resized and saved unchanged.

Fixes #452

The editHtml permission check (CVE-2024-47090) was applied to every map
modification, blocking roles like Managers from editing maps at all.
Scope it to changes of HTML fields (textbox text), and keep the current
value as a hidden field so objects can still be saved/moved unchanged.

Fixes #452
@loocars loocars requested a review from LarsMichelsen July 10, 2026 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature request] Role for editHtml in GUI - Cannot edit HTML. Please contact your administrator

2 participants