Consider disabling HTML filter for XSS on LimeSurvey
As part of tpo/ux/research#130 (closed), I tried to embed a data handling policy in the questionnaire using a Bootstrap collapsible section, to avoid overwhelming participants with text that they might not read.
The following code works when entered in the description of a group of questions on my other instance of LimeSurvey without HTML filtering:
```html
<p><button aria-controls="data-handling-policy" aria-expanded="false" class="btn btn-secondary" data-bs-target="#data-handling-policy" data-bs-toggle="collapse" type="button">Show Data Handling Policy</button></p>
<div class="collapse" id="data-handling-policy">
<div class="card card-body">Data Handling Policy</div>
</div>
```
LimeSurvey already uses Bootstrap for theming so all these goodies are readily available.
When I try this on survey.torproject.org, the code gets filtered and actually saves:
```html
<p>Show Data Handling Policy</p>
<div class="collapse" id="data-handling-policy">
<div class="card card-body">Data Handling Policy</div>
</div>
```
As a result the collapsible section doesn't work.
This relates to the following setting in Configuration → Settings → Global:
It's set to "On" by default, which is probably the case on survey.torproject.org. If I turn it on on my other instance of LimeSurvey, I get the same filtering.
Together with @donuts, we were wondering whether this filtering was activated on purpose or if it could be deactivated to allow the use of more Bootstrap goodies in surveys.
And don't worry if you want to keep the filtering activated for security reasons, I can try to implement a pure CSS collapsible.
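
An added illustration, not part of the original issue and not LimeSurvey's own code: a minimal allowlist-style HTML filter in Python that reproduces the saved output shown above, where the `<button>` element disappears but its text and the `class`/`id` attributes on `<div>` survive. The allowlist `ALLOWED` and the names `AllowlistFilter` and `filter_html` are assumptions chosen to match that output; the real filter's rules may differ.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (assumption): tag -> attributes that may be kept.
# It is chosen to match the saved output in the issue, nothing more.
ALLOWED = {
    "p": set(),
    "div": {"class", "id"},
}


class AllowlistFilter(HTMLParser):
    """Keep allowlisted tags and attributes; drop other tags but keep their text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # e.g. <button>: the tag is removed, its inner text is kept
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None]
        rendered = "".join(f' {k}="{escape(v)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so it can never be re-interpreted as markup.
        self.out.append(escape(data, quote=False))


def filter_html(markup):
    """Return markup with everything outside ALLOWED stripped."""
    parser = AllowlistFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# The snippet from the issue, as entered in the group description.
SUBMITTED = (
    '<p><button aria-controls="data-handling-policy" aria-expanded="false" '
    'class="btn btn-secondary" data-bs-target="#data-handling-policy" '
    'data-bs-toggle="collapse" type="button">Show Data Handling Policy</button></p>\n'
    '<div class="collapse" id="data-handling-policy">\n'
    '<div class="card card-body">Data Handling Policy</div>\n'
    '</div>'
)

if __name__ == "__main__":
    print(filter_html(SUBMITTED))
```

Under an allowlist like this one, the collapsible breaks because the element carrying `data-bs-toggle` and `data-bs-target` is removed, while the target `<div class="collapse">` is left in place and stays hidden.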