Pull Request for Issue #28557
Make sure the renderer does not manipulate the inline CSS and JS
Add the following lines to the index.php of the cassiopeia template:
// Add inline JavaScript
Factory::getDocument()->addScriptDeclaration('
    // Runs once the DOM has been parsed
    document.addEventListener("DOMContentLoaded", function() {
        alert("An inline JavaScript Declaration");
    });
');
// Add inline Style
Factory::getDocument()->addStyleDeclaration('
    body {
        background: #00ff00;
        color: rgb(0,0,255);
    }
');
Enable CSP (System -> Content-Security-Policy -> Options) and configure like this:
Inline script and inline style tags are not modified by the renderer and can be whitelisted via a CSP.
The style and script renderers add some spaces and line endings that break the CSP hash generation.
none
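To illustrate why the added whitespace matters, the following added example (not part of this PR or of Joomla's code) computes a CSP hash-source for an inline declaration and compares it with what a browser would hash after rendering. The function names, the sample script and the exact padding characters are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

/** Build a CSP hash-source from the exact bytes of an inline block. */
function cspHashSource(string $content, string $algo = 'sha256'): string
{
    // CSP expects the base64 of the raw (binary) digest, not of the hex string.
    return sprintf("'%s-%s'", $algo, base64_encode(hash($algo, $content, true)));
}

/** Assumed stand-in for a renderer that pads the declaration with whitespace. */
function renderPadded(string $content): string
{
    return "<script>\n\t" . $content . "\n\t</script>";
}

/** Renderer that emits the declaration byte for byte. */
function renderVerbatim(string $content): string
{
    return '<script>' . $content . '</script>';
}

/** A browser hashes everything between the tags, whitespace included. */
function browserHashSource(string $html): string
{
    if (!preg_match('~<script[^>]*>(.*?)</script>~s', $html, $m)) {
        throw new InvalidArgumentException('no inline script found');
    }
    return cspHashSource($m[1]);
}

// Constructed inline declaration, as it would be passed to addScriptDeclaration().
$declaration = "\nconsole.log(\"An inline JavaScript Declaration\");\n";

// Hash sent in the Content-Security-Policy header, computed before rendering.
$headerHash = cspHashSource($declaration);

foreach (['padded' => 'renderPadded', 'verbatim' => 'renderVerbatim'] as $name => $render) {
    $seen = browserHashSource($render($declaration));
    $verdict = hash_equals($headerHash, $seen) ? 'allowed' : 'blocked';
    printf("%-8s %s => %s\n", $name, $seen, $verdict);
}
```

Only the verbatim renderer yields a hash equal to the one in the header; a single extra tab or newline between the tags is enough for the browser to refuse the block.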
Status | New | ⇒ | Pending |
Category | ⇒ | Libraries Front End Plugins |
Pls overlook my ignorance, isn't it cassiopeia on J4?
Yes thanks fixed. I worked in parallel on protostar too :D
This is going to make the source look much worse when debugging. But then again given everyone uses dev tools in browsers these days I guess it doesn't matter much either?
> This is going to make the source look much worse when debugging. But then again given everyone uses dev tools in browsers these days I guess it doesn't matter much either?
I have not noticed any difference in the dev tools.
BTW you should not use any inline JS or Inline CSS anyway so one more reason to not use them :D
> Yes thanks fixed. I worked in parallel on protostar too :D
Thanks Tobias, I need a bit more info as I'm running into some weirdness.
With security policy enabled or disabled, I get this warning:
( ! ) Warning: hash() expects parameter 2 to be string, array given in F:\xampp\htdocs\j4test\plugins\system\httpheaders\httpheaders.php on line 178
Can I ignore?
Also, I'm testing this locally, is that OK for this PR?
Yes, you can ignore it. That is an issue that has been patched here too; when you apply the patch, that warning should be gone too.
Priority | Medium | ⇒ | Urgent |
I have tested this item
Tested with Chrome on Win64
I have tested this item
Tested successfully.
CDATA is for xhtml/xml documents, and as long as Document may be used to render XML I would keep it. Even if we never used it.
Ok, right now to me this PR looks ready then, given that I do not touch the CDATA thing and that we only apply hashes on HTML sites anyway.
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-08-11 18:11:31 |
Closed_By | ⇒ | wilsonge | |
Labels | Added: Information Required |
I'm still not 100% we're getting this right - but let's give it a go
Here is the backport to 3.x: #28720