[#33644] - [4.0] Help scroll top
- Closed
- 8 May 2021
- Medium
- Build: 4.0-dev
- # 33644
- Diff
- ceford:help_scroll_top
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
Added 'onclick' => 'window.scroll(0,0)' to Administrator Joomla! Help page
Testing Instructions
Go to Administrator / Help / Start Here panel / Joomla! Help
Scroll down to the bottom of the list and click an item there
Actual result BEFORE applying this Pull Request
Nothing appears to happen because the Iframe with the Help page has changed out of site.
Expected result AFTER applying this Pull Request
The page scrolls to the top and the new Help page is seen
Documentation Changes Required
None
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_admin |
| Title |
|
||||||
I have tested this item
__
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
?
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
Inline javascript should be avoided, onclick is a potentially XSS
| Status | Ready to Commit | ⇒ | Pending |
Back to pending due to previous comment.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
Inline javascript should be avoided, onclick is a potentially XSS
I read that somewhere. But there are 170 instances of onclick in the administrator/components ... what should I do?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
I read that somewhere. But there are 170 instances of onclick in the administrator/components ... what should I do?
Maybe so: OutputFilter::ampReplace ???
See example:
OR ???
use Joomla\CMS\Factory;
/** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
$wa = Factory::getApplication()->getDocument()->getWebAssetManager();
// Add inline JavaScript
$wa->addInlineScript('
document.addEventListener("DOMContentLoaded", function(event) {
alert("An inline JavaScript Declaration");
});
');
I have tested this item
non-sanitised inline scripts are not safe
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
Inline javascript should be avoided, onclick is a potentially XSS
I read that somewhere. But there are 170 instances of onclick in the administrator/components ... what should I do?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.
replace them all with <button></button> ? Most of them shouldn't be an <a></a>. And start with this one...
I remembered where I read about not using onclick and the like - it is in CSP documentation. Closing this - I may come with a CSP compliant implementation.
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-05-08 21:20:48 |
| Closed_By | ⇒ | ceford | |
| Labels |
Added:
?
|
||
I have tested this item✅ successfully on e75acd1
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/33644.