
Make BootstrapFileInputField strict content security policy compliant #901

Open
nmandrescu opened this issue Jun 4, 2021 · 6 comments

Comments

@nmandrescu

When loading a BootstrapFileInputField that has no errors, it is hidden through a style attribute

<div class="kv-fileinput-error file-error-message" style="display: none;"></div>

It is happening in Wicket Bootstrap 5.0.4
https://github.com/l0rdn1kk0n/wicket-bootstrap/blob/add49f25467d2f7ee51a5aa88eff308c6b302fb8/bootstrap-extensions/src/main/java/de/agilecoders/wicket/extensions/markup/html/bootstrap/form/fileinput/res/js/fileinput.js#L661

Below is another .hide() call and likely more similar cases exist.

Adding a style attribute is not allowed in CSP strict mode.

Please fix BootstrapFileInputField and other components to be CSP compliant.

@martin-g
Owner

martin-g commented Jun 4, 2021

Thanks for the report!
Pull Requests are welcome!

@reckart
Contributor

reckart commented Feb 26, 2023

Considering this is Bootstrap we are using here, I believe the change should be simple: switch from adding a style attribute to adding/removing the Bootstrap CSS class d-none instead.
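The d-none approach applied at the template level, as an added example that is not code from wicket-bootstrap or bootstrap-fileinput: a small Node.js lint-and-rewrite pass that lists the inline style attributes in a template string (the markup that later goes through innerHTML / parseHTML) and converts the style="display: none;" case to the d-none class. The function names, the SAMPLE constant and the regex-based tag handling are assumptions of this example.

```javascript
// Added example, not code from wicket-bootstrap or bootstrap-fileinput:
// scan an HTML template string for inline style="" attributes, which a
// style-src policy without 'unsafe-inline' rejects once the markup is
// inserted via innerHTML / jQuery.parseHTML, and rewrite the common
// style="display: none;" case to the Bootstrap utility class d-none.

// style attribute with a double- or single-quoted value
const STYLE_ATTR = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Lint step: every inline style value in the template, with its offset.
function findInlineStyles(template) {
  const hits = [];
  for (const m of template.matchAll(STYLE_ATTR)) {
    hits.push({ offset: m.index, value: (m[1] ?? m[2]).trim() });
  }
  return hits;
}

// Fix step: per opening tag, drop style="display: none" and add d-none to the
// class attribute (creating it when absent). Other inline styles are kept, so
// they still show up in findInlineStyles() for a manual fix.
function rewriteDisplayNone(template) {
  const TAG = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const HIDDEN = /\sstyle\s*=\s*["']\s*display\s*:\s*none\s*;?\s*["']/i;
  const CLASS = /\sclass\s*=\s*"([^"]*)"/i;
  return template.replace(TAG, (whole, name, attrs) => {
    if (!HIDDEN.test(attrs)) return whole;
    let rest = attrs.replace(HIDDEN, '');
    const selfClosing = /\s*\/\s*$/.test(rest);   // e.g. <input ... />
    if (selfClosing) rest = rest.replace(/\s*\/\s*$/, '');
    const m = CLASS.exec(rest);
    if (m) {
      const classes = m[1].split(/\s+/).filter(Boolean);
      if (!classes.includes('d-none')) classes.push('d-none');
      rest = rest.replace(CLASS, ` class="${classes.join(' ')}"`);
    } else {
      rest += ' class="d-none"';
    }
    return `<${name}${rest}${selfClosing ? ' /' : ''}>`;
  });
}

// Constructed sample: the markup quoted in the issue.
const SAMPLE =
  '<div class="kv-fileinput-error file-error-message" style="display: none;"></div>';

console.log(findInlineStyles(SAMPLE));   // one hit, value "display: none;"
console.log(rewriteDisplayNone(SAMPLE)); // class="... d-none", no style attribute
```

Setting element.style.display from script (what jQuery's .hide() does) is CSSOM manipulation and is not governed by style-src, whereas style attributes inside markup inserted via innerHTML / parseHTML are, which is why the templates are where this fix belongs.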

@reckart
Contributor

reckart commented Feb 26, 2023

However, this is not a thing that should be fixed in Wicket Bootstrap because it would prevent updating the fileinput component which originally comes from https://github.com/kartik-v/bootstrap-fileinput. So this should probably be fixed upstream in https://github.com/kartik-v/bootstrap-fileinput.

@reckart
Contributor

reckart commented Feb 26, 2023

Essentially, the CSP issue boils down to calls to jQuery's parseHTML and innerHTML which are used by the Bootstrap FileInput. I cannot even see that calls to .hide() are an issue at this point. Unfortunately, this is something not easy to fix, even upstream in https://github.com/kartik-v/bootstrap-fileinput, because it would probably mean that the whole templating and even theming approach might need to be reimplemented...

@reckart
Contributor

reckart commented Feb 26, 2023

There was an upstream issue related to CSP which actually did re-implement parts of the templating/theming: kartik-v/bootstrap-fileinput#1565

However, I just checked in the latest version of bootstrap-fileinput and it still uses parseHTML and innerHTML, which trigger a CSP error for me in Chrome when not using the unsafe-inline policy.

@reckart
Contributor

reckart commented Feb 26, 2023

I have opened another upstream issue: kartik-v/bootstrap-fileinput#1833
