Bug #102248

closed

CSP issues in BE for custom eval rules on input fields

Added by Claus Harup about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Documentation
Target version:
-
Start date:
2023-10-25
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.2
Tags:
csp
Complexity:
Is Regression:
Sprint Focus:

Description

https://docs.typo3.org/m/typo3/reference-tca/main/en-us/ColumnsConfig/Type/Input/Properties/Eval.html#custom-eval-rules

When "backend enforce content security policy" is enabled, the final script tag contains no nonce and we get CSP issues :-(

Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").

<script >
/*<![CDATA[*/
var TBE_EDITOR = TBE_EDITOR || { customEvalFunctions: {} };
TBE_EDITOR.customEvalFunctions['TYPOCONSULT\u005CTcSys\u005CEvaluator\u005CUrlEvaluator'] = function(value) {
    var returnValue = value;

    if(value.length){
        if(value.substring(0, 7) != 'http://' && value.substring(0, 8) != 'https://'){
            if(value.indexOf('.') > 0){
                returnValue = 'https://' + value;
            } else{
                returnValue = '';
            }
        }
    }

    return returnValue;
};
/*]]>*/
</script>
Actions #1

Updated by Oliver Hader about 1 year ago

  • Category changed from Security to Documentation
  • Status changed from New to Accepted
  • Assignee deleted (Oliver Hader)
  • Target version deleted (next-patchlevel)
  • Tags set to csp

The mentioned functionality for dynamically creating JavaScript has been deprecated with TYPO3 v12.4. Allowing dynamic inline scripts (e.g. by adding a nonce or hash value for all of them) would not add to the security aspects of CSP. Thus, the suggestion is to reduce the amount of inline JavaScript and make that static instead.

https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.4/Deprecation-100587-DeprecateFormEngineAdditionalJavaScriptPostAndCustomEvalInlineJavaScript.html

It seems that this part has not been adjusted in the combined docs yet.

Actions #2

Updated by Claus Harup about 1 year ago

I changed the setup and it works like a charm.... :-)

import FormEngineValidation from "@typo3/backend/form-engine-validation.js";

// ES module that replaces the deprecated inline script: it is loaded as a
// static module by the backend, and the evaluator is registered through the
// FormEngine validation API instead of TBE_EDITOR.customEvalFunctions.
export class UrlEvaluator {
    // `name` is the eval rule name the TCA refers to (the PHP evaluator class).
    static registerCustomEvaluation(name) {
        FormEngineValidation.registerCustomEvaluation(name, UrlEvaluator.evaluateSourceHost);
    }

    // Prefix bare host names with https://; discard values that do not look like a host or URL.
    static evaluateSourceHost(value) {
        let returnValue = value;

        if (value.length) {
            if (value.substring(0, 7) !== 'http://' && value.substring(0, 8) !== 'https://') {
                if (value.indexOf('.') > 0) {
                    returnValue = 'https://' + value;
                } else {
                    returnValue = '';
                }
            }
        }

        return returnValue;
    }
}
Actions #4

Updated by Oliver Hader about 1 year ago

  • Status changed from Accepted to Closed