Bug #102248

closed

CSP issues in BE for custom eval rules on input fields

Added by Claus Harup about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Documentation
Target version: -
Start date: 2023-10-25
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.2
Tags: csp
Complexity:
Is Regression:
Sprint Focus:

Description

https://docs.typo3.org/m/typo3/reference-tca/main/en-us/ColumnsConfig/Type/Input/Properties/Eval.html#custom-eval-rules

When "backend enforce content security policy" is enabled, the final script tag contains no nonce and we get CSP issues :-(

Content-Security-Policy: The page's settings blocked the loading of a resource at inline ("script-src").

<script >
/*<![CDATA[*/
var TBE_EDITOR = TBE_EDITOR || { customEvalFunctions: {} }; TBE_EDITOR.customEvalFunctions['TYPOCONSULT\u005CTcSys\u005CEvaluator\u005CUrlEvaluator'] = function(value) { 
            var returnValue = value;

            if(value.length){
                if(value.substring(0, 7) != 'http://' && value.substring(0, 8) != 'https://'){
                    if(value.indexOf('.') > 0){
                        returnValue = 'https://' + value;
                    } else{
                        returnValue = '';
                    }
                }
            }

            return returnValue;
         };
/*]]>*/
</script>
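
The failure reported above can be reproduced offline. The following is an added example, not part of the original report or of TYPO3's code: it lists the inline script elements that a nonce-based `script-src` policy would block. The function names, the sample policy and the sample markup are assumptions; hashes and 'strict-dynamic' are not modelled.

```javascript
// Added example: report inline <script> elements that a nonce-based
// script-src policy would block. Simplified model: only 'nonce-...' and
// 'unsafe-inline' sources are evaluated; hashes and 'strict-dynamic' are ignored.

function scriptSrcSources(cspHeader) {
  // Split into directives; script-src falls back to default-src when absent.
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

function blockedInlineScripts(cspHeader, html) {
  const sources = scriptSrcSources(cspHeader);
  if (sources === null) return []; // no applicable directive: nothing is blocked
  const nonces = new Set();
  for (const s of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/_=-]+)'$/.exec(s);
    if (m) nonces.add(m[1]);
  }
  // Browsers ignore 'unsafe-inline' once a nonce source is present.
  const unsafeInline = nonces.size === 0 && sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const blocked = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script, not inline
    const nonce = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs)?.[1];
    if (unsafeInline || (nonce && nonces.has(nonce))) continue;
    blocked.push(body.trim().slice(0, 60)); // keep a short excerpt for the report
  }
  return blocked;
}

// Constructed sample: policy and markup are illustrative, not captured TYPO3 output.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-c2FtcGxlTm9uY2U'";
const SAMPLE_HTML = `
<script nonce="c2FtcGxlTm9uY2U">var ok = 1;</script>
<script >
/*<![CDATA[*/
var TBE_EDITOR = TBE_EDITOR || { customEvalFunctions: {} };
/*]]>*/
</script>
<script src="/assets/app.js"></script>`;

console.log(blockedInlineScripts(SAMPLE_CSP, SAMPLE_HTML));
```

Running it against a saved backend response and its `Content-Security-Policy` header shows which inline blocks still need a nonce or need to move into an external module.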