Task #63712

Avoid use of eval() and replace it

Added by Job Rutgers almost 5 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
Start date:
2015-09-30
Due date:
% Done:
100%

TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The use of eval() can be slow and insecure, so maybe it's better to avoid it and replace it.
More info at:
http://www.nczonline.net/blog/2013/06/25/eval-isnt-evil-just-misunderstood/

After it is implemented it should be possible to use (in nginx):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";

Now 'unsafe-eval' is still needed in default-src.

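An added example, not code from the original ticket or from the TYPO3 core: the two eval() patterns that a policy without 'unsafe-eval' blocks (evaluating serialized data as code, and dispatching to a function by building source text at runtime), each next to a replacement that works under the strict header quoted above. The slider-like option names (min, max, step) and the handler names are assumptions for illustration; the last function is a runtime check for whether the effective policy still grants 'unsafe-eval'.

```javascript
// Added example (not TYPO3 code). Hypothetical option fields and handler
// names; the point is the eval-free shape, not the exact API.

// Pattern 1: "parse" a serialized options object by evaluating it as code.
// Anything in the string runs as JavaScript, and a browser refuses it
// under a CSP lacking 'unsafe-eval' (EvalError plus a violation report).
function parseOptionsWithEval(serialized) {
  return eval('(' + serialized + ')'); // BAD: code execution, CSP-blocked
}

// Replacement: JSON.parse builds data only, never runs code, and is not
// governed by 'unsafe-eval'. The result is validated so a caller cannot
// smuggle unexpected types through (a string where a number is expected).
function parseOptions(serialized) {
  const obj = JSON.parse(serialized);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('options must be a JSON object');
  }
  const { min = 0, max = 100, step = 1 } = obj;
  for (const [name, value] of Object.entries({ min, max, step })) {
    if (!Number.isFinite(value)) {
      throw new TypeError(name + ' must be a finite number');
    }
  }
  if (min >= max || step <= 0) {
    throw new RangeError('invalid slider range');
  }
  return { min, max, step };
}

// Pattern 2: dispatching to a function by assembling its name into source
// text and evaluating it. new Function(...) and setTimeout("code") fall
// under the same 'unsafe-eval' rule.
const handlers = {
  onChange: (v) => 'changed:' + v,
  onSubmit: (v) => 'submitted:' + v,
};
function callHandlerWithEval(name, value) {
  return eval('handlers.' + name + '(' + JSON.stringify(value) + ')'); // BAD
}

// Replacement: an explicit allow-list lookup. The own-property check keeps
// names such as "constructor" or "toString" from reaching prototype members.
function callHandler(name, value) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error('unknown handler: ' + name);
  }
  return handlers[name](value);
}

// Runtime check: does the effective CSP still permit eval-like execution?
// Under the strict header from the description a browser returns false;
// under a policy with 'unsafe-eval' (or in Node, which has no CSP) true.
function evalAllowedByCsp() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}
```

Dropping `new Function`, string arguments to `setTimeout`/`setInterval`, and `eval` from the backend scripts is what lets 'unsafe-eval' be removed from the header; the check function is a quick way to confirm the policy actually took effect on a given page.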

Subtasks

Bug #70205: Remove eval from TCA slider JavaScript (Closed, Andreas Fernandez)


Related issues

Related to TYPO3 Core - Bug #61996: unsafe-eval Closed 2014-10-01
Related to TYPO3 Core - Task #17626: JS-function checkSubmit should not use eval Closed 2007-09-24
Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend Closed 2016-01-31

Associated revisions

Revision a167e6c3 (diff)
Added by Andreas Fernandez almost 4 years ago

[BUGFIX] Remove eval from TCA slider JavaScript

Resolves: #70205
Related: #63712
Releases: master
Change-Id: I6d5c7d21870a7d36557db40f9047450701315bc1
Reviewed-on: http://review.typo3.org/43651
Reviewed-by: Christian Kuhn <>
Tested-by: Christian Kuhn <>
Reviewed-by: Wouter Wolters <>
Tested-by: Wouter Wolters <>

History

#1 Updated by Mathias Schreiber over 4 years ago

  • Target version changed from 7.0 to 7.1 (Cleanup)

#2 Updated by Benni Mack over 4 years ago

  • Target version changed from 7.1 (Cleanup) to 7.4 (Backend)

#3 Updated by Susanne Moog about 4 years ago

  • Target version changed from 7.4 (Backend) to 7.5

#4 Updated by Benni Mack almost 4 years ago

  • Target version changed from 7.5 to 7 LTS

#5 Updated by Stefan Neufeind almost 4 years ago

  • Status changed from New to Resolved

Just a few remaining evals, but all in JavaScript code. Let's close it, imho.

#6 Updated by Peter Proell over 3 years ago

There are still (7.6) CSP issues in the backend (/typo3).

We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding

Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline';"

in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.

It would be a nice security feature if the TYPO3 backend would support a stricter CSP.

Info on CSP:
http://content-security-policy.com/
https://de.wikipedia.org/wiki/Content_Security_Policy

#7 Updated by Peter Proell over 3 years ago

Opened a new ticket https://forge.typo3.org/issues/73047 as I cannot reopen this one.

#8 Updated by Riccardo De Contardi almost 2 years ago

  • Status changed from Resolved to Closed
