Task #63712

Avoid use of eval() and replace it

Added by Job Rutgers almost 7 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version:
Start date: 2015-09-30
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The use of eval() can be slow and insecure, so it may be better to avoid and replace it.
More info on:
http://www.nczonline.net/blog/2013/06/25/eval-isnt-evil-just-misunderstood/

After it is implemented it should be possible to use (in nginx):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";

Right now 'unsafe-eval' is still needed in default-src.


Subtasks

Bug #70205: Remove eval from TCA slider JavaScript (Closed, Andreas Fernandez, 2015-09-30)


Related issues

Related to TYPO3 Core - Bug #61996: unsafe-eval (Closed, 2014-10-01)
Related to TYPO3 Core - Task #17626: JS-function checkSubmit should not use eval (Closed, Frank Naegler, 2007-09-24)
Related to TYPO3 Core - Task #73047: Content-Security-Policy for the Backend (Closed, 2016-01-31)

#1

Updated by Mathias Schreiber over 6 years ago

  • Target version changed from 7.0 to 7.1 (Cleanup)
#2

Updated by Benni Mack over 6 years ago

  • Target version changed from 7.1 (Cleanup) to 7.4 (Backend)
#3

Updated by Susanne Moog about 6 years ago

  • Target version changed from 7.4 (Backend) to 7.5
#4

Updated by Benni Mack almost 6 years ago

  • Target version changed from 7.5 to 7 LTS
#5

Updated by Stefan Neufeind almost 6 years ago

  • Status changed from New to Resolved

Just a few remaining evals, but all in JavaScript code. Let's IMHO close it.

#6

Updated by Peter Proell over 5 years ago

There are still (7.6) CSP issues in the backend (/typo3).

We should add a fitting CSP to the .htaccess in /typo3. Currently I am adding

Header set Content-Security-Policy "default-src * 'unsafe-eval' 'unsafe-inline';"

in /typo3/.htaccess to overrule the more strict CSP of the website itself and make the backend work as well.

It would be a nice security feature if the TYPO3 backend would support a stricter CSP.

Info on CSP:
http://content-security-policy.com/
https://de.wikipedia.org/wiki/Content_Security_Policy
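
As an added example (not TYPO3 code and not part of this ticket): two legacy eval() idioms of the kind the ticket wants removed beside their eval-free replacements, plus a check of whether a CSP header string still grants eval. The two policies are the nginx header from the description and the /typo3/.htaccess override above; all function names and sample data are made up.

```javascript
// Added example, not TYPO3 code: legacy eval() idioms, eval-free replacements,
// and a check of whether a CSP policy string still permits eval().

// Legacy: parse JSON taken from a data attribute by evaluating it as code.
// Executes arbitrary script if the attribute is attacker-controlled, and is
// blocked outright by a CSP without 'unsafe-eval'.
function parseOptionsWithEval(text) {
  return eval('(' + text + ')');
}

// Replacement: JSON.parse never executes code and is not governed by CSP.
function parseOptions(text) {
  return JSON.parse(text);
}

// Legacy: resolve a dotted path such as "TYPO3.settings.step" with eval.
function lookupWithEval(root, path) {
  return eval('root.' + path);
}

// Replacement: plain property access; a missing key yields undefined instead
// of a ReferenceError, and the path can never be turned into code.
function lookup(root, path) {
  return path.split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Does this policy still permit eval()? eval is governed by script-src,
// falling back to default-src; with neither present, CSP does not restrict
// eval at all. Directive names and keywords are ASCII case-insensitive.
function allowsEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) {
      directives.set(tokens[0].toLowerCase(),
        tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (sources === undefined) return true;
  return sources.includes("'unsafe-eval'");
}

// The two policies quoted in this ticket.
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'";
const BACKEND_OVERRIDE = "default-src * 'unsafe-eval' 'unsafe-inline'";
```

Note that a bare `*` in a source list does not grant eval; only the explicit `'unsafe-eval'` keyword does, which is why the override above needs it.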

#7

Updated by Peter Proell over 5 years ago

Opened a new ticket https://forge.typo3.org/issues/73047 as I cannot reopen this one.

#8

Updated by Riccardo De Contardi almost 4 years ago

  • Status changed from Resolved to Closed
