Actions
Task #96187
closed
Epic #87417: Integrate proper Content Security Policy (CSP) handling
Task #87418: Refactor and remove usage of inline scripts in backend
Avoid CKEditor4 inline JavaScript
Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend JavaScript
Target version:
-
Start date:
2021-12-02
Due date:
% Done:
0%
Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
Complexity:
Sprint Focus:
Description
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/plugins/clipboard/dialogs/paste.js#L140-L142
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/plugins/preview/plugin.js#L186
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/core/dom/document.js#L276
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/plugins/docprops/dialogs/docprops.js#L148-L154
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/plugins/wysiwygarea/plugin.js#L33-L36
- https://github.com/ckeditor/ckeditor4/blob/4.17.1/plugins/dialog/plugin.js#L199-L206
Actually this should lead to failures in acceptance tests now already, but is does not...
Using
'strict-dynamic' is not an option for document.write due to CSP L3 rules
- https://w3c.github.io/webappsec-csp/#strict-dynamic-usage
- https://html.spec.whatwg.org/#parser-inserted -
document.writeis "parser-inserted" and not considered applicable for "strict-dynamic"
Updated by
Updated by Oliver Hader almost 2 years ago
- Status changed from Accepted to Closed
→ see #96874 CKEditor5, fixing CKEditor4 was not an option
Actions