Open jptissot opened 3 years ago
sebastienros
commented
3 years ago Fine to keep javascript as long as it's bound to the same permissions (admin?) as creating/altering templates. If we can't prevent, or if it's better to let it accessible to users, then change it to a json document.
jptissot
commented
3 years ago Antoine fixed the exception but this should remain open to find a safer way to pass the settings to the client
nogginbox
commented
3 years ago @jptissot if this ticket is to remain open, but it has been fixed, can it be moved to a later milestone? Or should a more specific ticket be created?
jptissot
commented
3 years ago I update the title / description with the two issues. The first issue is resolved but we should still fix the second.
I found two issues with the trumbowyg editor.
First, if you setup a content type with the trumbowyg editor and don't specify the options (via the ContentDefinitionManager or via a recipe), the page throws a javascript error because the output js is invalid.
Second, I don't think it's a good idea to output javascript directly in the browser like this. I am pretty sure this is a security issue?
I suggest we pass the settings via a
data-attribute./cc @agriffard