Yoast / Yoast-SEO-for-TYPO3

Yoast SEO plugin for TYPO3
Other
51 stars 56 forks source link

"onclick" handler in template violates default content security policy #573

Open brotkrueml opened 7 months ago

brotkrueml commented 7 months ago

Please give us a description of what happened.

I am seeing violations of content security policies (activated in v12.4 via the feature flag for backend):

Blocked inline script attribute from 'inline:'

Because of this in Cornerstone.html:

<input id="{data.elementBaseName}" type="checkbox" data-formengine-input-name="data{data.elementBaseName}" value="1"
    {f:if(condition: data.databaseRow.tx_yoastseo_cornerstone, then: 'checked="checked"')}
    onclick="document.editform['data{data.elementBaseName}'].value=this.checked?(document.editform['data{data.elementBaseName}'].value|1):(document.editform['data{data.elementBaseName}'].value&0);TBE_EDITOR.fieldChanged('{data.tableName}','{data.vanillaUid}','{data.fieldName}','data{data.elementBaseName}');">

Please describe what you expected to happen and why.

No CSP violation with the default rules provided by TYPO3.

How can we reproduce this behavior?

Don't know, just saw the error on my Sentry instance.

But obviously, move the logic of the inline handler into a dedicated script file.

Technical info