surveyjs / survey-library

Free JavaScript form builder library with integration for React, Angular, Vue, jQuery, and Knockout.
https://surveyjs.io/form-library
MIT License
4.11k stars, 799 forks

Content Security Policy compatibility broken #877

Closed MrKrabat closed 4 years ago

MrKrabat commented 6 years ago

Are you requesting a feature, reporting a bug or asking a question?

The newest release 1.0.2 broke compatibility with Content Security Policy (CSP), which forbids the use of inline JavaScript and the use of the "eval()" function.

What is the current behavior?

Browser refuses to execute JavaScript. Survey is not showing up at all.

What is the expected behavior?

Everything works as it was with 1.0.1.

How would you reproduce the current behavior (if this is a bug)?

Inject a CSP for testing purposes. Add to the HTML head: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';">

Provide the test code and the tested page URL (if applicable)

Tested page URL: press F12 to open your JavaScript console!
SurveyJS 1.0.2 (broken): https://iq4s-2.hci.uni-hannover.de/tmp/index.php?id=4ff93b77
SurveyJS 1.0.1 (working): https://iq4s-2.hci.uni-hannover.de/master/index.php?id=4ff93b77

Test code not needed.

Specify your
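As an added example (not part of this issue or of the SurveyJS code base), the following JavaScript parses a policy string like the one in the `<meta>` tag above and reports whether `eval()`, inline scripts and inline styles would be blocked by it. It implements two CSP rules that are easy to get wrong when testing a library against a policy: `script-src`/`style-src` fall back to `default-src` when absent, and `'unsafe-inline'` is ignored once a nonce or hash source is present. The function names (`parseCsp`, `blockedBehaviours`, ...) and the constant `REPORTED_POLICY` are my own; the policy value is copied from the reporter's `<meta>` tag.

```javascript
// Added example: evaluate a CSP string for the behaviours this issue is about
// (eval()/new Function and inline <script>/<style>). Not part of SurveyJS.

// Parse a CSP header/meta value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src / style-src fall back to default-src when absent. If neither is
// present the policy places no restriction on that resource type (null).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Would eval(), new Function() and setTimeout("string") run under this policy?
function allowsEval(policy) {
  const sources = effectiveSources(parseCsp(policy), "script-src");
  return sources === null || hasKeyword(sources, "'unsafe-eval'");
}

// Would inline <script> blocks / inline <style> run under this policy?
// directive is "script-src" or "style-src". 'unsafe-inline' is ignored
// as soon as the directive also carries a nonce or hash source.
function allowsInline(policy, directive) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  return !hasNonceOrHash(sources) && hasKeyword(sources, "'unsafe-inline'");
}

// Summarise which behaviours a library relying on them would lose.
function blockedBehaviours(policy) {
  const blocked = [];
  if (!allowsEval(policy)) blocked.push("eval");
  if (!allowsInline(policy, "script-src")) blocked.push("inline-script");
  if (!allowsInline(policy, "style-src")) blocked.push("inline-style");
  return blocked;
}

// The policy from the bug report (copied from the <meta> tag above).
const REPORTED_POLICY =
  "default-src 'self'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';";

// Usage: prints [ 'eval', 'inline-script' ] for the reporter's policy, i.e.
// scripts may not use eval or inline code, while inline styles are allowed.
console.log(blockedBehaviours(REPORTED_POLICY));
```

Running this against a candidate policy before switching on enforcement tells you which of the three behaviours a dependency would have to avoid; the same check is a reasonable pre-deployment test for any third-party widget, since a library that needs `'unsafe-eval'` forces you to weaken `script-src` for the whole page.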

tsv2013 commented 6 years ago

Thank you for the valuable feedback, @MrKrabat! This issue is related to the fact that we started using the Knockout core instead of React+preact in the Angular and jQuery libraries. If you need CSP compatibility, you can use the "survey-react" library as a workaround for now. We will discuss this issue with the team and update this thread as soon as we find a solution.

tsv2013 commented 6 years ago

@MrKrabat Could you please describe your requirements in greater detail, if possible: what real-world application are you developing, a web site, an Electron app, a Chrome extension, a Chrome app or something else? Probably you have other security requirements you can tell us about.

MrKrabat commented 6 years ago

Thanks, we are developing a web site which allows employees of the institute to create surveys. We use SurveyJS to render a preview in our editor and to display the online surveys.

In general we have no special security requirements, but being CSP compatible and disabling inline JavaScript and eval() should be standard for new applications today.

tsv2013 commented 6 years ago

@MrKrabat Thank you for the information you provided. We understand the importance of CSP compatibility and have included this feature in our task list. We'll update this thread as soon as we have some results.

ozatski commented 5 years ago

Having the same issue with v1.0.60.

tsv2013 commented 5 years ago

@ozatski Yes, we've not changed this behavior.

Lionqueen94 commented 4 years ago

How high is making SurveyJS compatible with CSP on the task list at the moment? And is there a version of SurveyJS that is CSP compatible (in a comment it was stated that the react version was, but is this still the case)? I'm using the jquery version at the moment.

tsv2013 commented 4 years ago

@Lionqueen94 No, we've postponed this task at the moment.

tsv2013 commented 4 years ago

@Lionqueen94 But the React version should still be CSP compatible.

sabaansari86 commented 4 years ago

Hi any updates on this issue? Is there a fix yet? I am facing the same issue.

tsv2013 commented 4 years ago

@sabaansari86 You can use the survey-react library as I wrote earlier.

sabaansari86 commented 4 years ago

The problem is we are using the custom widgets from SurveyJS that have the Knockout dependency. Also SurveyJS itself has a dependency on Knockout.

tsv2013 commented 4 years ago

@sabaansari86 You can use the survey-react library as I wrote earlier. The survey-react library doesn't have a knockoutjs dependency. Custom widgets also don't use knockoutjs.

If it doesn't, please provide a live sample illustrating the issue.

mattdeacon commented 3 years ago

The survey-react library still uses stylemanager and uses inline styles ... this really should not be closed until it is resolved surely!

tsv2013 commented 3 years ago

@mattdeacon What's the problem with the inline styles and the styles manager?

gawielgo commented 3 years ago

hi guys, is there any possibility that the survey-angular will also be adapted?

tsv2013 commented 3 years ago

@gawielgo survey-angular is a wrapper over the survey-knockout package. We have a native Angular implementation out of the box in our plans, but not exactly right now.

gawielgo commented 2 years ago

hi @tsv2013, sorry if I ask you again... when do you plan to release that version? If it's possible to know...

tsv2013 commented 2 years ago

Our roadmap for the nearest future was announced by @andrewtelnov here - https://github.com/surveyjs/survey-library/issues/2756#issuecomment-967461460

After SurveyJS Creator V2 we plan to start work on native Angular implementation (latest Angular). Unfortunately we can't promise you the exact timeframe.

gawielgo commented 2 years ago

hi @tsv2013, is there any news on native survey-angular?

tsv2013 commented 2 years ago

@gawielgo We started to work on it in this branch - https://github.com/surveyjs/survey-library/tree/feature/3681-native-ng