tpwd / ke_search

Search Extension for TYPO3 Content Management System, including faceting search functions.
https://extensions.typo3.org/extension/ke_search/
GNU General Public License v3.0

CSP error when trying to add filter option #231

Open Rall3n opened 2 months ago

Rall3n commented 2 months ago

TYPO3 version: 12.4.14
Ke_search version: 5.5.0

In #194 it was stated that this issue no longer appears, but with the versions mentioned above I could replicate the issue.

The problem lies with the FilterOptionTagValidator->returnFieldJs() method, which returns inline JavaScript code as a plain string. That code is eval'd on the client, triggering the CSP.

Additionally, since TYPO3 v12.4 returning a plain string in returnFieldJs() is deprecated in favor of returning a JavaScriptModuleInstruction instance.
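
The replacement described in the comment above, as an added example that is not part of the original comment and not ke_search's own code: a custom eval class whose returnFieldJs() returns a JavaScriptModuleInstruction, so the backend loads a module file instead of eval'ing a string. The namespace, class name, module path, export name and the tag rule are hypothetical.

```php
<?php

declare(strict_types=1);

// Hypothetical validator for illustration, not the ke_search class.
namespace Vendor\MyExtension\Evaluation;

use TYPO3\CMS\Core\Page\JavaScriptModuleInstruction;

final class ExampleTagValidator
{
    /**
     * Client-side part. Returning a module reference means no JavaScript
     * source travels as a string, so nothing has to be eval'd and the
     * backend CSP does not need to allow string-to-code evaluation.
     *
     * Assumptions: the '@vendor/my-extension/' prefix is mapped in the
     * extension's Configuration/JavaScriptModules.php, and the module file
     * exports a class named ExampleTagEvaluation.
     */
    public function returnFieldJs(): JavaScriptModuleInstruction
    {
        return JavaScriptModuleInstruction::create(
            '@vendor/my-extension/example-tag-evaluation.js',
            'ExampleTagEvaluation'
        );
    }

    /**
     * Server-side part, called when the record is saved. This is the
     * authoritative check; the client-side module is only a convenience.
     * Constructed rule: tags are lowercase letters, digits and underscores.
     */
    public function evaluateFieldValue($value, $is_in, &$set): string
    {
        $tag = (string)preg_replace('/[^a-z0-9_]/', '', strtolower(trim((string)$value)));
        if ($tag === '') {
            $set = false; // do not write an empty tag to the database
        }
        return $tag;
    }

    /** Called when the stored value is loaded into the form; shown unchanged. */
    public function deevaluateFieldValue(array $parameters): string
    {
        return (string)$parameters['value'];
    }
}
```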

christianbltr commented 1 month ago

Chrome 126, Firefox 128, TYPO3 12.4.14, ke_search 5.5.0

Unfortunately I'm still not able to reproduce this issue.

What browser do you use? Do you know if some settings need to be enabled in the browser?

Ironically FilterOptionTagValidator->returnFieldJs() doesn't add any logic so it can most likely just be removed: https://github.com/tpwd/ke_search/blob/8efdbdadccfefc60d014e2d6b18823dcf22889c9/Classes/UserFunction/CustomFieldValidation/FilterOptionTagValidator.php#L86

christianbltr commented 1 month ago

I tested on ddev using nginx

Rall3n commented 1 month ago

@christianbltr I think I forgot to mention it only happens when clicking on the Create new button under "Filter options" when editing a filter.

> What browser do you use? Do you know if some settings need to be enabled in the browser?

I'm using the latest Firefox (v128.0). I don't have any special settings enabled.

webdev-pw commented 1 month ago

I have the same problem with TYPO3 12.4.15 and ke_search 5.5.0 with all browsers (Chrome, Firefox, Edge).