[4.0] Make sure the renderer does not manipulate the inline CSS and JS

[zero-24]

Pull Request for Issue #28557

Summary of Changes

Make sure there renderer does not manipulate the inline CSS and JS

Testing Instructions

Add the following lines to the index.php of the cassiopea template:

// Add inline JavaScript
Factory::getDocument()->addScriptDeclaration('
    window.event("domready", function() {
        alert("An inline JavaScript Declaration");
    });
');

// Add inline Style
Factory::getDocument()->addStyleDeclaration('
	body {
		background: #00ff00;
		color: rgb(0,0,255);
	}
');

Enable CSP (System -> Content-Security-Policy -> Options) and configure like this:

• visit the frontend
• notice that the styles and scripts are blocked before the patch
• apply the patch
• notice it is working now

Expected result

inline script and inline style tags are not modified by the renderer and can be whitelisted via an csp.

Actual result

the style and script renderer add some spaces and line endings that breaks the CSP hash generation.

Documentation Changes Required

none

cc @wilsonge @SharkyKZ

[zero-24]

Here is the backport to 3.x: #28720

[Bodge-IT]

Pls overlook my ignorance, isn't it cassiopea on J4?

[zero-24]

Yes thanks fixed. I worked in parallel on protostar too :D

[wilsonge]

This is going to make the source look much worse when debugging. But then again given everyone uses dev tools in browsers these days I guess it doesn't matter much either?

[zero-24]

This is going to make the source look much worse when debugging. But then again given everyone uses dev tools in browsers these days I guess it doesn't matter much either?

I have not noticed any difference in the dev tools.

[zero-24]

BTW you should not use any inline JS or Inline CSS anyway so one more reason to not use them :D

[Bodge-IT]

Yes thans fixed. I worked in parallel on protostar too :D

Thanks Tobias, I need a bit more info as running into some wierdness.
With security policy enabled or disabled, I get this warning:
( ! ) Warning: hash() expects parameter 2 to be string, array given in F:\xampp\htdocs\j4test\plugins\system\httpheaders\httpheaders.php on line 178
Can I ignore?
Also, I'm testing this locally, that OK for this PR?

[zero-24]

Yes you can ignore it. That is an issue that has been patched here too when you apply the patch that Warning should be gone too.

[wilsonge]

Will this CData tag still work without the line break above? Honestly don't know enough here to be sure.

[zero-24]

How to trigger that stuff anyway? Does joomla actually support something different than html and json?

[wilsonge]

In the template of your choice something like $this->setMimeEncoding('application/xhtml+xml')

[wilsonge]

Technically it does support these things - but I think it dates back to XHTML support. We can probably get rid of it (we should try and track back it's introduction first). But if we leave it in it should work

[zero-24]

It seems to be there since more than 11 years: https://github.com/joomla/joomla-cms/blame/ac1822ffb8368d1e6be4c356d45088fd196c5e81/libraries/joomla/document/html/renderer/head.php#L105

Do you know how to go deeper than that commit here: 83939b8?

[wilsonge]

I mean in terms of out of scope I assume if you're running an xhtml mime type it won't work with csp ;)

[roland-d]

Does this mean it can be removed?

[roland-d]

@wilsonge @zero-24 ^^

[wilsonge]

I honestly have no clue. It’s probably safe. But I’m not certain either. I certainly have no clue if the CDATA tag has any use anymore - again I suspect it’s legacy. But I’m not certain

[zero-24]

I mean in terms of out of scope I assume if you're running an xhtml mime type it won't work with csp ;)

Right we would not try to add hashes there we only do for HTML: https://github.com/joomla/joomla-cms/blob/4.0-dev/plugins/system/httpheaders/httpheaders.php#L140

[vlaucht]

I have tested this item ✅ successfully on 169e33e

Tested with Chrome on Win64

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28719.}

[jmeintrup]

I have tested this item ✅ successfully on 169e33e

Tested successfully.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28719.}

[richard67]

@wilsonge @zero-24 I'm waiting with RTC until your above discussion is resolved.

[Fedik]

CDATA for xhtml/xml document, and as long as Document may be used for render XML I would keep it. Even if we never used it 😄

https://stackoverflow.com/a/66865/1000711

[zero-24]

Ok right now to me this PR looks ready than given that I do not touch the CDATA thing and that we only apply hashes on HTML sites anyway.

[wilsonge]

I'm still not 100% we're getting this right - but let's give it a go

[zero-24]

Thanks please merge the backport too: #28720