[4.0] Make sure the renderer does not manipulate the inline CSS and JS #28719
wilsonge merged 6 commits into joomla:4.0-dev from
Conversation
Here is the backport to 3.x: #28720
Pls overlook my ignorance, isn't it cassiopea on J4?
Yes thanks, fixed. I worked in parallel on protostar too :D
This is going to make the source look much worse when debugging. But then again, given everyone uses dev tools in browsers these days, I guess it doesn't matter much either?
I have not noticed any difference in the dev tools. |
BTW you should not use any inline JS or inline CSS anyway, so one more reason to not use them :D
Thanks Tobias, I need a bit more info as I'm running into some weirdness.
Yes, you can ignore it. That is an issue that has been patched here too; when you apply the patch, that warning should be gone too.
// This is for full XHTML support.
if ($this->_doc->_mime !== 'text/html')
{
	$buffer .= $tab . $tab . '//<![CDATA[' . $lnEnd;
Will this CData tag still work without the line break above? Honestly don't know enough here to be sure.
How to trigger that stuff anyway? Does joomla actually support something different than html and json?
In the template of your choice something like $this->setMimeEncoding('application/xhtml+xml')
Technically it does support these things, but I think it dates back to XHTML support. We can probably get rid of it (we should try and track back its introduction first). But if we leave it in, it should work.
It seems to be there since more than 11 years: https://github.com/joomla/joomla-cms/blame/ac1822ffb8368d1e6be4c356d45088fd196c5e81/libraries/joomla/document/html/renderer/head.php#L105
Do you know how to go deeper than that commit here: 83939b8?
I mean in terms of out of scope I assume if you're running an xhtml mime type it won't work with csp ;)
Does this mean it can be removed?
I honestly have no clue. It’s probably safe. But I’m not certain either. I certainly have no clue if the CDATA tag has any use anymore - again I suspect it’s legacy. But I’m not certain
I mean in terms of out of scope I assume if you're running an xhtml mime type it won't work with csp ;)
Right we would not try to add hashes there we only do for HTML: https://github.com/joomla/joomla-cms/blob/4.0-dev/plugins/system/httpheaders/httpheaders.php#L140
I have tested this item ✅ successfully on 169e33e. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28719.
I have tested this item ✅ successfully on 169e33e. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/28719.
CDATA is for xhtml/xml documents, and as long as Document may be used to render XML I would keep it. Even if we never used it 😄
Ok, right now to me this PR looks ready then, given that I do not touch the CDATA thing and that we only apply hashes on HTML sites anyway.
I'm still not 100% sure we're getting this right, but let's give it a go.
Thanks, please merge the backport too: #28720
…om_templates
* '4.0-dev' of github.com:joomla/joomla-cms:
  Add closing quote (joomla#30353)
  [4.0] Make sure the renderer does not manipulate the inline CSS and JS (joomla#28719)
  [4.0] Atum and Cassiopea Change alerts styling - space saving + (joomla#30294)
  Update editor versions (joomla#30340)
  [4.0][mod_menu] Add space for 'menu class' (joomla#30341)
  Optimize code for aria-current (joomla#30328)
  [4.0] Composer and npm updates 10 Aug (joomla#30334)
  [4.0] fix js code style (joomla#30335)
Pull Request for Issue #28557
Summary of Changes
Make sure the renderer does not manipulate the inline CSS and JS
Testing Instructions
Add the following lines to the index.php of the cassiopea template:
Enable CSP (System -> Content-Security-Policy -> Options) and configure like this:

Expected result
Inline script and inline style tags are not modified by the renderer and can be whitelisted via a CSP.
Actual result
The style and script renderer add some spaces and line endings that break the CSP hash generation.
Documentation Changes Required
none
cc @wilsonge @SharkyKZ
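To make the failure mode in "Actual result" concrete, here is an added example (not part of this PR or of Joomla's code) that computes CSP hash source expressions the way a browser does and shows why renderer-added whitespace breaks them. The inline script and style strings are constructed samples, not the lines the testing instructions refer to, and `mangling_renderer` is an assumed approximation of the pre-patch behaviour (indentation and line endings wrapped around the content), not the actual Joomla renderer. It also generalises slightly beyond the page by accepting sha384 and sha512, the other two algorithms CSP allows.

```python
import base64
import hashlib

# Constructed sample inline content, standing in for what a site owner
# would put into the template's index.php (assumption, not from the PR).
INLINE_SCRIPT = "document.documentElement.classList.add('js');"
INLINE_STYLE = ".site-header{background:#fff}"


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for an inline block.

    A browser hashes exactly the bytes between the opening and closing tag,
    so every added space, tab or line ending changes the result.
    CSP permits sha256, sha384 and sha512.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def mangling_renderer(source: str, tab: str = "\t", ln_end: str = "\n") -> str:
    """Assumed model of the pre-patch behaviour: the renderer wraps the inline
    content in indentation and line endings before emitting it."""
    return ln_end + tab + tab + source + ln_end + tab


def passthrough_renderer(source: str) -> str:
    """Post-patch behaviour: the inline content is emitted byte-for-byte."""
    return source


def csp_allows(policy_hashes: set, rendered_inline: str, algo: str = "sha256") -> bool:
    """Mirror the browser's check: hash the rendered bytes and look for the
    expression in the policy's hash sources."""
    return csp_hash(rendered_inline, algo) in policy_hashes


def demo() -> dict:
    # The site owner computes the hashes from the source as written in index.php ...
    policy = {csp_hash(INLINE_SCRIPT), csp_hash(INLINE_STYLE)}
    # ... while the browser hashes whatever the renderer actually sent.
    return {
        "mangled_script_allowed": csp_allows(policy, mangling_renderer(INLINE_SCRIPT)),
        "passthrough_script_allowed": csp_allows(policy, passthrough_renderer(INLINE_SCRIPT)),
        "mangled_style_allowed": csp_allows(policy, mangling_renderer(INLINE_STYLE)),
        "passthrough_style_allowed": csp_allows(policy, passthrough_renderer(INLINE_STYLE)),
    }


if __name__ == "__main__":
    print("script-src 'self'", csp_hash(INLINE_SCRIPT))
    print("style-src 'self'", csp_hash(INLINE_STYLE))
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The same check applies when verifying a fix like this one: hash the inline block as it appears in the served HTML (view-source, not a dev-tools-normalised DOM) and compare it with the hash the CSP plugin emitted in the header; any mismatch means something between the template and the response altered the bytes.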