Send comment bug

[jio3252]

What is going wrong?

When sending a comment on a poll, the arrow button just spinns indefinitely.
The comment is send though.

To Reproduce
Steps to reproduce the behavior:

1. Create new poll
2. Write a comment (as guest or registered user)
3. Press on the arrow to send the comment
4. See error

Expected behavior
After sending a comment, the comment should appear.

Screenshots

Information about your polls installation

Current version

Fresh installation or update from a prior version (from which one)?
Fresh installation

How did you install this version?(Appstore or describe installation)
Appstore

Information about your Instance of Nextcloud/ownCloud

Nextcloud 15

Which Version?
15.0.10

List of activated apps:
Default apps plus Calender and Polls

Server configuration

Operating system:
Debian stretch

Web server:
apache

Database:
Mariadb

Client configuration

Device:
Desktop

Browser:
Firefox 64

Operating system:
Win 10

[dartcafe]

It is somehow strange. I don't have this issue. Like #461. Seems to be the same effect.

[jio3252]

I just setup a new local nexcloud server and the issue reappeared.

[jio3252]

Also tested possible differences between Firefox and Chromium. The issue appears in both cases.

[jio3252]

To reproduce the issue, you can use the following docker compose file:

create "docker-compose.yml" with the following

version: '2'

volumes:
nextcloud:
db:

services:
db:
image: mariadb
restart: always
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=test123
- MYSQL_PASSWORD=test123
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud

app:
image: nextcloud
ports:
- 80:80
links:
- db
volumes:
- nextcloud:/var/www/html
restart: always

install and run "docker-compose up"

Connect to your ip in Browser.

[v1r0x]

Is there an error in your browser's console? or nextcloud.log?

[jio3252]

Is there an error in your browser's console? or nextcloud.log?

Nice hint, found the error:

EvalError: call to Function() blocked by CSP

Its the Content Security Policy

Since the docker setup enables this protection and nextcloud itself works just fine, it is probably an issue of poll. Is there a way for nextcloud apps to whitelist this?

[v1r0x]

Is there some more information where this happens? E.g. line number, file name, ...

It is (at least around NC 10/11) possible to whitelist certain functions/types in the CSP. To whitelist them, I need the type (image-src, script-src, ...) of the blocked content. Thus, I need some more information about the error.

Thanks for investigating!

[dartcafe]

I get these messages on another firefox instance and with chrome:

The entered message got saved and I see it after a reload.

EvalError: call to Function() blocked by CSP core.js:552:26865
	createFunctionContext https://nextcloud.yagst.de/core/vendor/core.js:552:26865
	compile https://nextcloud.yagst.de/core/vendor/core.js:552:25477
	d https://nextcloud.yagst.de/core/vendor/core.js:552:15946
	e https://nextcloud.yagst.de/core/vendor/core.js:552:16019
	<anonym> https://nextcloud.yagst.de/apps/polls/js/vote.js:232:28
	j https://nextcloud.yagst.de/core/vendor/core.js:2:26920
	fireWith https://nextcloud.yagst.de/core/vendor/core.js:2:27738
	x https://nextcloud.yagst.de/core/vendor/core.js:4:11251
	b/< https://nextcloud.yagst.de/core/vendor/core.js:4:14765

and
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("script-src"). core.js:552:26864

[v1r0x]

Can't find use of eval in the code. Only in create-poll.js. Looks like an external component/script uses eval

[dartcafe]

Seems, that this error only occurs on public pages. I suspect the avatar... But this is just a guess.

[dartcafe]

Recall: happens also when logged in.

[dartcafe]

Output from chrome's console:

core.js?v=e934ec74-2:552 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-R3R[...]FBldz0='".

    at e.Function (<anonymous>)
    at e.createFunctionContext (core.js?v=e934ec74-2:552)
    at e.compile (core.js?v=e934ec74-2:552)
    at d (core.js?v=e934ec74-2:552)
    at e (core.js?v=e934ec74-2:552)
    at Object.success (vote.js?v=e934ec74-2:232)
    at j (core.js?v=e934ec74-2:2)
    at Object.fireWith [as resolveWith] (core.js?v=e934ec74-2:2)
    at x (core.js?v=e934ec74-2:4)
    at XMLHttpRequest.<anonymous> (core.js?v=e934ec74-2:4)
createFunctionContext @ core.js?v=e934ec74-2:552
compile @ core.js?v=e934ec74-2:552
d @ core.js?v=e934ec74-2:552
e @ core.js?v=e934ec74-2:552
(anonymous) @ vote.js?v=e934ec74-2:232
j @ core.js?v=e934ec74-2:2
fireWith @ core.js?v=e934ec74-2:2
x @ core.js?v=e934ec74-2:4
(anonymous) @ core.js?v=e934ec74-2:4
load (async)
send @ core.js?v=e934ec74-2:4
ajax @ core.js?v=e934ec74-2:4
n.(anonymous function) @ core.js?v=e934ec74-2:4
(anonymous) @ vote.js?v=e934ec74-2:231
dispatch @ core.js?v=e934ec74-2:3
r.handle @ core.js?v=e934ec74-2:3

[dartcafe]

On debugging, the error is thrown after executing this line

polls/js/vote.js

Line 252 in 408cccd

}).error(function () {

[dartcafe]

Seems to be a problem in using handlebars.
After removing

polls/js/vote.js

Line 232 in 408cccd

$('#no-comments').after(tmpl_comment(data));

the CSP error does not occur anymore (besides, that the comment is not inserted visually).

[dartcafe]

replacing hte line with

$('#no-comments').after(
	'<li class="comment flex-column"> ' +
	'<div class="authorRow user-cell flex-row"> ' +
	'<div class="avatar missing" title="' + data.userId + '"></div> ' +
	'<div class="author">' + data.displayName + '</div>' +
	'<div class="date has-tooltip live-relative-timestamp datespan" data-timestamp="' + data.timeStamp + '" title="' + data.date + '">' + data.relativeNow + '</div>' +
	'</div>' +
	'<div class="message wordwrap comment-content">' + data.comment + '</div>' +
	'</li>'
);

works. Not beautiful, but a quick fix before the vue migration.