ZK-5716: Eliminate various inline script

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Critical
    • Versions: 10.1.0, 10.0.0
    • Security Level: Jimmy

      User Story

      As an application developer, I want the ZK framework to contain no inline JavaScript, so that I can apply a stricter Content Security Policy.

      Current State

      _zk._Erbx = class _Erbx extends ZKObject { //used in HTML tags
      	id: string;
      	dg?: zk.Draggable;
      	constructor(msg: string) {
      		super();
      		var id = 'zk_err',
      			$id = '#' + id,
      			// inline event-handler attribute: a CSP without 'unsafe-inline' or 'unsafe-hashes' blocks it
      			click = _zk.mobile ? ' ontouchstart' : ' onclick',
      			// Use zUtl.encodeXML -- Bug 1463668: security
      			html = '<div class="z-error" id="' + id + '">'
      			+ '<div id="' + id + '-p">'
      			+ '<div class="errornumbers">' + (++_errcnt) + ' Errors</div>'
      			+ '<div class="button"' + click + '="zk._Erbx.remove()">'
      			+ '<i class="z-icon-times"></i></div>'
      			+ '<div class="button"' + click + '="zk._Erbx.redraw()">'
      			+ '<i class="z-icon-refresh"></i></div></div>'
      			+ '<div class="messagecontent"><div class="messages">'
      			+ zUtl.encodeXML(msg, {multiline: true}) + '</div></div></div>';
      		// ... remainder of the constructor is not quoted in this issue
      	}
      };


      Current Result

      Inline script in event-handler attributes (onclick / ontouchstart):

      • zk._Erbx.remove()
      • zk._Erbx.redraw()

      Expected Result

      Eliminate these inline handlers, because they violate the Content Security Policy.

      Other inline script

      javascript: URLs in href attributes (found by searching for href="javascript) in:

      • zk/src/main/resources/web/js/zk/dom.ts
      • zul/src/main/resources/web/js/zul/wgt/Area.ts
      • zul/src/main/resources/web/js/zul/mesh/Paging.ts
      • zul/src/main/resources/web/js/zul/wgt/A.ts
      • za11y/src/main/resources/web/js/za11y/dom-a11y.ts
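      Added example (not ZK project code): the error-box markup from the Current State rebuilt without inline event handlers, next to a small scanner that flags the two inline-script patterns this issue lists (on* attributes and href="javascript:). The names buildErrorBox, attachErrorBoxHandlers, findInlineScript, escapeXml and the data-zk-action attribute are assumptions for this example, not ZK APIs; escapeXml stands in for zUtl.encodeXML, and the touch/click choice uses feature detection instead of _zk.mobile.

```javascript
// Added example for ZK-5716; not the ZK project's own code.
// Names below (buildErrorBox, attachErrorBoxHandlers, findInlineScript,
// escapeXml, data-zk-action) are this example's own assumptions.

// Stand-in for zUtl.encodeXML: escape text before it is placed in markup.
function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened markup: buttons carry a data-zk-action attribute instead of
// onclick="zk._Erbx.remove()" / onclick="zk._Erbx.redraw()".
function buildErrorBox(msg, errcnt, id = 'zk_err') {
  return '<div class="z-error" id="' + id + '">'
    + '<div id="' + id + '-p">'
    + '<div class="errornumbers">' + errcnt + ' Errors</div>'
    + '<div class="button" data-zk-action="remove"><i class="z-icon-times"></i></div>'
    + '<div class="button" data-zk-action="redraw"><i class="z-icon-refresh"></i></div></div>'
    + '<div class="messagecontent"><div class="messages">'
    + escapeXml(msg) + '</div></div></div>';
}

// One delegated listener replaces every inline handler. This is the only
// part that needs a real DOM, so it is wired up only when one exists.
// `actions` maps the data-zk-action value to a function, e.g.
// { remove: zk._Erbx.remove, redraw: zk._Erbx.redraw } (assumed shape).
function attachErrorBoxHandlers(root, actions) {
  const eventName = ('ontouchstart' in root) ? 'touchstart' : 'click';
  root.addEventListener(eventName, (ev) => {
    const btn = ev.target.closest && ev.target.closest('[data-zk-action]');
    const fn = btn && actions[btn.getAttribute('data-zk-action')];
    if (fn) fn();
  });
}

// Scanner: report inline event-handler attributes (onclick=, ontouchstart=, ...)
// and javascript: hrefs, the patterns a strict CSP blocks. Regex-based, so it
// is a review aid over generated markup, not a full HTML parser.
function findInlineScript(html) {
  const findings = [];
  const handlerRe = /\son[a-z]+\s*=\s*["']([^"']*)["']/gi;
  const hrefRe = /href\s*=\s*["']\s*javascript:([^"']*)["']/gi;
  let m;
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'event-handler', attr: m[0].trim().split('=')[0], code: m[1] });
  }
  while ((m = hrefRe.exec(html)) !== null) {
    findings.push({ kind: 'javascript-url', code: m[1] });
  }
  return findings;
}

// Constructed sample of pre-fix markup of the kind the issue describes.
const LEGACY_MARKUP = '<div class="button" onclick="zk._Erbx.remove()"><i class="z-icon-times"></i></div>'
  + '<a href="javascript:;" class="z-paging-next">next</a>';

if (typeof document !== 'undefined') {
  // Browser usage: render the hardened box and attach the delegated handler.
  document.body.insertAdjacentHTML('beforeend', buildErrorBox('Sample error', 1));
  attachErrorBoxHandlers(document.getElementById('zk_err'), {
    remove: () => document.getElementById('zk_err').remove(),
    redraw: () => console.log('redraw requested'),
  });
} else {
  console.log('legacy findings:', findInlineScript(LEGACY_MARKUP));
  console.log('hardened findings:', findInlineScript(buildErrorBox('Boom <b>', 1)));
}
```

      Running findInlineScript over the legacy sample reports one event-handler attribute and one javascript: URL, while the hardened markup reports nothing; the scanner is the check to run over a framework's generated HTML before tightening script-src.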

      Workaround

      Use the CSP 'unsafe-hashes' source expression, together with a hash of each inline handler body, until the handlers are removed.

            People: jumperchen, hawk
            Votes: 0
            Watchers: 4