User Story
As an application developer, I want the ZK framework to contain no inline JavaScript, so that I can apply a stricter content security policy.
Current State
```ts
_zk._Erbx = class _Erbx extends ZKObject { //used in HTML tags
	id: string;
	dg?: zk.Draggable;
	constructor(msg: string) {
		super();
		var id = 'zk_err',
			$id = '#' + id,
			click = _zk.mobile ? ' ontouchstart' : ' onclick',
			// Use zUtl.encodeXML -- Bug 1463668: security
			html = '<div class="z-error" id="' + id + '">' +
				'<div id="' + id + '-p">' +
				'<div class="errornumbers">' + (++_errcnt) + ' Errors</div>' +
				'<div class="button"' + click + '="zk._Erbx.remove()">' +
				'<i class="z-icon-times"></i></div>' +
				'<div class="button"' + click + '="zk._Erbx.redraw()">' +
				'<i class="z-icon-refresh"></i></div></div>' +
				'<div class="messagecontent"><div class="messages">' +
				zUtl.encodeXML(msg, {multiline: true}) +
				'</div></div></div>';
```
Current Result
The generated markup uses inline scripts as event handlers:
- zk._Erbx.remove()
- zk._Erbx.redraw()
Expected Result
Eliminate these inline event handlers, because they violate the content security policy.
Other inline script
href="javascript
A search for href="javascript matches these files:
- zk/src/main/resources/web/js/zk/dom.ts
- zul/src/main/resources/web/js/zul/wgt/Area.ts
- zul/src/main/resources/web/js/zul/mesh/Paging.ts
- zul/src/main/resources/web/js/zul/wgt/A.ts
- za11y/src/main/resources/web/js/za11y/dom-a11y.ts
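
One way to meet the expected result, as an added example that is not ZK's own code: the error box markup carries a data-action attribute instead of an onclick/ontouchstart attribute, a single listener is attached from script, and a small check flags inline handlers and javascript: URLs in generated markup. The names escapeHtml (a stand-in for zUtl.encodeXML), buildErrorBox, bindErrorBox, findInlineScript and the data-action attribute are assumptions made for this sketch.

```javascript
// Added example: escapeHtml, buildErrorBox, bindErrorBox, findInlineScript
// and the data-action attribute are hypothetical names, not ZK APIs.

// Stand-in for zUtl.encodeXML: escape text before placing it in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Same structure as the error box above, but the buttons carry a
// data-action attribute instead of an onclick/ontouchstart attribute.
function buildErrorBox(msg, count) {
  const id = 'zk_err';
  return '<div class="z-error" id="' + id + '">'
    + '<div id="' + id + '-p">'
    + '<div class="errornumbers">' + count + ' Errors</div>'
    + '<div class="button" data-action="remove"><i class="z-icon-times"></i></div>'
    + '<div class="button" data-action="redraw"><i class="z-icon-refresh"></i></div></div>'
    + '<div class="messagecontent"><div class="messages">'
    + escapeHtml(msg) + '</div></div></div>';
}

// One delegated listener on the box root; listeners attached from script
// are not inline script, so a policy without 'unsafe-inline' allows them.
function bindErrorBox(root, actions, mobile) {
  root.addEventListener(mobile ? 'touchstart' : 'click', (evt) => {
    const btn = evt.target.closest ? evt.target.closest('[data-action]') : null;
    if (!btn || !root.contains(btn)) return;
    const name = btn.getAttribute('data-action');
    // Dispatch only to own properties of the action table.
    if (Object.prototype.hasOwnProperty.call(actions, name)) actions[name](evt);
  });
}

// Regression check: report inline handler attributes and javascript: URLs
// found inside the tags of a generated markup string.
function findInlineScript(html) {
  const findings = [];
  for (const tag of html.match(/<[a-zA-Z][^>]*>/g) || []) {
    const re = /\s(on[a-z]+)\s*=|\s(?:href|src|action)\s*=\s*["']?\s*(javascript:)/gi;
    let m;
    while ((m = re.exec(tag)) !== null) findings.push((m[1] || m[2]).toLowerCase());
  }
  return findings;
}
```

In the browser, bindErrorBox would be called once on the inserted box element with an action table such as { remove: ..., redraw: ... }.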