"onclick" handler in template violates default content security policy
brotkrueml opened this issue · 0 comments
brotkrueml commented
Please give us a description of what happened.
I am seeing violations of content security policies (activated in v12.4 via the feature flag for backend):
Blocked inline script attribute from 'inline:'
Because of this in Cornerstone.html:
<input id="{data.elementBaseName}" type="checkbox" data-formengine-input-name="data{data.elementBaseName}" value="1"
{f:if(condition: data.databaseRow.tx_yoastseo_cornerstone, then: 'checked="checked"')}
onclick="document.editform['data{data.elementBaseName}'].value=this.checked?(document.editform['data{data.elementBaseName}'].value|1):(document.editform['data{data.elementBaseName}'].value&0);TBE_EDITOR.fieldChanged('{data.tableName}','{data.vanillaUid}','{data.fieldName}','data{data.elementBaseName}');">
Please describe what you expected to happen and why.
No CSP violation with the default rules provided by TYPO3.
How can we reproduce this behavior?
Don't know, just saw the error on my Sentry instance.
But obviously, move the logic of the inline handler into a dedicated script file.
Technical info
- TYPO3 version: 12.4.14
- Yoast SEO version: 9.0.3