-
Notifications
You must be signed in to change notification settings - Fork 19.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix 19570 tree chart not compliant strict csp styles #19717
base: master
Are you sure you want to change the base?
Fix 19570 tree chart not compliant strict csp styles #19717
Conversation
Thanks for your contribution! To reviewers: If this PR is going to be described in the changelog in the future release, please make sure this PR has one of the following labels: This message is shown because the PR description doesn't contain the document related template. |
`background-color:${backgroundColor};` | ||
]; | ||
|
||
return `<div style="${styleCss.join('')}"></div>`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Enabling a strict policy for the style-src directive in CSP offers several security benefits for your web application:
- XSS attacks aim to inject malicious scripts into your website. By restricting stylesheet sources, you prevent attackers from embedding malicious code within stylesheets and potentially compromising user data or website functionality.
- A strict policy grants you more control over the styles applied to your website. You determine the legitimate sources for stylesheets, preventing unauthorized styles from altering your website's appearance or behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript. e.g. this, document.body.style.background = 'green'; won't cause an unsafe-inline violation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @Ovilia ,
Could you review this PR or help me find the right person?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
met the same issue , insert a styled item to dom will violate the unsafe-inline policy
`background-color:${backgroundColor};` | ||
]; | ||
|
||
return `<div style="${styleCss.join('')}"></div>`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript. e.g. this, document.body.style.background = 'green'; won't cause an unsafe-inline violation.
@gooroodev review |
Summary of Changes
Issues, Bugs, and Typos
Proposed Code Improvements
General Review of Code Quality and Style
Overall, the pull request significantly improves the compliance with strict CSP by removing inline styles and using CSS classes. The proposed changes enhance the maintainability and readability of the code. Yours, Gooroo.dev. To receive reviews automatically, install Github App |
2d34f88
to
8221d35
Compare
@gooroodev review |
Appreciate the mention, @Manviel!
Summary of Incoming Changes
Identified Issues
Code Snippets for Fixes
General ReviewThe incoming changes significantly improve the codebase by introducing modular functions and replacing inline styles with CSS classes, which enhances compliance with CSP. However, there are minor issues related to security, performance, and readability that need attention. The code quality is generally good, but a few optimizations and better naming conventions can further improve it. -- |
The changes brought by this PR can be previewed at: https://echarts.apache.org/examples/editor?version=PR-19717@8221d35 |
@plainheart Could you reivew this issue ASAP, please. |
Brief Information
This pull request is in the type of:
What does this PR do?
This pull request addresses a specific limitation concerning Content Security Policy (CSP). When CSP is enabled, direct assignments to an element's style property using a string are disallowed. However it is possible to use className instead.
Basically, innerHTML causes the violation because it inserts html that contains inline styles.
Fixed issues
Tree chart with tooltips is not compliant with strict CSP directives for styles
Details
Before: What was the problem?
CSP violation errors are thrown into browser console:
After: How does it behave after the fixing?
It no longer uses inline styles.
Document Info
One of the following should be checked.
ZRender Changes
Others
Tried to apply a similar solution as in ecomfe/zrender#1030