
CSP issues #102

Closed
Lueders-Martin opened this issue Mar 16, 2022 · 1 comment

@Lueders-Martin

I am trying to make my django project, which is using crispy_bootstrap5, as tight as possible wrt CSP.
However, I noticed one CSP problem inside crispy_forms, which tracks down to a template in crispy_bootstrap5.

In templates/bootstrap5/layout/field_file.html

    <div class="form-control d-flex h-auto">
        <span class="text-break" style="flex-grow:1;min-width:0">
            <a href="{{ field.value.url }}">{{ field.value.name }}</a>

you use an inline style, which would require the strongly discouraged CSP option:
style-src = 'unsafe-inline'

An alternative to fix this would be to replace the explicit style attribute by an extended class="text-break flex-grow-1" or similar.

Would it be possible to consider this, so that web pages using crispy_forms can be made more secure?

Thanks for the consideration
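
As an added illustration of the report above (not code from crispy_bootstrap5 or from the issue author), the following Python script parses a Content-Security-Policy header, scans a rendered template fragment for `style` attributes and `<style>` elements, and reports the ones a `style-src` without `'unsafe-inline'` would block. The `BEFORE`/`AFTER` fragments and the policy strings are constructed samples; the `flex-grow-1` fix is the hypothetical variant the issue suggests.

```python
from html.parser import HTMLParser

# Constructed samples (not the project's files): the fragment quoted in the
# issue, and a hypothetical fix that uses only Bootstrap utility classes.
BEFORE = '''<div class="form-control d-flex h-auto">
    <span class="text-break" style="flex-grow:1;min-width:0">
        <a href="{{ field.value.url }}">{{ field.value.name }}</a>
    </span>
</div>'''
AFTER = BEFORE.replace('<span class="text-break" style="flex-grow:1;min-width:0">',
                       '<span class="text-break flex-grow-1">')
STRICT_CSP = "default-src 'self'; style-src 'self'"


class InlineStyleFinder(HTMLParser):
    """Collects every style="" attribute and every <style> element."""
    def __init__(self):
        super().__init__()
        self.style_attrs = []  # (tag, css text)
        self.style_elements = 0

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.style_elements += 1
        self.style_attrs += [(tag, v or "") for k, v in attrs if k == "style"]


def parse_csp(header):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def inline_style_violations(html, csp_header):
    """Return the inline-style uses that the header's style-src would block."""
    policy = parse_csp(csp_header)
    # style-src falls back to default-src when it is absent.
    sources = policy.get("style-src", policy.get("default-src", []))
    if "'unsafe-inline'" in sources:
        return []
    finder = InlineStyleFinder()
    finder.feed(html)
    # Nonce/hash sources can admit <style> elements but not style attributes
    # (those need 'unsafe-inline' or a hash plus 'unsafe-hashes'); both are
    # reported here, which is exact for a plain 'self' policy like STRICT_CSP.
    found = [f"<{tag}> style attribute: {css}" for tag, css in finder.style_attrs]
    return found + ["<style> element"] * finder.style_elements
```

Running `inline_style_violations(BEFORE, STRICT_CSP)` flags the `<span>` attribute, while the `AFTER` fragment passes the same strict policy.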

@smithdc1
Member

Thanks for the report, a PR making the change would be welcomed.

@smithdc1 smithdc1 linked a pull request Apr 14, 2022 that will close this issue
smithdc1 added a commit that referenced this issue Jul 6, 2022
@smithdc1 smithdc1 closed this as completed Jul 6, 2022