
[security] Fix AJAX Loading of Inline Scripts in editFile #3976

Merged
merged 4 commits into from
Jan 30, 2025

Conversation

tabraiz12
Collaborator

What changes were proposed in this pull request?

Issue: Inline scripts from AJAX responses aren't executed due to CSP restrictions when unsafe-inline is removed.
Fix: Manually process and append scripts from AJAX responses to ensure execution.

How was this patch tested?

  • tested locally

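The approach the description sketches (split the scripts out of the fetched fragment, then re-append them as real script elements that carry the page's nonce), as an added example that is not Hue's own code. The regex splitter, the `extractScripts`/`mountFragment` names, the `#content` container, the nonce lookup and the sample fragment are all assumptions of this example, not code from the PR.

```javascript
// Added example (not Hue's code): mount an AJAX-fetched HTML fragment under a
// CSP that has no 'unsafe-inline'. Scripts inserted through innerHTML never run,
// so they are split out and re-created as real <script> elements carrying the
// page's nonce. Assumptions: the fragment is a same-origin, server-rendered
// response (it is trusted exactly as much as the page itself), and the caller
// passes the nonce it read from an existing script's .nonce property.

// Simplified splitter; in a browser a DOMParser-based split is equivalent.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Split a fragment into script-free markup plus a list of script descriptors.
function extractScripts(html) {
  const scripts = [];
  const markup = html.replace(SCRIPT_RE, (_match, attrs, body) => {
    const src = SRC_RE.exec(attrs);
    scripts.push(src ? { src: src[1], text: '' } : { src: null, text: body });
    return '';
  });
  return { markup, scripts };
}

// Insert the markup, then append each script as a fresh element so the browser
// evaluates it. Inline bodies only run because they carry the nonce; a script
// that reaches this point without one is blocked and reported by the CSP,
// which is how leftover 'unsafe-inline' dependencies get noticed.
function mountFragment(container, html, nonce) {
  const { markup, scripts } = extractScripts(html);
  container.innerHTML = markup;
  for (const s of scripts) {
    const el = document.createElement('script');
    if (nonce) el.nonce = nonce;            // IDL property, not setAttribute
    if (s.src) el.src = s.src; else el.textContent = s.text;
    container.appendChild(el);
  }
  return scripts.length;
}

// Constructed sample response (paths invented for the example).
const SAMPLE_FRAGMENT =
  '<div id="editor">file contents</div>' +
  '<script src="/static/desktop/js/editor.js"></script>' +
  '<script>window.editorReady = true;</script>';

if (typeof document !== 'undefined') {
  // The nonce attribute is hidden from getAttribute once parsed, but the
  // selector still matches it and the .nonce property returns the value.
  const nonce = document.querySelector('script[nonce]')?.nonce;
  mountFragment(document.getElementById('content'), SAMPLE_FRAGMENT, nonce);
}
```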

@tabraiz12 tabraiz12 enabled auto-merge (squash) January 30, 2025 04:45
Contributor

@JohanAhlen JohanAhlen left a comment


LGTM!

Collaborator

@bjornalm bjornalm left a comment


Nice work, can you also update the contributing-frontend.md readme file about react integrations so that we no longer encourage inline scripts the old way?

@JohanAhlen
Contributor

Nice work, can you also update the contributing-frontend.md readme file about react integrations so that we no longer encourage inline scripts the old way?

Better yet, perhaps CI can detect additions of new unsafe-inline js/css?

@tabraiz12 tabraiz12 merged commit 92719cc into master Jan 30, 2025
5 of 6 checks passed
@tabraiz12 tabraiz12 deleted the bug-bash-fixes branch January 30, 2025 14:22