Export Excel with enable CSP #194
Thanks for letting me know about that. I'll dig into it next week. It might require the XML to be created using nodes rather than just a string :(
I haven't been able to reproduce this error I'm afraid. If I add a simple meta tag to enable CSP:
and set up the table to allow Excel file creation, then it works okay: https://live.datatables.net/wociliya/1/edit . What am I missing?
It's my mistake. I use DOMPurify,
so XML passed to the DOM is sanitized.
Sorry, I'm not quite following along. Can you let me know what I need to set the CSP to in order to see this error please? Or perhaps you could update this example to demonstrate the issue?
Yes.
And I get an error. If I fix this error with `if (window.trustedTypes && window.trustedTypes.createPolicy) {`, I need to use the sanitizer for the Excel XML too.
Thanks. The error is actually coming from jQuery there. Interestingly enough, Firefox doesn't implement that CSP and it runs fine. It fails in Chrome though. It looks like there is an open issue on the jQuery repo for this.
Looking in on this again, and if you have

```js
window.trustedTypes.createPolicy('default', {
  createScriptURL: (s) => s,
  createHTML: s => s,
});
```

Although obviously that negates any security. Don't do it! However, if you are specifying tight security for writing to the DOM, you need to provide a sanitizer, and this is the construct you'd use for it. I don't think it is the responsibility of this library to provide that (in the same way that it doesn't set the CSP), therefore going to close as out of scope.
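The pass-through policy quoted above exists only to make the console error go away. What a practitioner actually wants is the same `createPolicy('default', …)` construct with a sanitizer behind it, plus a fallback for browsers without Trusted Types, so the page behaves the same everywhere. The following is an added example, not code from the DataTables/Buttons project or from anyone in this thread. The sanitizer hook (`escapeAllMarkup`), the script-origin allowlist, the page origin and the `fakeTrustedTypes` stand-in for `window.trustedTypes` are all assumptions made so the example runs under Node; in a real page you would pass a proper HTML sanitizer such as DOMPurify.sanitize and hand `window.trustedTypes` to `makeDefaultPolicy`.

```javascript
'use strict';

// Placeholder sanitizer for the example: escapes every character with meaning
// in markup, so nothing it returns can create elements. A real page would call
// a proper sanitizer here (e.g. DOMPurify.sanitize); the point of the thread is
// only that the policy must sanitize rather than pass the string through.
function escapeAllMarkup(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return html.replace(/[&<>"']/g, (c) => map[c]);
}

// The policy rules, kept separate so the same checks run whether or not the
// browser supports Trusted Types. `allowedScriptOrigins` and `pageOrigin`
// (used to resolve relative script URLs) are assumptions for this example.
function policyRules({ sanitizeHtml, allowedScriptOrigins, pageOrigin }) {
  return {
    createHTML: (input) => sanitizeHtml(String(input)),
    createScriptURL: (input) => {
      const url = new URL(String(input), pageOrigin);
      if (!allowedScriptOrigins.includes(url.origin)) {
        throw new TypeError(`script URL origin not allowed: ${url.origin}`);
      }
      return url.href;
    },
  };
}

// A policy named "default" is the one the browser applies automatically when a
// plain string reaches a sink under require-trusted-types-for 'script', so it
// also covers writes made by third-party code such as jQuery. Without Trusted
// Types support (Firefox at the time of the thread) the same rules are returned
// as plain functions, so call sites behave identically.
function makeDefaultPolicy(trustedTypes, options) {
  const rules = policyRules(options);
  if (trustedTypes && typeof trustedTypes.createPolicy === 'function') {
    return trustedTypes.createPolicy('default', rules);
  }
  return { name: 'default', ...rules };
}

// Stand-in for window.trustedTypes so the example runs under Node. It mirrors
// only createPolicy() and wraps results in tagged objects, the way the real
// API returns TrustedHTML / TrustedScriptURL values.
function fakeTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`policy "${name}" already exists`);
      names.add(name);
      const wrap = (type, fn) => (input) => {
        const value = fn(String(input));
        return { type, toString: () => value };
      };
      return {
        name,
        createHTML: wrap('TrustedHTML', rules.createHTML),
        createScriptURL: wrap('TrustedScriptURL', rules.createScriptURL),
      };
    },
  };
}

// Assumed configuration for the example page.
const EXAMPLE_OPTIONS = {
  sanitizeHtml: escapeAllMarkup,
  allowedScriptOrigins: ['https://cdn.datatables.net'],
  pageOrigin: 'https://app.example/',
};

// In a browser: makeDefaultPolicy(window.trustedTypes, EXAMPLE_OPTIONS);
const demoPolicy = makeDefaultPolicy(fakeTrustedTypes(), EXAMPLE_OPTIONS);
console.log(demoPolicy.name, String(demoPolicy.createHTML('<img src=x onerror="alert(1)">')));
```

Because a `default` policy sees every string written through a guarded sink, the worksheet XML the Excel export builds goes through the same `createHTML` hook; a sanitizer configured for HTML may strip or rewrite elements that the spreadsheet needs, which is the "need to use the sanitizer for the Excel XML too" problem raised earlier in the thread.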
I get this error in the console:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-fvLdnKXmxntehxxIMVSB5YnK+8d92LveagzKckkSwX8=' 'sha256-GNRobwOTyGkozwJdtGT1E9I56OarlRhieZn/F+TNgE8=' 'sha256-vK1+3up6XZFYcAPUBBXM6GUs17xUZBHFVfTOuf9gmng=' 'sha256-glb80g0YSZJ4+Iqv0pIJEIZkAgKUqpLrDc+LvKAGqkk=' 'sha256-j5x3OyPLy5hpwkYnV9YYltBj+QRBKmkbfNzoXl0gchA=' 'sha256-WR7qzNkY4rs4D8buIweX2fTWpDKTBiTFUwg2dtOWHxo=' 'sha256-OYqGOQCX6Gi3nDyz8GKw3p5VbYdq44yqXgoDgvVJdPU=' 'sha256-RvAvREUHojDuwHylTVWZp9DhleqLs6ml8G7LpjCF+EY=' 'sha256-OzRQ42XE++h1N4x+cOYeQE8s9BxAfc45zdfTkIfO8LM='". Either the 'unsafe-inline' keyword, a hash ('sha256-ICa0DhwZQJsOd/Rn0N8H6FdQ71GfNL+op2zhAQ+Y4mM='), or a nonce ('nonce-...') is required to enable inline execution.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-fvLdnKXmxntehxxIMVSB5YnK+8d92LveagzKckkSwX8=' 'sha256-GNRobwOTyGkozwJdtGT1E9I56OarlRhieZn/F+TNgE8=' 'sha256-vK1+3up6XZFYcAPUBBXM6GUs17xUZBHFVfTOuf9gmng=' 'sha256-glb80g0YSZJ4+Iqv0pIJEIZkAgKUqpLrDc+LvKAGqkk=' 'sha256-j5x3OyPLy5hpwkYnV9YYltBj+QRBKmkbfNzoXl0gchA=' 'sha256-WR7qzNkY4rs4D8buIweX2fTWpDKTBiTFUwg2dtOWHxo=' 'sha256-OYqGOQCX6Gi3nDyz8GKw3p5VbYdq44yqXgoDgvVJdPU=' 'sha256-RvAvREUHojDuwHylTVWZp9DhleqLs6ml8G7LpjCF+EY=' 'sha256-OzRQ42XE++h1N4x+cOYeQE8s9BxAfc45zdfTkIfO8LM='". Either the 'unsafe-inline' keyword, a hash ('sha256-ZD0chCyBaNHl+4UwQHJIHGoYhKwMeyCXGgJTKW5/67E='), or a nonce ('nonce-...') is required to enable inline execution.
The function to parse XML doesn't work:

```js
var rels = getXml('xl/worksheets/sheet1.xml');
```

on this XML.
I tested free-style XML using jQuery and it gets an error too.
But well-known XML like RSS works fine:

```js
$.parseXML( "<rss version='2.0'><channel><title>RSS Title</title></channel></rss>" );
```