Skip to content

fix(framework): improve themeRoot validation#13403

Merged
nnaydenow merged 3 commits intorelease-1.24from
theme-root-124
Apr 16, 2026
Merged

fix(framework): improve themeRoot validation#13403
nnaydenow merged 3 commits intorelease-1.24from
theme-root-124

Conversation

@nnaydenow
Copy link
Copy Markdown
Contributor

@nnaydenow nnaydenow commented Apr 16, 2026

Fix themeRoot validation to require explicit origin allowlist via meta tag and separate configuration storage from validated URL usage.

Problem:

  • themeRoot URLs were not properly validated for security
  • getThemeRoot() mixed raw configuration with validated URLs
  • Missing validation for relative paths and URL formats

Solution:

  1. Require meta tag for all themeRoot usage:

    • Comma-separated list of allowed origins
    • Wildcard "*" to allow any origin
    • Legacy "sap-allowedThemeOrigins" (camelCase) supported
    • Same-origin URLs allowed when meta tag present

  2. Separate configuration from validation:

    • getThemeRoot() returns raw configured value (unchanged)
    • validateThemeRoot() performs security checks and normalization
    • DOM link creation uses validated URL: {validatedRoot}/UI5/Base/baseLib/{theme}/css_variables.css

  3. Enhanced validation:

    • Absolute URLs: check origin against allowlist
    • Relative paths (./path, ../path): resolve to current origin
    • Absolute paths (/path): resolve to current origin
    • Add trailing slash if missing
    • Append /UI5/ to create proper theme asset path
    • Return undefined for invalid/unauthorized URLs

  4. Proper error handling:

    • Log warning when validation fails
    • No DOM link created for invalid themeRoot
    • Graceful fallback to default theme behavior

@nnaydenow
fix(framework): improve themeRoot validation (#13354)
d8e84cf 
Fix themeRoot validation to require explicit origin allowlist via meta tag
and separate configuration storage from validated URL usage.

Problem:
- themeRoot URLs were not properly validated for security
- getThemeRoot() mixed raw configuration with validated URLs
- Missing validation for relative paths and URL formats

Solution:
1. Require meta tag for all themeRoot usage:
    <meta name="sap-allowed-theme-origins" content="https://cdn.example.com">

    - Comma-separated list of allowed origins
    - Wildcard "*" to allow any origin
    - Legacy "sap-allowedThemeOrigins" (camelCase) supported
    - Same-origin URLs allowed when meta tag present

2. Separate configuration from validation:
    - getThemeRoot() returns raw configured value (unchanged)
    - validateThemeRoot() performs security checks and normalization
    - DOM link creation uses validated URL: {validatedRoot}/UI5/Base/baseLib/{theme}/css_variables.css

3. Enhanced validation:
    - Absolute URLs: check origin against allowlist
    - Relative paths (./path, ../path): resolve to current origin
    - Absolute paths (/path): resolve to current origin
    - Add trailing slash if missing
    - Append /UI5/ to create proper theme asset path
    - Return undefined for invalid/unauthorized URLs

4. Proper error handling:
    - Log warning when validation fails
    - No DOM link created for invalid themeRoot
    - Graceful fallback to default theme behavior
@nnaydenow nnaydenow changed the title fix(framework): improve themeRoot validation (#13354) fix(framework): improve themeRoot validation Apr 16, 2026
@nnaydenow nnaydenow merged commit bbdf3ca into release-1.24 Apr 16, 2026
9 checks passed
@nnaydenow nnaydenow deleted the theme-root-124 branch April 16, 2026 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ilhan007 ilhan007 ilhan007 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nnaydenow @ilhan007