CSP breaks the form fields #6722

Closed
aschempp opened this issue Jan 16, 2024 · 1 comment · Fixed by #6723

@aschempp
Member

Affected version(s)

5.3

Description

The new CSP features seem to break form fields in the front end.

Attempted to call an undefined method named "attr" of class "Contao\FormCaptcha".

https://github.com/contao/contao/blob/5.x/core-bundle/contao/templates/forms/form_captcha.html5#L25

This is probably because widget templates do not extend from Template but from Widget.

@fritzmg
Contributor

fritzmg commented Jan 16, 2024

Closing in favour of #6723

@fritzmg fritzmg closed this as completed Jan 16, 2024
leofeyer pushed a commit that referenced this issue Jan 17, 2024
Description
-----------

This PR fixes the following things:

* Added the missing template methods to `Contao\Widget` (fixes #6722) by introducing a new `TemplateTrait` that contains all public member methods that are independent from the `Template` abstract class.
* Fixing that also revealed another issue: two of our (front end) templates use hard coded `style` attributes by default, which will cause a CSP violation. This is fixed by adding hashes for these inline styles. 

_Note:_ for CSP Level 3 capable browsers this also requires the `unsafe-hashes` source to be present in the directive, otherwise CSP hashes do not work for inline style _attributes_.

_Note:_ many of our PHP front end templates also still have

```php
<?php if ($this->style): ?> style="<?= $this->style ?>"<?php endif; ?>
```

in them, but I deliberately disregarded those, as these are mostly there only for BC.

Commits
-------

9271c80 introduce TemplateTrait
157bea7 also add hash function to Twig runtime
6520ce7 Apply suggestions from code review
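
The note above on hashing inline `style` attributes, as an added example that is not part of the issue, the commit, or Contao's code: it collects each `style` attribute value from an HTML fragment and builds a `style-src` directive that carries `'unsafe-hashes'` plus one hash per value. The function names and the sample markup are assumptions made for illustration, and the code needs PHP's DOM extension.

```php
<?php
declare(strict_types=1);

// CSP hash source for one inline value: '<algo>-<base64 of the raw digest>'.
function cspHashSource(string $value, string $algo = 'sha256'): string
{
    if (!in_array($algo, ['sha256', 'sha384', 'sha512'], true)) {
        throw new InvalidArgumentException("CSP does not define $algo hashes");
    }
    return sprintf("'%s-%s'", $algo, base64_encode(hash($algo, $value, true)));
}

// Values of all style="" attributes in an HTML fragment, as the parser sees them.
function inlineStyleValues(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $values = [];
    foreach ((new DOMXPath($doc))->query('//@style') as $attr) {
        $values[] = $attr->value;
    }
    return array_values(array_unique($values));
}

// style-src directive that allows exactly these attribute values.
function styleSrcForAttributes(array $baseSources, array $styleValues): string
{
    $sources = $baseSources;
    if ($styleValues !== []) {
        // Without 'unsafe-hashes', hash sources only match <style> elements,
        // not style="" attributes.
        $sources[] = "'unsafe-hashes'";
        foreach ($styleValues as $value) {
            $sources[] = cspHashSource($value);
        }
    }
    return 'style-src ' . implode(' ', array_unique($sources));
}

// Constructed sample markup (not taken from the Contao templates).
$html = '<div style="display:none"><input name="hp"></div>'
      . '<p style="display: none">x</p>';

$values = inlineStyleValues($html);
echo styleSrcForAttributes(["'self'"], $values), PHP_EOL;
// The two values differ by a single space, so each needs its own hash.
var_dump(cspHashSource($values[0]) !== cspHashSource($values[1]));
```

Because the hash covers the exact attribute value, any template change to a hashed `style` attribute, including whitespace, requires regenerating the hash in the policy.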
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2024