toggle visibility changes time field to current time #15

Closed
fritzmg opened this issue Jul 18, 2017 · 1 comment

@fritzmg
Contributor

fritzmg commented Jul 18, 2017

Reproduction

  1. Create a news entry, set the date to an arbitrary value and the time to 01:00 for example (or anything that is not "now").
  2. In the list view of the news archive, hit the toggle visibility button (green or grey eye).
  3. Now go into the settings of the previously generated news entry and note its time setting. It will be set to the current time.

[Screenshot attached: screen-shot-2017-07-18-at-13 08 30]

@fritzmg fritzmg changed the title toggle visibility changes changes time field to current time toggle visibility changes time field to current time Jul 18, 2017
@leofeyer leofeyer self-assigned this Jul 18, 2017
@leofeyer
Member

Fixed in aceaa68 (and others).

leofeyer pushed a commit that referenced this issue Aug 20, 2018
Description
-----------

IMO it’s better to increase the required versions in the `require-dev` config of all splits instead of adding special requirements only for `contao/contao`.

Commits
-------

3970c8ca Fix dependencies
leofeyer added a commit that referenced this issue Jan 22, 2024
Description
-----------

Now that CSP has landed in contao/contao#6631 (❤️ 🥳 ) we can properly prevent inline styles from being applied randomly which adds yet another layer of security to Contao.

My local tests showed that everything is working perfectly fine, except for inline style attributes on our RTE/tinyMCE/WYSIWYG editor fields. Obviously, if you use something like

```html
<p style="text-decoration: underline">Foobar</p>
```

this won't work anymore now, as this is possibly forbidden if you do not allow inline styles in your CSP (which you shouldn't as it weakens the policy).

Here's a quick draft of how we could improve on this. I thought I'd code it real quick as it's easier to understand for everybody if there's code to look at 😊 
The logic is pretty simple: extract the `style` attributes from HTML and if they match an allow-list of pre-defined properties (for security reasons), auto-generate CSP hashes for them.

Commits
-------

af729ce9 Support CSP on WYSIWYG editors like tinyMCE
737f2d2f Combine multiple identical styles to one CSS class
343a656d Switch to hashing implementation
e920800b Remove library
5d49663a Switch to regex implementation
9f7cd5af Finished implementation preparing for @ausi
7bd17a47 Update core-bundle/src/Twig/Extension/ContaoExtension.php
7cd9d160 Adjust the pull request template
3e5cf53c CSP WYSIWYG (#15)
a327b522 Added calls on all templates
5e3f6477 Fixed tests
054c0eb1 Make method nullable
347c77f4 Revert changes
f1a4a314 Fix regex
0e9e2158 Decode HTML entities before parsing the styles
db67dc12 Test TemplateTrait::extractStyleAttributesForCsp()
8cda64e4 Fix font regex
11b55607 Rename extract_styles_for_csp to csp_inline_styles
f991bbdc Rename extractStyleAttributesForCsp to cspInlineStyles
6de2fdd1 Rename inlineStyle to cspInlineStyle

Co-authored-by: ausi <martin@auswoeger.com>
Co-authored-by: leofeyer <1192057+leofeyer@users.noreply.github.com>
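The approach described in the commit above (extract `style` attributes, keep only those whose properties are on an allow-list, hash the rest for `style-src`) can be illustrated stand-alone. The block below is an added example written for this page, not Contao's `TemplateTrait::extractStyleAttributesForCsp()` / `cspInlineStyles` code; the allow-list of properties, the function names and the sample markup are assumptions constructed here. Two details the commit history hints at are made explicit: the value is entity-decoded before hashing, because a browser hashes the attribute value as parsed by the DOM rather than the raw source text, and identical style attributes are collapsed into a single hash. Hash sources only match attributes when the directive also carries `'unsafe-hashes'`, so the directive builder adds it only when at least one hash is emitted.

```python
import base64
import hashlib
import html
import re

# Hypothetical allow-list (assumption): properties that change presentation
# only. The real project's list is not shown on the page.
ALLOWED_PROPERTIES = frozenset({
    "color", "background-color", "font-family", "font-size",
    "font-weight", "text-align", "text-decoration",
})

# Matches style="..." or style='...' attributes (regex-based, like the commit).
_STYLE_ATTR = re.compile(r"""\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.IGNORECASE)
# One declaration: "property: value" (the value is captured unchanged).
_DECLARATION = re.compile(r"^\s*([a-zA-Z-]+)\s*:\s*(\S.*?)\s*$")


def extract_style_attributes(markup: str) -> list[str]:
    """Return every style attribute value in markup, HTML-entity decoded."""
    values = []
    for m in _STYLE_ATTR.finditer(markup):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        # The browser hashes the decoded attribute value, so decode first.
        values.append(html.unescape(raw))
    return values


def is_allowed_style(value: str) -> bool:
    """True when every declaration uses an allow-listed property.

    Splitting on ';' is adequate for the simple editor output this targets;
    a value containing a quoted ';' would be rejected, never accepted by mistake.
    """
    declarations = [d for d in value.split(";") if d.strip()]
    if not declarations:
        return False
    for decl in declarations:
        m = _DECLARATION.match(decl)
        if not m or m.group(1).lower() not in ALLOWED_PROPERTIES:
            return False
        # Extra conservative check (assumption): never hash a value that
        # would fetch a resource, even on an allowed property.
        if "url(" in m.group(2).lower():
            return False
    return True


def csp_hash(value: str) -> str:
    """CSP hash source for an inline style attribute value."""
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def csp_inline_styles(markup: str) -> list[str]:
    """Hash sources for all allow-listed style attributes, de-duplicated in order."""
    hashes: list[str] = []
    for value in extract_style_attributes(markup):
        if is_allowed_style(value):
            h = csp_hash(value)
            if h not in hashes:  # identical styles share one hash
                hashes.append(h)
    return hashes


def style_src_directive(markup: str) -> str:
    """Build a style-src directive; 'unsafe-hashes' is only added when needed."""
    hashes = csp_inline_styles(markup)
    parts = ["style-src", "'self'"]
    if hashes:
        parts.append("'unsafe-hashes'")
        parts.extend(hashes)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: one editor paragraph with an allowed style, one not.
    sample = ('<p style="text-decoration: underline">Foobar</p>'
              '<div style="display: none">hidden</div>')
    print(style_src_directive(sample))
```

The directive produced for a page still has to be emitted in the HTTP `Content-Security-Policy` header (or the equivalent meta tag) for the hashes to matter; a hash that is computed but never sent changes nothing. Note also that any whitespace difference between the attribute value in the served HTML and the hashed string produces a different digest, which is why the value is hashed exactly as extracted rather than normalized.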