Formly does not work with Content-Security-Policy header script-src 'self' because it contains a Function() constructor. #2157
Comments
This concern expressionProperties: {
- 'templateOptions.disabled': '!model.text',
+ 'templateOptions.disabled': (model) => !model.text,
}, |
Hello again. I traced the root cause of the problem to the implementation of the translation functionality as described in https://formly.dev/examples/advanced/i18n-alternative. The problem lies in templateOptions.label (as you described earlier).
I refactored this to provide a function directly as you suggested. However the problem still persists.
I have tried to handle this in a few different ways but nothing seems to work. Do you have any more suggestions about things I could try? Right now my next option would be to remove the translation extension and just perform my translations in my components directly. |
I figured out where the issue resides. I may try to provide a fix later when time allows (within a week or two).
|
If there is anything I can do to help you with this please let me know. I would rather not refactor out the translation extension if I can avoid it :) |
The solution is to refactor the evalExpressionValueSetter function. |
Hey guys! Is there anything new about this issue? It would be really nice to make it work with CSP :) |
Resolved locally, still need to add some tests. I'll try to finish it at the end of this week, please remind me in case I didn't ⌛ |
Hey @aitboudad, do you need some help with this issue? :) |
Why not :), I've pushed my initial work in https://github.com/aitboudad/ngx-formly/tree/2157, the remaining part is testing. |
@vojtesaak not sure if you've already started on this, if not I'll continue my work this afternoon so let me know! |
This issue has been fixed and released as part of v5.6.0 release. Please let us know, in case you are still encountering a similar issue/problem. |
Hi, I am using JSON-powered forms for my project and it doesn't support CSP, because when I try to use a function in "expressionProperties", it gives a JSON parse error. Sample: Please help me out as the whole project is built on this feature. Thank you. |
@coalman11 the "expressionProperties": {
- "templateOptions.label": function(formState) => { return formState.labels.email }
+ "templateOptions.label": function(model, formState) { return formState.labels.email; }
} |
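Review bot: the `+` line assigns a `function(model, formState) { ... }` expression inside an object whose keys are written as quoted JSON keys (`"expressionProperties"`, `"templateOptions.label"`); a function expression is not valid JSON, so this only works when the config is a JavaScript/TypeScript object literal. If the form definition is stored as JSON, state that the function has to be attached in code after the JSON is parsed.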
Thanks for the reply @aitboudad. The thing is I am not able to use a function directly in JSON. Please find below the screenshot. The JSON schema for the form is saved in a separate JSON file and loaded on an HTTP service call. |
@coalman11 well that part should be done after loading the JSON form, kind of post-process see #1102 (comment) |
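One way to do the post-processing step mentioned above for JSON-loaded forms, as an added example (not ngx-formly's own code and not from the thread): the JSON carries only a name, and the loader swaps it for a function from an allowlist compiled into the bundle, so nothing is evaluated at runtime and `script-src 'self'` stays intact. The `$fn` marker, the `EXPRESSIONS` registry and `bindExpressions` are assumptions of this example.

```javascript
// Allowlist of expression functions, shipped in the application bundle
// (hypothetical names; covered by script-src 'self' like any other app code).
const EXPRESSIONS = Object.freeze({
  emailLabel: (model, formState) => formState.labels.email,
  textMissing: (model) => !model.text,
});

// Replace every {"$fn": "<name>"} under expressionProperties with the
// registered function. Plain strings and unknown names are rejected, so
// nothing is left over that would need Function() or eval.
function bindExpressions(fields, registry = EXPRESSIONS) {
  return fields.map((field) => {
    const bound = { ...field };
    if (field.expressionProperties) {
      bound.expressionProperties = {};
      for (const [prop, ref] of Object.entries(field.expressionProperties)) {
        const name = ref && typeof ref === 'object' ? ref.$fn : undefined;
        // Own-property check: names such as "constructor" must not resolve
        // through the prototype chain.
        const known = typeof name === 'string' &&
          Object.prototype.hasOwnProperty.call(registry, name);
        if (!known) {
          throw new Error(`expressionProperties["${prop}"]: not a registered expression`);
        }
        bound.expressionProperties[prop] = registry[name];
      }
    }
    if (Array.isArray(field.fieldGroup)) {
      bound.fieldGroup = bindExpressions(field.fieldGroup, registry);
    }
    return bound;
  });
}

// Constructed sample: what the HTTP service might return (pure JSON, no code).
const LOADED_JSON = `[
  {"key": "email", "type": "input",
   "expressionProperties": {"templateOptions.label": {"$fn": "emailLabel"}}},
  {"fieldGroup": [
    {"key": "text", "type": "input",
     "expressionProperties": {"templateOptions.disabled": {"$fn": "textMissing"}}}]}
]`;

// The bound config is what would be handed to the form component.
const fields = bindExpressions(JSON.parse(LOADED_JSON));
```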
Description
Formly does not work with Content-Security-Policy header script-src 'self' because it contains a Function() constructor.
Minimal Reproduction
Set the Content-Security-Policy header to script-src 'self' and use a Formly form. You will get the following error.
Add 'unsafe-eval' to the header and it will work.
Your Environment
Additional context
Please offer some advice on how to get Formly to work without removing the eval protection. Thank you.