### Symfony version(s) affected

latest

### Description

`Symfony\Component\VarDumper\Dumper\HtmlDumper` returns inline `<script>` tags in both `getDumpHeader()` and `dumpLine()` functions. On a site with a content security policy, this leads to CSP errors.

### How to reproduce

```php
<?php
require __DIR__.'/vendor/autoload.php'; // Composer autoloader

use Symfony\Component\VarDumper\Dumper\HtmlDumper;

/**
 * We have to extend the base HtmlDumper class in order to get access to the protected-only
 * getDumpHeader function.
 */
class DebugBarHtmlDumper extends HtmlDumper
{
    public function getDumpHeaderByDebugBar()
    {
        // getDumpHeader is protected:
        return $this->getDumpHeader();
    }
}

$dumper = new DebugBarHtmlDumper();
echo $dumper->getDumpHeaderByDebugBar();
```

results in

```html
<script> Sfdump = window.Sfdump || (function (doc) { doc.documentElement.classList.add('sf-js-enabled'); var rxEsc = /([.*+?^${}()|\[\]\/\\])/g, idRx = /\bsf-dump-\d+-ref[012]\w+\b/, keyHint = 0 <= navigator.platform.toUpperCase().indexOf('MAC') ? 'Cmd' : 'Ctrl', addEventListener.....
```

### Possible Solution

To fix this, I can see two options (IMO, it makes sense to implement both):

- provide the `getDumpHeader()` `<script>` and `<style>` elements as `.js` and `.css` files, so they can be included without triggering CSP errors (using elements). For the individual `dumpLine()` elements, the `<script>` element is not really necessary, the `Sfdump` call can also be achieved by using the main javascript.
- allow to provide a nonce for the script/style elements

### Additional Context

No response

Yannik, thanks for reporting this issue. A few months ago, we received a report about the same error in #49068. So, we're closing this issue as a duplicate of the earlier issue. Thanks!
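As an added example (not Symfony's code and not the fix the maintainers chose), the nonce option from the proposed solutions can be approximated in user land: a subclass rewrites the inline tags the dumper emits and the same nonce goes into the response's CSP header. It assumes the Composer autoloader path, the public `HtmlDumper::setDumpBoundaries()` method and the header shape shown in the reproduction above; `NonceHtmlDumper` is a hypothetical name.

```php
<?php
// Added example, not part of Symfony: opt-in CSP nonces for HtmlDumper output.
// Assumptions: Composer autoloader at vendor/, public setDumpBoundaries(),
// and a header that starts with "<script>" and contains "<style>" (as shown above).
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\VarDumper\Cloner\VarCloner;
use Symfony\Component\VarDumper\Dumper\HtmlDumper;

final class NonceHtmlDumper extends HtmlDumper
{
    private string $nonceAttr;

    public function __construct(string $nonce, $output = null)
    {
        parent::__construct($output);
        // Escape for use inside a double-quoted HTML attribute.
        $this->nonceAttr = 'nonce="'.htmlspecialchars($nonce, ENT_QUOTES).'"';
        // dumpLine() appends the per-dump "<script>Sfdump(...)</script>" suffix via
        // sprintf, so %s must stay; a base64 nonce contains no "%" and is safe here.
        $this->setDumpBoundaries(
            '<pre class=sf-dump id=%s data-indent-pad="%s">',
            '</pre><script '.$this->nonceAttr.'>Sfdump(%s)</script>'
        );
    }

    protected function getDumpHeader(): string
    {
        // The header is emitted once per output stream as "<script>…</script><style>…</style>"
        // with bare opening tags, so the nonce can be spliced into them.
        return str_replace(
            ['<script>', '<style>'],
            ['<script '.$this->nonceAttr.'>', '<style '.$this->nonceAttr.'>'],
            parent::getDumpHeader()
        );
    }
}

// One fresh, unpredictable nonce per response: it appears in the CSP header and on
// every inline tag the dumper writes, and nowhere else. The rest of the policy is
// site-specific; only the two nonce sources matter for the dumper.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce'; style-src 'self' 'nonce-$nonce'");

$dumper = new NonceHtmlDumper($nonce);
$dumper->dump((new VarCloner())->cloneVar(['csp' => 'nonced dump']));
```

Every `<script>` and `<style>` the dumper writes now carries the response's nonce, so a strict policy without `'unsafe-inline'` accepts them; this is a per-application workaround, not a replacement for external `.js`/`.css` assets.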