Merge pull request #1620 from jezen/master

Move JavaScript form submission to script block
yesodweb · Aug 20, 2019 · 56e8557 · 56e8557
2 parents d8ebb95 + d385ada
commit 56e8557
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md
@@ -1,5 +1,10 @@
 # ChangeLog for yesod-core
 
+## 1.6.15
+
+* Move `redirectToPost` JavaScript form submission from HTML element to
+  `<script>` tag for CSP reasons [#1620](https://github.com/yesodweb/yesod/pull/1620)
+
 ## 1.6.14
 
 * Introduce `JSONResponse`. [issue #1481](https://github.com/yesodweb/yesod/issues/1481) and [PR #1592](https://github.com/yesodweb/yesod/pull/1592)

diff --git a/yesod-core/src/Yesod/Core/Handler.hs b/yesod-core/src/Yesod/Core/Handler.hs
@@ -1069,13 +1069,15 @@ $doctype 5
 <html>
     <head>
         <title>Redirecting...
-    <body onload="document.getElementById('form').submit()">
+    <body>
         <form id="form" method="post" action=#{urlText}>
             $maybe token <- reqToken req
                 <input type=hidden name=#{defaultCsrfParamName} value=#{token}>
             <noscript>
                 <p>Javascript has been disabled; please click on the button below to be redirected.
             <input type="submit" value="Continue">
+        <script>
+          window.onload = function() { document.getElementById('form').submit(); };
 |] >>= sendResponse
 
 -- | Wraps the 'Content' generated by 'hamletToContent' in a 'RepHtml'.

diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.6.14
+version:         1.6.15
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>