Remove unsafe-eval CSP for CKEditor

Hadi Nategh 2017-11-02 11:02:16 +01:00
parent a32162fa0b
commit 3465c40b50


@ -505,19 +505,8 @@ class CkEditorConfig
*/
public static function set_csp_script_src_attrs()
{
$attrs = array('unsafe-eval', 'unsafe-inline');
$url = ($_SERVER['HTTPS'] ? 'https://' : 'http://').self::WEBSPELLCHECK_HOST;
// if webspellchecker is enabled in EGroupware config, allow access to it's url
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
{
$attrs[] = $url;
ContentSecurityPolicy::add('style-src', $url);
}
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
// tell framework CK Editor needs eval and inline javascript :(
ContentSecurityPolicy::add('script-src', $attrs);
ContentSecurityPolicy::add('script-src', 'unsafe-inline');
}
/**
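Review bot: `ContentSecurityPolicy::add('script-src', 'unsafe-inline');` still allows inline script wherever set_csp_script_src_attrs() is called, so dropping unsafe-eval narrows the policy but injected inline script or event-handler markup would still not be blocked by CSP. If CKEditor's inline needs can be met with a nonce or hash source, that is the stronger end state; otherwise a comment such as `// CKEditor still needs inline script; replace with nonce/hash sources when possible` would record why it stays. The +/- markers are lost on this page, but the hunk counts (19 lines down to 8) suggest the enabled_spellcheck branch was removed as well. If so, WEBSPELLCHECK_HOST is no longer added to script-src or style-src, so it is worth confirming the spell checker is not silently blocked when that option is enabled.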