setting CSP attributes needed by CKeditor now automatic when egw_ckeditor_config::get_ckeditor_config(_array) get called

Ralf Becker 2013-10-14 10:42:36 +00:00
parent 69a809cb3f
commit 38504680b7
4 changed files with 37 additions and 11 deletions


@ -32,9 +32,6 @@ class etemplate_widget_htmlarea extends etemplate_widget
{
$form_name = self::form_name($cname, $this->id);
// tell framework CK Editor needs eval and inline javascript :(
egw_framework::csp_script_src_attrs(array('unsafe-eval', 'unsafe-inline'));
$config = egw_ckeditor_config::get_ckeditor_config_array($this->attrs['mode'], $this->attrs['height'],
$this->attrs['expand_toolbar'],$this->attrs['base_href']
);


@ -1,6 +1,6 @@
<?php
/**
* eGroupWare - Class which generates JSON encoded configuration for the ckeditor
* EGroupware - Class which generates JSON encoded configuration for the ckeditor
*
* @link http://www.egroupware.org
* @author RalfBecker-AT-outdoor-training.de
@ -11,6 +11,9 @@
* @version $Id$
*/
/**
* CK-Editor configuration
*/
class egw_ckeditor_config
{
private static $lang = null;
@ -350,6 +353,9 @@ class egw_ckeditor_config
*/
public static function get_ckeditor_config_array($mode = '', $height = 400, $expanded_toolbar = true, $start_path = '')
{
// set for CK-Editor necessary CSP script-src attributes
self::set_csp_script_src_attrs();
// If not explicitly set, use preference for toolbar mode
if(!$mode || trim($mode) == '') $mode = $GLOBALS['egw_info']['user']['preferences']['common']['rte_features'];
$config = array();
@ -374,4 +380,23 @@ class egw_ckeditor_config
{
return json_encode(self::get_ckeditor_config_array($mode, $height, $expanded_toolbar, $start_path));
}
/**
* Set for CK-Editor necessary CSP script-src attributes
*
* Get's called automatic from get_ckeditor_config(_array)
*/
public static function set_csp_script_src_attrs()
{
$attrs = array('unsafe-eval', 'unsafe-inline');
// if webspellchecker is enabled in EGroupware config, allow access to it's url
if (in_array($GLOBALS['egw_info']['server']['enabled_spellcheck'], array('True', 'YesUseWebSpellCheck')))
{
$attrs[] = 'http://svc.webspellchecker.net';
}
//error_log(__METHOD__."() egw_info[server][enabled_spellcheck]='{$GLOBALS['egw_info']['server']['enabled_spellcheck']}' --> attrs=".array2string($attrs));
// tell framework CK Editor needs eval and inline javascript :(
egw_framework::csp_script_src_attrs($attrs);
}
}
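Review bot: The spellchecker origin added in set_csp_script_src_attrs() is `'http://svc.webspellchecker.net'`, so script-src permits script fetched over cleartext HTTP, which can be altered on the network path, and on an HTTPS-served page browsers will generally refuse it as mixed content anyway. If the service is reachable over TLS (not confirmable from this diff), prefer `$attrs[] = 'https://svc.webspellchecker.net';`. The `in_array()` test on `enabled_spellcheck` is a loose comparison; passing `true` as the third argument keeps a non-string config value (for example integer 0 on PHP versions before 8) from matching 'True' through type juggling. The docblock should also say that get_ckeditor_config_array() now widens the response-wide policy to 'unsafe-inline' as a side effect, and presumably has to run before the Content-Security-Policy header is emitted.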


@ -84,11 +84,13 @@ abstract class egw_framework
}
/**
* Additional attributes for CSP script-src 'self'
* Additional attributes or urls for CSP script-src 'self'
*
* 'unsafe-eval' is currently allways added, as it is used in a couple of places.
*
* @var array
*/
private static $csp_script_src_attrs = array('unsafe-eval');
private static $csp_script_src_attrs = array("'unsafe-eval'");
/**
* Set/get Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
@ -106,13 +108,18 @@ abstract class egw_framework
{
foreach((array)$set as $attr)
{
if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
{
$attr = "'$attr'"; // automatic add quotes
}
if (!in_array($attr, self::$csp_script_src_attrs))
{
self::$csp_script_src_attrs[] = $attr;
//error_log(__METHOD__."() swiching CSP OFF for script-src '$attr' ".function_backtrace());
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
return self::$csp_script_src_attrs ? "'".implode("' '", self::$csp_script_src_attrs)."'" : '';
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_script_src_attrs);
}
/**
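Review bot: In csp_script_src_attrs() any value that is not one of the four listed keywords is now appended to the script-src list verbatim, so a value containing whitespace, `;` or `,` would add extra sources or whole directives to the header that the returned string presumably ends up in. The callers visible in this commit pass only constants, but a guard ahead of the duplicate check keeps that property for future callers, e.g. `if (preg_match('/[\s;,]/', $attr)) continue;`. The docblock should state that keywords are quoted automatically, that host sources are passed unquoted, and that the return value is no longer wrapped in quotes. The function's signature lies outside the hunk, so this is based on the loop body and return statement only.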


@ -531,9 +531,6 @@ class html
return self::textarea($_name,$_content,'style="width: '.$_width.'; height: '.$_height.';" id="'.htmlspecialchars($_name).'"');
}
// tell framework CK Editor needs eval and inline javascript :(
egw_framework::csp_script_src_attrs(array('unsafe-eval', 'unsafe-inline'));
//include the ckeditor js file
egw_framework::validate_file('ckeditor','ckeditor','phpgwapi');