Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix 19570 tree chart not compliant strict csp styles #19717

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Fix 19570 tree chart not compliant strict csp styles #19717

wants to merge 11 commits into from

Conversation

Manviel
Copy link

@Manviel Manviel commented Mar 14, 2024
edited

Brief Information

This pull request is in the type of:

  • bug fixing.
  • refactoring.

What does this PR do?

This pull request addresses a specific limitation concerning Content Security Policy (CSP). When CSP is enabled, direct assignments to an element's style property using a string are disallowed. However it is possible to use className instead.

Basically, innerHTML causes the violation because it inserts html that contains inline styles.

Fixed issues

Tree chart with tooltips is not compliant with strict CSP directives for styles

Details

Before: What was the problem?

CSP violation errors are thrown into browser console:

image

After: How does it behave after the fixing?

It no longer uses inline styles.

image

Document Info

One of the following should be checked.

  • This PR doesn't relate to document changes

ZRender Changes

  • No.

Others

Tried to apply a similar solution as in ecomfe/zrender#1030

@Manviel
fix(tree): add CSP header to track violations. apache#19570
2775d0e
@Manviel
fix(tree): refactor setContent to get rid of unsafe inline styles. ap…
bfb0cdd 
…ache#19570
@Manviel
fix(tree): refactor wrapBlockHTML to get rid of unsafe-styles. apache…
32d1024 
…#19570
@Manviel
fix(tree): refactor getTooltipTextStyle to get rid of unsafe-styles. a…
ae825a9 
…pache#19570
@Manviel
fix(tree): refactor wrapInlineValueHTML to get rid of unsafe-styles. a…
ab0d920 
…pache#19570
@Manviel
fix(tree): move inline styles into stylesheet to get rid of unsafe st…
f623efa 
…yles. apache#19570
@Manviel
fix(tree): refactor wrapInlineNameHTML to get rid of unsafe styles. a…
22e0a59 
…pache#19570
@Manviel
fix(tree): tweak eslint to allow document methods. apache#19570
e35ad60
@Manviel
fix(tree): move basic stylesheet to follow convention. apache#19570
d967fa0
@Manviel
fix(tree): refactor getTooltipMarker to get rid of unsafe styles. apa…
81f3375 
…che#19570
@Manviel
fix(tree): refactor assembleArrow to get rid of unsafe styles. apache…
4136550 
…#19570
@echarts-bot ECharts Bot
Copy link

echarts-bot bot commented Mar 14, 2024

Thanks for your contribution!
The community will review it ASAP. In the meanwhile, please checkout the coding standard and Wiki about How to make a pull request.

To reviewers: If this PR is going to be described in the changelog in the future release, please make sure this PR has one of the following labels: PR: doc ready, PR: awaiting doc, PR: doc unchanged

This message is shown because the PR description doesn't contain the document related template.

Manviel
Manviel commented Apr 10, 2024
View reviewed changes
src/component/tooltip/TooltipHTMLContent.ts
`background-color:${backgroundColor};`
];

return `<div style="${styleCss.join('')}"></div>`;
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enabling a strict policy for the style-src directive in CSP offers several security benefits for your web application:

  • XSS attacks aim to inject malicious scripts into your website. By restricting stylesheet sources, you prevent attackers from embedding malicious code within stylesheets and potentially compromising user data or website functionality.
  • A strict policy grants you more control over the styles applied to your website. You determine the legitimate sources for stylesheets, preventing unauthorized styles from altering your website's appearance or behavior.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript. e.g. this, document.body.style.background = 'green'; won't cause an unsafe-inline violation.

mmerezhko-hv
mmerezhko-hv approved these changes Apr 24, 2024
View reviewed changes
src/component/tooltip/TooltipHTMLContent.ts
`background-color:${backgroundColor};`
];

return `<div style="${styleCss.join('')}"></div>`;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript. e.g. this, document.body.style.background = 'green'; won't cause an unsafe-inline violation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmerezhko-hv mmerezhko-hv mmerezhko-hv approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
PR: awaiting review PR: first-time contributor size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@Manviel @mmerezhko-hv