Help would be greatly appreciated; first-time contributor, not 100% sure what
I'm doing.

Got stuck with the test suite over the week but back on track now.

There is a github repo here with my work [1]. The tests seem to be passing, but
I haven't created any new ones.
What is the best approach: a simple regression test against the views I've
changed, or would it be possible to have a test that checked any potential view
in the admin and made sure there was no inline javascript, i.e. no script
without a src tag unless it had a different type? The logic I can do; the "all
admin views" part is the bit I'm not sure about.

I also haven't done the escaping the way you suggested, just because the
suggestion came in after I'd done the work, but it's an easy enough change.
I also haven't removed all anchor links with javascript event.preventDefault
calls, which Florian and I agreed would be nicer.
Haven't done inline styles either; there are much fewer of them, so it should
be an easier task.
So there's work to do, but I would appreciate a review from someone who knows
what they are doing.
James

[1] 
https://github.com/blighj/django/commit/ffc40d0cd904840ea77a34f640df2a3512a349db
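The check James describes above (flag any script element that has no src unless its type makes it non-JavaScript) is the kind of thing a strict Content-Security-Policy without 'unsafe-inline' enforces, so it is worth having a test that scans rendered pages for it. The following is an added example, not code from the linked commit or from Django: a small HTMLParser-based scanner over constructed sample pages. It reports inline script bodies, inline event-handler attributes, style elements and style= attributes, which are the same constructs CSP blocks, and treats scripts with a non-JS type (templates, JSON blobs) as harmless. The page strings, the JS_SCRIPT_TYPES set and the function names are my assumptions.

```python
from html.parser import HTMLParser

# "type" values a browser executes as JavaScript. A <script> with any other
# type (text/template, application/json, ...) is inert data, so an inline one
# is not blocked by CSP and is not reported. (Assumed list for this example.)
JS_SCRIPT_TYPES = {
    "", "module", "text/javascript", "application/javascript",
    "text/ecmascript", "application/ecmascript",
}


class InlineCodeFinder(HTMLParser):
    """Collects everything a CSP without 'unsafe-inline' would refuse to run:
    inline <script> bodies, <style> elements, style= attributes and on*
    event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (line, column, description)
        self._script_pos = None     # position of the open <script> tag
        self._pending_inline_js = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        pos = self.getpos()
        if tag == "script":
            script_type = (attrs.get("type") or "").strip().lower()
            self._script_pos = pos
            # reported only once the body turns out to be non-empty (handle_data)
            self._pending_inline_js = (script_type in JS_SCRIPT_TYPES
                                       and "src" not in attrs)
        elif tag == "style":
            self.findings.append((*pos, "<style> element (inline CSS)"))
        for name in attrs:
            if name.startswith("on"):   # onclick=, onload=, ... are inline script too
                self.findings.append((*pos, f"inline event handler {name}="))
            elif name == "style":
                self.findings.append((*pos, "style= attribute (inline CSS)"))

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data; a whitespace-only
        # body is harmless, anything else is an inline script.
        if self._pending_inline_js and data.strip():
            self.findings.append((*self._script_pos, "inline <script> without src"))
            self._pending_inline_js = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._pending_inline_js = False


def find_inline_code(html_text):
    """Return a list of (line, column, description) for every CSP-hostile
    construct in a rendered page; an empty list means the page is clean."""
    parser = InlineCodeFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample pages standing in for rendered admin views.
DIRTY_PAGE = """<html><head>
<script src="/static/admin/js/core.js"></script>
<script>var adminUrl = "/admin/";</script>
<script type="text/template"><div>{{ row }}</div></script>
</head><body>
<a href="#" onclick="return confirm('Delete?')">Delete</a>
<div style="display:none">hidden</div>
</body></html>"""

CLEAN_PAGE = """<html><head>
<link rel="stylesheet" href="/static/admin/css/base.css">
<script src="/static/admin/js/core.js"></script>
<script type="application/json" id="admin-config">{"adminUrl": "/admin/"}</script>
</head><body>
<a href="#" class="deletelink">Delete</a>
</body></html>"""

if __name__ == "__main__":
    for line, col, what in find_inline_code(DIRTY_PAGE):
        print(f"line {line}, col {col}: {what}")
    print("clean page findings:", find_inline_code(CLEAN_PAGE))
```

To cover "all admin views" rather than a hand-picked few, one approach (an assumption, not something the thread settles) is a Django TestCase that walks the patterns returned by admin.site.get_urls(), requests each one with the test client as a superuser, and asserts find_inline_code(response.content.decode()) is empty; change and delete views need a real object per registered model, so those URLs have to be reversed with a freshly created instance's pk.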

> On 26 Sep 2015, at 03:41, Gavin Wahl <[email protected]> wrote:
> 
> I'm very interested in getting this into 1.10. I can devote some time to it 
> to help.
> 
> When I looked at it before, based on the time I had available, it didn't seem 
> feasible for me to remove every single inline script. Especially with form 
> widgets that include templated javascript. Instead I was looking at the two 
> ways to whitelist scripts with CSP, namely script-nonce and script hash 
> sources. The disadvantage with either of these approaches is that they need 
> to be integrated with the middleware adding the CSP header, to communicate 
> the current page nonce or the list of hashes. script-nonces also totally 
> destroy caching, because each response has to have a unique nonce that's 
> referenced by each inline script. 
> 
> Ideally django admin would just be compatible with whatever CSP header the 
> user wants, without any specific integration, so removing all inline scripts 
> and styles is certainly preferable if you have the time.
> 
> >  Oh, btw please do not handwrite JSON in templates, 
> 
> Absolutely, the view should build a data structure representing the data to 
> be encoded as JSON rather than templating it.
> 
> >  which then only needs to go through the autoescape filter I think
> 
> This is actually incorrect. <script> tags in HTML5 are Raw Text elements, so 
> Django's autoescaping doesn't work because HTML entities are not decoded 
> inside Raw Text elements [1]. I use the json filter from django-argonauts[2] 
> in all my projects to do json encoding.
> 
> 
> [1]: http://www.w3.org/TR/html5/syntax.html#raw-text-elements
> [2]: https://github.com/fusionbox/django-argonauts#filter
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/087a439b-0933-43a3-a4ae-e55182d33ca2%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
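Gavin's point above, that autoescaping cannot protect data inside a script element because the browser never decodes entities in Raw Text, is easy to see on a concrete value. The following is an added example, not code from Django or from django-argonauts: it takes a constructed user-supplied string, shows that plain json.dumps output would end the script element early, that html-escaping it avoids the breakout but leaves JavaScript with text that is no longer valid JSON, and that writing the HTML-significant characters as JSON \u escapes keeps both the element and the data intact. The function names and the USER_INPUT value are my assumptions; the escaping technique is the one Django later shipped as its json_script template tag.

```python
import html
import json
import re

# HTML5 ends a <script> Raw Text element at the first "</script" followed by
# whitespace, "/" or ">", no matter what JavaScript quoting surrounds it.
_SCRIPT_END = re.compile(r"</script[\s/>]", re.IGNORECASE)


def script_element_ends_early(script_body):
    """True when embedding `script_body` verbatim in <script> would close the
    element before the browser reaches the real </script>."""
    return _SCRIPT_END.search(script_body) is not None


def parses_as_json(text):
    """True when a browser's JSON.parse (or a JS object literal) would accept it."""
    try:
        json.loads(text)
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError
        return False


def json_for_script(value):
    """Serialise `value` for direct embedding inside a <script> element.
    Browsers do not decode HTML entities in raw text, so html escaping is the
    wrong tool; instead the characters that matter to the HTML parser are
    written as JSON \\uXXXX escapes, which JSON.parse and JS string literals
    decode back to the original characters."""
    text = json.dumps(value)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


# Constructed value that a user could have typed into an admin text field.
USER_INPUT = "</script><p>html, not data</p>"
payload = {"name": USER_INPUT}

naive = json.dumps(payload)          # what a {{ data|safe }} style template emits
autoescaped = html.escape(naive)     # what the default autoescape filter emits
safe = json_for_script(payload)

if __name__ == "__main__":
    print("json.dumps   breaks out of <script>:", script_element_ends_early(naive))
    print("autoescaped  still valid JSON for JS:", parses_as_json(autoescaped))
    print("json_for_script output:", safe)
    print("round-trips:", json.loads(safe) == payload)
```

The autoescaped variant is the worst of both: the browser keeps the &quot; and &lt; sequences literally, so the script throws a syntax error and the data never reaches the page, which is why building the structure in the view and running it through a script-aware JSON filter is the right fix.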
