
#8290 closed bug (duplicate)

Opened May 02, 2012 07:51PM UTC

Closed May 02, 2012 08:01PM UTC

Last modified May 02, 2012 08:01PM UTC

Datepicker inline "onclick" handler causes CSP violations

Reported by: dmethvin
Owned by:
Priority: minor
Milestone: 1.9.0
Component: ui.datepicker
Version: 1.8.20
Keywords:
Cc:
Blocked by:
Blocking:

Description

Datepicker injects some HTML into the page using $() that has an inline JavaScript onclick handler. In environments that support Content Security Policy or other script injection measures, this causes a security exception. Datepicker throws an exception when initialized in a Windows 8 Metro environment, for example. This appears to be the only UI widget using inline handlers.

https://github.com/jquery/jquery-ui/blob/1.8.20/ui/jquery.ui.datepicker.js#L1447

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-src

https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute

http://msdn.microsoft.com/en-us/library/windows/apps/hh849625.aspx

Attachments (0)
Change History (2)

Changed May 02, 2012 08:01PM UTC by scottgonzalez comment:1

resolution: → duplicate
status: new → closed

Changed May 02, 2012 08:01PM UTC by scottgonzalez comment:2

Duplicate of #3945.
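
An added example, not part of the ticket or of jQuery UI's code: a small audit that flags inline `on*` handler attributes in widget-generated markup and reports whether a given policy would refuse to run them. The sample markup, the `picker.selectDay` name and both function names are constructed for illustration, and the policy check is a simplified model of `script-src` with its `default-src` fallback.

```javascript
// Constructed sample markup (not jQuery UI's actual output): the first cell is
// wired with an inline handler, the second carries data attributes only, for a
// listener attached from script.
const SAMPLE_MARKUP =
  '<td class="day" onclick="picker.selectDay(5, 2012, 2);return false;"><a href="#">2</a></td>' +
  '<td class="day" data-month="5" data-year="2012"><a href="#">3</a></td>';

// Heuristic scan of start tags; returns one finding per on* attribute.
function findInlineHandlers(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      if (/^on[a-z]+$/i.test(attr[1])) {
        findings.push({
          tag: tag[1].toLowerCase(),
          attr: attr[1].toLowerCase(),
          code: attr[2] ?? attr[3] ?? attr[4] ?? '',
        });
      }
    }
  }
  return findings;
}

// Simplified model: true when the governing directive would refuse inline
// handlers. Hash matching through 'unsafe-hashes' is not modelled.
function policyBlocksInlineHandlers(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first wins
  }
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) return false; // no directive governs script
  const has = (re) => sources.some((v) => re.test(v));
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  if (has(/^'(nonce|sha(256|384|512))-/i)) return true;
  return !has(/^'unsafe-inline'$/i);
}

if (policyBlocksInlineHandlers("default-src 'self'")) {
  console.log(findInlineHandlers(SAMPLE_MARKUP)); // handlers this policy would refuse
}
```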