#8290 closed bug (duplicate)
Datepicker inline "onclick" handler causes CSP violations
| Reported by: | dmethvin | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 1.9.0 |
| Component: | ui.datepicker | Version: | 1.8.20 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Datepicker injects some HTML into the page using $() that has an inline JavaScript onclick handler. In environments that support Content Security Policy or other script injection measures, this causes a security exception. Datepicker throws an exception when initialized in a Windows 8 Metro environment, for example. This appears to be the only UI widget using inline handlers.
https://github.com/jquery/jquery-ui/blob/1.8.20/ui/jquery.ui.datepicker.js#L1447
https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-src
https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute
http://msdn.microsoft.com/en-us/library/windows/apps/hh849625.aspx
Change History (2)
comment:1 Changed 11 years ago by
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
comment:2 Changed 11 years ago by
Note: See
TracTickets for help on using
tickets.
Duplicate of #3945.