Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#8290 closed bug (duplicate)

Datepicker inline "onclick" handler causes CSP violations

Reported by: dmethvin
Owned by:
Priority: minor
Milestone: 1.9.0
Component: ui.datepicker
Version: 1.8.20
Keywords:
Cc:
Blocked by:
Blocking:

Description

Datepicker injects some HTML into the page using $() that has an inline JavaScript onclick handler. In environments that support Content Security Policy or other script injection measures, this causes a security exception. Datepicker throws an exception when initialized in a Windows 8 Metro environment, for example. This appears to be the only UI widget using inline handlers.

https://github.com/jquery/jquery-ui/blob/1.8.20/ui/jquery.ui.datepicker.js#L1447

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-src

https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute

http://msdn.microsoft.com/en-us/library/windows/apps/hh849625.aspx
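
Added example, not part of the ticket and not jQuery UI's code: the pattern the description reports (markup injected with an inline `onclick`) beside a CSP-compatible form that carries the action in `data-*` attributes and runs it from one delegated listener. All function, class and attribute names are hypothetical, and `instId` and `step` are assumed to be trusted internal values.

```javascript
// Added illustration; every name here is hypothetical, not jQuery UI's API.

// Before: markup built as a string with an inline handler. Under a CSP whose
// script-src omits 'unsafe-inline', the browser refuses to run the attribute.
function renderPrevInline(instId, step) {
  return '<a class="picker-prev" onclick="picker.adjust(\'#' + instId +
    '\', -' + step + ');">Prev</a>';
}

// After: the same intent as inert data-* attributes; no script in the markup.
function renderPrevData(instId, step) {
  return '<a class="picker-prev" data-handler="adjust" data-target="#' +
    instId + '" data-step="-' + step + '">Prev</a>';
}

// Allow-list of actions the markup may name.
const actions = {
  adjust(state, el) {
    state.month += Number(el.getAttribute('data-step'));
    return state.month;
  },
};

// Body of one delegated listener, attached from script, e.g.
//   container.addEventListener('click', (e) => dispatch(state, e.target));
function dispatch(state, el) {
  const name = el.getAttribute('data-handler');
  // Own-property check so names like "constructor" never resolve.
  if (!Object.prototype.hasOwnProperty.call(actions, name)) return undefined;
  return actions[name](state, el);
}

// Review-time check: list inline event-handler attributes in generated markup.
function findInlineHandlers(html) {
  const found = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    for (const m of tag.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      found.push(m[1].toLowerCase());
    }
  }
  return found;
}

console.log(findInlineHandlers(renderPrevInline('dp1', 1)));
console.log(findInlineHandlers(renderPrevData('dp1', 1)));
```

`findInlineHandlers` is a heuristic scan over tag text, useful as a unit-test guard on generated markup; the browser's CSP violation report remains the authoritative signal.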

Change History (2)

comment:1 Changed 8 years ago by Scott González

Resolution: duplicate
Status: new → closed

comment:2 Changed 8 years ago by Scott González

Duplicate of #3945.
