Skip to content

Remove unsave inline scripts and styles #1445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 6, 2021
Merged

Remove unsave inline scripts and styles #1445

merged 2 commits into from
Mar 6, 2021
+32 −6

Conversation

xi
Copy link
Contributor

@xi xi commented Feb 2, 2021
edited
Loading

Fixes #1248

As a first step I pushed a test. It works locally but I was not sure whether it would work with CI, so I pushed it. I hope that is OK. For some reason CI does not run so I have no clue whether the test I added actually works.

@xi xi changed the title [WIP] Remove unsave inline scripts and styles Remove unsave inline scripts and styles Feb 2, 2021
tim-schilling
tim-schilling reviewed Feb 2, 2021
View reviewed changes
Copy link
Member

@tim-schilling tim-schilling left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR. My comments vary between discussions and change requests.

  • I'd like to see the scripts moved to the panel classes.
  • I also feel pretty strongly about moving the check to the Makefile.
  • The comment regarding the applyStyle approach is more of a discussion.

.github/workflows/test.yml Outdated
@@ -220,3 +220,6 @@ jobs:

- name: Test with tox
run: tox -e docs,style,readme
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's more appropriate for this check of inline styles or scripts to exist in the Makefile, then including it here with the other static checks run by tox.

Doing so will also make it easier for developers to run this check before pushing to github and having CI catch it.

debug_toolbar/static/debug_toolbar/js/toolbar.profiling.js Outdated
@@ -0,0 +1,3 @@
(function () {
djdt.applyStyle('padding-left');
})();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'd be more in favor of an approach that would find all elements that have a class such as djdt-dynamic-style, then have it apply the styles listed in the data attribute. That way the javascript doesn't need to know anything about the specific styles that the HTML elements are having applied.

@xi
Copy link
Contributor Author

xi commented Feb 2, 2021

Thanks for the quick feedback. I had tried to simply revert 87364f7 which I now realize was a bit naive.

I would like to avoid making applyStyles() more generic. It is just meant to be compatibility code until a better solution is found. New code should ideally not use it IMHO.

@xi xi force-pushed the fix-1248 branch 3 times, most recently from 926f727 to 7bf8686 Compare February 2, 2021 21:33
@codecov
Copy link

codecov bot commented Feb 2, 2021
edited
Loading

Codecov Report

Merging #1445 (9025ab6) into master (0b58338) will decrease coverage by 0.87%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1445      +/-   ##
==========================================
- Coverage   87.68%   86.80%   -0.88%     
==========================================
  Files          29       29              
  Lines        1591     1591              
  Branches      224      224              
==========================================
- Hits         1395     1381      -14     
- Misses        145      153       +8     
- Partials       51       57       +6
Impacted Files Coverage Δ
debug_toolbar/panels/history/panel.py 89.58% <0.00%> (-6.25%) ⬇️
debug_toolbar/panels/templates/views.py 62.79% <0.00%> (-4.66%) ⬇️
debug_toolbar/panels/signals.py 81.81% <0.00%> (-4.55%) ⬇️
debug_toolbar/panels/headers.py 95.45% <0.00%> (-4.55%) ⬇️
debug_toolbar/toolbar.py 88.75% <0.00%> (-2.50%) ⬇️
debug_toolbar/panels/cache.py 82.26% <0.00%> (-2.13%) ⬇️
debug_toolbar/middleware.py 95.00% <0.00%> (-1.67%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0b58338...905e572. Read the comment docs.

@xi @tim-schilling
check for unsave inline script or styles in Makefile

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: DDC5DD810DBA776C
Learn about vigilant mode
763a008
@tim-schilling
Copy link
Member

@xi I squashed your commits and converted the applyStyles function to something I'd prefer to maintain. I understand your concern regarding "It is just meant to be compatibility code until a better solution is found.", but I don't think there's a great solution out there. I find this approach more flexible than having to call applyStyles per dynamic style desired.

@matthiask
Copy link
Member

I'm afraid I don't understand how this works. Does element.style["background-color"] really set the background color of an element? Shouldn't this be element.style["backgroundColor"]? I did a quick local test and it seems to work but I'm surprised that it does.

(applyStyles is ugly, yes, but I don't have a better idea.)

@tim-schilling
Copy link
Member

@matthiask There's a brief mention of using the dashed names here in the docs of CSSStyleDeclaration. However, you're right, it's probably best to avoid using the dashed names.

@tim-schilling
Copy link
Member

I updated the applyStyles function to mention the expected format and switched background-color to backgroundColor.

@xi
Copy link
Contributor Author

xi commented Feb 8, 2021

For completeness' sake:

Setting the dashed attribute attribute must invoke setProperty() with the first argument being dashed attribute, as second argument the given value, and no third argument. Any exceptions thrown must be re-thrown.
https://www.w3.org/TR/2016/WD-cssom-1-20160317/#the-cssstyledeclaration-interface

So apperantly element.style["background-color"] is fine. That spec is a draft though, so no clue how widely this is supported.

@tim-schilling
Apply inline styles via data-djdt-styles attribute.

Unverified

This user has not yet uploaded their public signing key.
GPG key ID: DDC5DD810DBA776C
Learn about vigilant mode
905e572
@tim-schilling
Copy link
Member

I missed padding-left. This should be good to go now.

Base automatically changed from master to main February 11, 2021 15:01
@matthiask matthiask merged commit 5a3ccd9 into django-commons:main Mar 6, 2021
@matthiask
Copy link
Member

Thank you! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tim-schilling tim-schilling

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Regression: Broken inline styles with CSP
3 participants
@xi @tim-schilling @matthiask