[buddypress-trac] [BuddyPress Trac] #7663: Allow using Content-Security-Policy without unsafe-inline

buddypress-trac noreply at wordpress.org
Fri Jan 19 09:33:01 UTC 2018


#7663: Allow using Content-Security-Policy without unsafe-inline
-------------------------+-----------------------------
 Reporter:  bymiki       |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  (not sure)   |    Version:  2.9.2
 Severity:  normal       |   Keywords:
-------------------------+-----------------------------
 Currently when using Content-Security-Policy with BuddyPress, you must use
 the unsafe-inline directive because there are some blocks of inline
 JavaScript in BuddyPress core. This means that the browser cannot protect
 the user from attacks using XSS vulnerabilities. This is an unsatisfying
 situation because XSS vulnerabilities can be found in a great number of
 other WordPress plugins.

 I found at least two inline JavaScript blocks:


 /* <![CDATA[ */
 var BP_Confirm = {"are_you_sure":"\xxxxx"};
 /* ]]> */


 And


 /* <![CDATA[ */
 var BP_DTheme = {"accepted":"xxxr"};
 /* ]]> */

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7663>
BuddyPress Trac <http://buddypress.org/>
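The ticket's point is that a handful of inline script blocks (the wp_localize_script output quoted above) force site operators to keep 'unsafe-inline' in script-src, which switches off CSP's XSS protection for every script on the page. The added example below, which is not part of the ticket or of BuddyPress, shows the defender's alternative: compute the CSP sha256 hash-source for each inline block so the block can be allow-listed individually, and check a policy to see whether it still lets arbitrary inline scripts run. The two script bodies are constructed stand-ins (the ticket redacts the real string values), and the parsing logic is a simplified model of how browsers evaluate script-src (fallback to default-src; a nonce or hash source makes modern browsers ignore 'unsafe-inline').

```python
import base64
import hashlib

# Constructed stand-ins for the two inline blocks quoted in the ticket.
# The real string values are redacted there, so these bodies are assumptions;
# the exact bytes matter because the browser hashes the <script> text content
# verbatim, whitespace and CDATA comment markers included.
INLINE_BLOCKS = {
    "BP_Confirm": '/* <![CDATA[ */\nvar BP_Confirm = {"are_you_sure":"Are you sure?"};\n/* ]]> */',
    "BP_DTheme": '/* <![CDATA[ */\nvar BP_DTheme = {"accepted":"Accepted"};\n/* ]]> */',
}

# Source expressions that make CSP Level 2+ browsers ignore 'unsafe-inline'
# in the same directive (it is then only a fallback for CSP Level 1 browsers).
STRICT_SOURCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def csp_script_hash(script_text: str) -> str:
    """Return the CSP hash-source ('sha256-<base64>') for an inline script body.

    The hash must cover the script element's text content byte-for-byte;
    any change to a translated string in the localized object changes it.
    """
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_src_allows_unsafe_inline(header: str) -> bool:
    """True if this policy lets any inline script run without a nonce or hash.

    script-src falls back to default-src when absent. If the effective
    directive carries a nonce or hash source, 'unsafe-inline' is ignored
    by CSP Level 2+ browsers, so the policy is treated as strict.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if any(s.startswith(STRICT_SOURCE_PREFIXES) for s in sources):
        return False
    return "'unsafe-inline'" in sources


def build_script_src(inline_blocks: dict) -> str:
    """Build a script-src directive that allow-lists each inline block by hash,
    so 'unsafe-inline' is no longer needed."""
    hashes = " ".join(csp_script_hash(body) for body in inline_blocks.values())
    return f"script-src 'self' {hashes}"


if __name__ == "__main__":
    permissive = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    strict = build_script_src(INLINE_BLOCKS)
    print("permissive policy allows inline XSS payloads:",
          script_src_allows_unsafe_inline(permissive))
    print("hash-based policy allows inline XSS payloads:",
          script_src_allows_unsafe_inline(strict))
    print(strict)
```

The hash approach only works when the inline text is stable: localized strings differ per language and per plugin version, so each variant needs its own hash, which is why a per-request nonce emitted on the script tag is usually the practical fix for generated blocks like these. Either way, once the effective script-src carries a nonce or hash, an injected inline script from an XSS bug in any plugin is blocked by the browser, which is exactly the protection the ticket is asking for.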