[buddypress-trac] [BuddyPress Trac] #7663: Allow using Content-Security-Policy without unsafe-inline
buddypress-trac
noreply at wordpress.org
Fri Jan 19 09:33:01 UTC 2018
#7663: Allow using Content-Security-Policy without unsafe-inline
-------------------------+-----------------------------
Reporter: bymiki | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: (not sure) | Version: 2.9.2
Severity: normal | Keywords:
-------------------------+-----------------------------
Currently when using Content-Security-Policy with BuddyPress, you must use
the unsafe-inline directive because there are some blocks of inline
JavaScript in BuddyPress core. This means that the browser cannot protect
the user from attacks using XSS vulnerabilities. This is an unsatisfying
situation because XSS vulnerabilities can be found in a great number of
other WordPress plugins.
I found at least two inline JavaScript blocks:
/* <![CDATA[ */
var BP_Confirm = {"are_you_sure":"\xxxxx"};
/* ]]> */
And
/* <![CDATA[ */
var BP_DTheme = {"accepted":"xxxr"};
/* ]]> */
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7663>
BuddyPress Trac <http://buddypress.org/>