@@ -11,7 +11,7 @@
>
> Each finding is referenced as **F<N>** for later citation.
>
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (20 fixed, 22 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (21 fixed, 21 open).
---
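
Review bot: the sev-1 rollup moves from 20 fixed / 22 open to 21 fixed / 21 open with the total held at 42, which matches the one sev-1 finding that the hunk at `@@ -1750` flips to Fixed (status `Fixed by the F24 fix (193f646)`); the sev-2 and sev-3 lines are untouched, so the arithmetic is consistent. Because this rollup appears to be hand-maintained and sits some 1,700 lines away from the finding it summarises, it would help to say in the commit message which finding the count change belongs to (and cite `193f646`), so the two hunks can be cross-checked without reading the whole file.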
@@ -1750,6 +1750,25 @@
it executes. Combined with F24 (CSP `'unsafe-inline'`), live XSS.
Use `e('js')` for content interpolated into a JS-attribute.
- **Severity: 1**
+- **Status:** Fixed by the F24 fix (`193f646`). When the CSP dropped
+ `'unsafe-inline'` and `'unsafe-eval'`, all inline-eval Alpine
+ patterns had to be rewritten — the categories edit template now
+ reads:
+ ```html
+ <div x-data="decayPreview"
+ data-decay-fn="{{ category.decay_function }}"
+ data-decay-param="{{ category.decay_param }}">
+ ```
+ `x-data="decayPreview"` is the component name only (no inline JS
+ interpolation), and the value flows via Twig's default `e('html')`-
+ escaped HTML data attribute. The Alpine component reads it via
+ `this.$el.dataset.decayFn` — a string DOM read, never `eval`.
+ `app.js` further whitelists the value to the known enum:
+ `ds.decayFn === 'linear' ? 'linear' : 'exponential'` — so even if
+ a value somehow drifted, only the two known states map. No
+ Alpine-side regression test (no JS-interpreted Twig escaping path
+ remains in the template), but the rewritten pattern is one of the
+ CSP-build cases the F24 work covered.
### F54 — CSRF middleware lacks `Origin` / `Referer` defence in depth
- **File:** `ui/src/Http/CsrfMiddleware.php:30, 40-48, 62-74`
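
Review bot: the new `**Status:**` paragraph explains how `data-decay-fn` is read (`this.$el.dataset.decayFn`) and whitelisted, but says nothing about `data-decay-param`, the other template-interpolated value in the same `x-data` snippet; state how `decayPreview` consumes `this.$el.dataset.decayParam` (a numeric parse is harmless, anything that ends up in `innerHTML` or `x-html` is not), otherwise the closure of a severity-1 XSS rests on an account of only one of the two attributes. Two smaller points: the fallback `ds.decayFn === 'linear' ? 'linear' : 'exponential'` silently maps any unexpected value to `'exponential'`, so a `console.warn` or an explicit error state would make a drifted value visible rather than hide it; and since the text concedes there is no Alpine-side regression test, a cheap template-level guard is a CI grep over `ui/` for `{{` inside `x-data`, `x-init` or `@`-handler attributes, which catches the inline-eval pattern the CSP change removed if someone reintroduces it.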