View Issue Details

ID: 0030490
Project: mantisbt
Category: javascript
View Status: public
Last Update: 2023-10-31 16:32
Reporter: atrol
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0030490: list.js library causing CSP violation in manage_proj_edit_page.php
Description

This was reported by @atrol in https://github.com/mantisbt/mantisbt/pull/1821#issuecomment-1147325872:

@dregad while you are on it you might want to fix a CSP violation on this page.
There are buttons in section Manage Accounts for pagination of users.
The buttons work in general, but I am seeing CSP errors in Firefox console when clicking the buttons.

The browser's console reports the following error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Tags: No tags attached.

Relationships

parent of 0030494 (closed, dregad): list.js navigation buttons scrolling to top of page
child of 0030551 (closed, dregad): Project Edit Page improvements

Activities

dregad

2022-06-07 08:53

developer   ~0066698

The problem is caused by the list.js library, which is adding JavaScript code in the page navigation buttons' href attribute.

This is a known issue (https://github.com/javve/list.js/issues/498), which has been fixed in list.js 2.0.0. We should upgrade to the latest version.
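
Added example, not code from MantisBT, list.js or the commenter: under a policy whose script-src does not permit inline script, a `javascript:` URL in an href is treated as inline script, so markup can be audited for such attributes before a browser reports them. The policy string and markup are constructed samples, and the function names are hypothetical.

```javascript
// Added example. Simplified model: ignores script-src-elem/script-src-attr,
// 'unsafe-hashes' and HTML entity decoding; regex matching, not a real HTML parser.

// Source list that governs inline script: script-src, falling back to default-src.
function scriptSources(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !(name in directives)) directives[name] = values; // first one wins
  }
  return directives['script-src'] || directives['default-src'] || null;
}

// 'unsafe-inline' is ignored by browsers once a nonce or hash source is present.
function inlineScriptAllowed(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing restricts scripts
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// List attributes the policy would block: javascript: URLs and on* event handlers.
function findCspInlineViolations(policy, html) {
  if (inlineScriptAllowed(policy)) return [];
  const attr = /\s(href|src|action|formaction|on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    for (const m of tag.matchAll(attr)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      // URL parsing drops leading control/space characters and any tab or newline.
      const url = value.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\n\r]/g, '');
      if (name.startsWith('on')) findings.push({ kind: 'event-handler', attribute: name, value });
      else if (/^javascript:/i.test(url)) findings.push({ kind: 'javascript-url', attribute: name, value });
    }
  }
  return findings;
}

// Constructed sample input (not MantisBT's real header or list.js's real markup).
const SAMPLE_POLICY = "default-src 'self'; script-src 'self'";
const SAMPLE_BEFORE = '<li><a class="page" href="javascript:void(0)">2</a></li>';
const SAMPLE_AFTER = '<li><a class="page" href="#" data-i="2">2</a></li>';

console.log(findCspInlineViolations(SAMPLE_POLICY, SAMPLE_BEFORE));
console.log(findCspInlineViolations(SAMPLE_POLICY, SAMPLE_AFTER));
```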

dregad

2022-06-07 10:18

developer   ~0066702

PR https://github.com/mantisbt/mantisbt/pull/1821

Related Changesets

MantisBT: master 96ab85e3

2022-06-07 09:05

dregad


Update list.js from 1.5.0 to 2.3.1

Fixes CSP violation when using navigation buttons.

Fixes 0030490

Affected Issues: 0030490

mod - core/constant_inc.php
rm - js/list-1.5.0.js
rm - js/list-1.5.0.min.js
add - js/list-2.3.1.js
add - js/list-2.3.1.min.js
mod - library/README.md