I have a big legacy web app that needs to be made CSP (content security policy) compliant. It is full of inline event handlers, eg
onclick="alert(‘hello’)"
I am trying to write some js which will scan the page on load and replace all these inline handlers with dynamically assigned handlers, eg
var oc = $("#btn").attr("onclick");
$("#btn").on("click", function(){oc});
This obviously wont work, I don’t know what each inline event is ahead of time, so it needs to be added as a string. Trouble is there is no way of doing this I can find which is CSP compliant. I tried replace all the real inline handlers with pseudo events, eg onclick becomes zclick , then extracting these plsurdo handlers and creating real dynamic handlers:
var oc = $("#btn").attr("zclick");
var func = Function(oc);
btn.on("click", func);
but CSP caught this as "unsafe eval". I tried discovering how angular does it, as in how it converts ng-click to real onclick events but it seems to extreme low level custom compiling or some such. Does any one have any ideas as to how I may achieve this?
Thanks!
2
Answers
Since you say we can’t use eval() we can instead create a string of JS with all our event listeners and dynamically load it as script…
Notes:
1: Random number generating function not supplied.
2: The whole thing is totally untested code but it does compile.
3: An interesting challenge, thanks for the opportunity to exercise my brain.
Firstly, I agree 100% that this job should be automated so keep persevering in this direction.
However, eval() would be useless (actually catastrophic) because it doesn’t convert strings to code… it only EXECUTES strings as code, so you’d have tons of code suddenly firing away like Chinese firecrackers! 🙂
But anyway, we don’t need eval() for this job… we can always assemble a string of JS (lots of event listeners basically in string format) and load it dynamically as script as the code below does.
In the worst case scenario, if the loading was to fail we can still extract the string of all the event listeners (by saving it in a textarea) to save us from all that typing in the event that it has to be done manually… so keep going it’s a win-win!
Alright, so here’s an updated version that eliminates the need for a random number function and moves the ID creation line further down where it should be…