Remove unsafe script tag replace (#1716)

mvorisek · web-flow · commit a1eacc767832 · 2021-12-09T21:08:00.000+01:00
diff --git a/js/src/services/api.service.js b/js/src/services/api.service.js
@@ -102,7 +102,7 @@ class ApiService {
                 }
                 if (response && response.atkjs) {
                     // Call evalResponse with proper context, js code and jQuery as $ var.
-                    atk.apiService.evalResponse.call(this, response.atkjs.replace(/<\/?script>/g, ''), jQuery);
+                    atk.apiService.evalResponse.call(this, response.atkjs, jQuery);
                 }
                 if (atk.apiService.afterSuccessCallbacks.length > 0) {
                     const self = this;
diff --git a/public/atkjs-ui.min.js b/public/atkjs-ui.min.js
diff --git a/src/App.php b/src/App.php
@@ -576,7 +576,7 @@ public function run()
 
             $this->html->template->set('title', $this->title);
             $this->html->renderAll();
-            $this->html->template->dangerouslyAppendHtml('HEAD', $this->html->getJs());
+            $this->html->template->dangerouslyAppendHtml('HEAD', $this->getTag('script', null, $this->html->getJs()));
             $this->is_rendering = false;
 
             if (isset($_GET[Callback::URL_QUERY_TARGET]) && $this->catch_runaway_callbacks) {
diff --git a/src/View.php b/src/View.php
@@ -743,7 +743,9 @@ public function render(bool $forceReturn = true): string
     {
         $this->renderAll();
 
-        return $this->getJs($forceReturn)
+        $js = $this->getJs($forceReturn);
+
+        return ($js !== '' ? $this->getApp()->getTag('script', null, $js) : '')
                . $this->renderTemplateToHtml();
     }
 
@@ -1199,7 +1201,7 @@ public function getJs(bool $forceReturn = false)
             }
         }
 
-        if (!$actions) {
+        if (count($actions) === 0) {
             return '';
         }
 
@@ -1218,7 +1220,7 @@ public function getJs(bool $forceReturn = false)
 
         $ready = new JsFunction($actions);
 
-        return '<script>' . "\n" . (new Jquery($ready))->jsRender() . "\n" . '</script>';
+        return (new Jquery($ready))->jsRender();
     }
 
     // }}}
diff --git a/src/VirtualPage.php b/src/VirtualPage.php
@@ -110,7 +110,7 @@ public function getHtml()
             if ($mode === 'popup') {
                 $this->getApp()->html->template->set('title', $this->getApp()->title);
                 $this->getApp()->html->template->dangerouslySetHtml('Content', parent::getHtml());
-                $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getJs());
+                $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getJs()));
 
                 $this->getApp()->terminateHtml($this->getApp()->html->template);
             }
@@ -142,7 +142,7 @@ public function getHtml()
 
         $this->getApp()->html->template->dangerouslySetHtml('Content', $this->getApp()->layout->template->renderToHtml());
 
-        $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->layout->getJs());
+        $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getApp()->layout->getJs()));
 
         $this->getApp()->terminateHtml($this->getApp()->html->template);
     }
diff --git a/tests/JsIntegrationTest.php b/tests/JsIntegrationTest.php
@@ -50,11 +50,9 @@ public function testBasicChain2(): void
         $j = $v->js(true)->hide();
         $v->getHtml();
 
-        $this->assertSame('<script>
-$(function() {
+        $this->assertSame('$(function() {
   $("#b").hide();
-})
-</script>', $v->getJs());
+})', $v->getJs());
     }
 
     /**
@@ -66,13 +64,11 @@ public function testBasicChain3(): void
         $v->js('click')->hide();
         $v->getHtml();
 
-        $this->assertSame('<script>
-$(function() {
+        $this->assertSame('$(function() {
   $("#b").bind("click",function() {
     $("#b").hide();
   });
-})
-</script>', $v->getJs());
+})', $v->getJs());
     }
 
     /**
@@ -87,14 +83,12 @@ public function testBasicChain4(): void
         $b1->on('click', $b2->js()->hide());
         $bb->getHtml();
 
-        $this->assertSame('<script>
-$(function() {
+        $this->assertSame('$(function() {
   $("#b1").on("click",function(event) {
     event.preventDefault();
     event.stopPropagation();
     $("#b2").hide();
   });
-})
-</script>', $bb->getJs());
+})', $bb->getJs());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ class ApiService {`
`102`	`102`	`}`
`103`	`103`	`if (response && response.atkjs) {`
`104`	`104`	`// Call evalResponse with proper context, js code and jQuery as $ var.`
`105`		`- atk.apiService.evalResponse.call(this, response.atkjs.replace(/<\/?script>/g, ''), jQuery);`
	`105`	`+ atk.apiService.evalResponse.call(this, response.atkjs, jQuery);`
`106`	`106`	`}`
`107`	`107`	`if (atk.apiService.afterSuccessCallbacks.length > 0) {`
`108`	`108`	`const self = this;`
Original file line number	Diff line number	Diff line change
`@@ -743,7 +743,9 @@ public function render(bool $forceReturn = true): string`
`743`	`743`	`{`
`744`	`744`	`$this->renderAll();`
`745`	`745`
`746`		`- return $this->getJs($forceReturn)`
	`746`	`+ $js = $this->getJs($forceReturn);`
	`747`	`+`
	`748`	`+ return ($js !== '' ? $this->getApp()->getTag('script', null, $js) : '')`
`747`	`749`	`. $this->renderTemplateToHtml();`
`748`	`750`	`}`
`749`	`751`
`@@ -1199,7 +1201,7 @@ public function getJs(bool $forceReturn = false)`
`1199`	`1201`	`}`
`1200`	`1202`	`}`
`1201`	`1203`
`1202`		`- if (!$actions) {`
	`1204`	`+ if (count($actions) === 0) {`
`1203`	`1205`	`return '';`
`1204`	`1206`	`}`
`1205`	`1207`
`@@ -1218,7 +1220,7 @@ public function getJs(bool $forceReturn = false)`
`1218`	`1220`
`1219`	`1221`	`$ready = new JsFunction($actions);`
`1220`	`1222`
`1221`		`- return '<script>' . "\n" . (new Jquery($ready))->jsRender() . "\n" . '</script>';`
	`1223`	`+ return (new Jquery($ready))->jsRender();`
`1222`	`1224`	`}`
`1223`	`1225`
`1224`	`1226`	`// }}}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ public function getHtml()`
`110`	`110`	`if ($mode === 'popup') {`
`111`	`111`	`$this->getApp()->html->template->set('title', $this->getApp()->title);`
`112`	`112`	`$this->getApp()->html->template->dangerouslySetHtml('Content', parent::getHtml());`
`113`		`- $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getJs());`
	`113`	`+ $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getJs()));`
`114`	`114`
`115`	`115`	`$this->getApp()->terminateHtml($this->getApp()->html->template);`
`116`	`116`	`}`
`@@ -142,7 +142,7 @@ public function getHtml()`
`142`	`142`
`143`	`143`	`$this->getApp()->html->template->dangerouslySetHtml('Content', $this->getApp()->layout->template->renderToHtml());`
`144`	`144`
`145`		`- $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->layout->getJs());`
	`145`	`+ $this->getApp()->html->template->dangerouslyAppendHtml('HEAD', $this->getApp()->getTag('script', null, $this->getApp()->layout->getJs()));`
`146`	`146`
`147`	`147`	`$this->getApp()->terminateHtml($this->getApp()->html->template);`
`148`	`148`	`}`