Important-91132-AvoidJavaScriptInUserSettingsConfigurationOptions.rst 2.96 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
.. include:: ../../Includes.txt

===========================================================================
Important: #91132 - Avoid JavaScript in User Settings Configuration options
===========================================================================

See :issue:`91132`

Description
===========

User Settings Configuration options for buttons `onClick` and `onClickLabels`
(used to generate inline JavaScript `onclick` event) and `confirmData.jsCodeAfterOk`
(used to execute a JavaScript callback in modal confirmations) should be omitted.

New options `clickData.eventName` and `conformationData.eventName` should be used
containing an individual event name that has to be handled individually using a
static JavaScript module.

This step is advised to reduce the amount of inline JavaScript code towards
better support for Content-Security-Policy headers.

Applications having custom changes in :php:`$GLOBALS['TYPO3_USER_SETTINGS']`
24
and using mentioned options `onClick*` or `confirmData.jsCodeAfterOk`.
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

The following example show a potential migration path to avoid inline JavaScript.

.. code-block:: php

   $GLOBALS['TYPO3_USER_SETTINGS'] = [
       'columns' => [
           'customButton' => [
               'type' => 'button',
               'onClick' => 'alert("clicked the button")',
               'confirm' => true,
               'confirmData' => [
                   'message' => 'Please confirm...',
                   'jsCodeAfterOk' => 'alert("confirmed the modal dialog")',
               ]
            ],
            // ...

The above configuration can be replace by the the following.

.. code-block:: php

   $GLOBALS['TYPO3_USER_SETTINGS'] = [
       'columns' => [
           'customButton' => [
               'type' => 'button',
               'clickData' => [
                   'eventName' => 'setup:customButton:clicked',
               ],
               'confirm' => true,
               'confirmData' => [
                   'message' => 'Please confirm...',
                   'eventName' => 'setup:customButton:confirmed',
               ]
            ],
            // ...

Events declared in corresponding `eventName` options have to be handled by
a custom static JavaScript module. Following snippets show the relevant parts:

.. code-block:: javascript

   document.querySelectorAll('[data-event-name]')
       .forEach((element: HTMLElement) => {
           element.addEventListener('setup:customButton:clicked', (evt: Event) => {
               alert('clicked the button');
           });
       });
   document.querySelectorAll('[data-event-name]')
       .forEach((element: HTMLElement) => {
           element.addEventListener('setup:customButton:confirmed', (evt: Event) => {
               evt.detail.result && alert('confirmed the modal dialog');
           });
       });

PSR-14 event :php:`\TYPO3\CMS\Setup\Event\AddJavaScriptModulesEvent` can be used
to inject a JavaScript module to handle those custom JavaScript events.


.. index:: Backend, NotScanned, ext:setup