Make AshAdmin CSP compliant #375
👋 trying this out in my project there is some pretty wonky behavior with the behavior of the text input as a json editor. It seems to attempt to infinitely format/set the input value etc. Most importantly, AFAICT this removes effectively all of the benefits that we have from the other dependencies. There is no markdown preview, no structured editing for the json data. Can you tell me a bit more about the specifics of how these can't be made to be CSP compliant and alternatives you've considered?
I see, I didn't do the best job at researching if there was a better alternative to the respective package, and had a hard time even seeing how the markdown was used in the demo application, but I digress. I actually believe we could use https://github.com/josdejong/svelte-jsoneditor?tab=readme-ov-file#differences-between-josdejongsvelte-jsoneditor-and-josdejongjsoneditor, which uses CodeMirror, and get some of the structured functionality back. And I believe https://jefago.github.io/tiny-markdown-editor/ might be able to provide a CSP-friendly markdown editor experience. The main issue is that the libraries are using inline styles and they have no way to propagate a nonce to potential style or script tags that they use.
I don't think it's possible to fix the json editor; svelte is apparently notorious for being bad at CSP. The only solution to all of this would be to use some enterprise-ready libraries like https://github.com/microsoft/monaco-editor and https://github.com/slab/quill/ or build a LV json editor.
Could we maybe start with one at a time? What we can do, for example, is make it opt-in to support the json editor at compile time perhaps? So start with the markdown editor, and then we can merge that. Then we can add a toggle that removes the JSON editor in favor of just a text field.
Sounds good to me, would you be cool with using https://github.com/slab/quill/ for markdown?
I'm open to it, but I don't think that they have a preview. I'd definitely suggest trying out both json and markdown mode to see what needs to be supported for this to work.
Quill is a WYSIWYG markdown editor (https://quilljs.com/playground/snow). I would actually say it's a step up from easymde in regards to UX.
Nice, that looks good to me!
Actually, I'm not so sure. It's important to retain the original value as an editable thing, not editing a post-processed value. Rich text editors can reformat values, for example.
So this ended up a bit more complex than I liked, but unfortunately the JS dependency currently used is not CSP compliant and there is no way to propagate a nonce for them to use, so I've updated to use CodeMirror instead. I understand that this is a bigger change, but I think it would be ideal for AshAdmin to be enterprise ready, and explicitly allowing unsafe-inline certainly isn't.
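As an added example (not code from this PR or from AshAdmin), a small checker that makes the nonce-propagation problem from the thread concrete: it parses a Content-Security-Policy header and reports which inline `<style>`/`<script>` tags and `style="..."` attributes in a rendered fragment the policy would block. The HTML fragment and the two policies are constructed samples; the widget markup stands in for a library that injects its own styles without access to the page nonce.

```python
from html.parser import HTMLParser

def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def inline_allowed(policy, directive, nonce=None, is_attribute=False):
    """True if an inline <style>/<script> (or style attribute) survives."""
    sources = policy.get(directive, policy.get("default-src", []))
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-")}
    hashed = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    # CSP3: 'unsafe-inline' is ignored once any nonce or hash source is listed.
    if "'unsafe-inline'" in sources and not nonces and not hashed:
        return True
    if is_attribute:
        return False  # nonces never cover style="..." attributes
    return nonce is not None and nonce in nonces

class InlineCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (directive, nonce, is_attribute, tag)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.found.append(("style-src", a.get("nonce"), False, tag))
        elif tag == "script" and "src" not in a:
            self.found.append(("script-src", a.get("nonce"), False, tag))
        if "style" in a:
            self.found.append(("style-src", None, True, tag))

def blocked_inline(header, html):
    """Return tags whose inline CSS/JS the given policy would block."""
    policy = parse_csp(header)
    collector = InlineCollector()
    collector.feed(html)
    return [t for d, n, attr, t in collector.found if not inline_allowed(policy, d, n, attr)]

# Constructed sample: a nonced <style> the app emits, then a widget that
# injects a bare <style> tag and a style attribute (the thread's situation).
SAMPLE_HTML = ('<style nonce="abc123">.ok{}</style><div class="editor">'
               '<style>.wonky{}</style><span style="color:red">x</span></div>')
NONCE_POLICY = "default-src 'self'; style-src 'self' 'nonce-abc123'"
LAX_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'"
```

Under NONCE_POLICY the widget's bare `<style>` and the `style` attribute are blocked while the app's nonced tag survives; under LAX_POLICY everything passes, which is exactly the relaxation the PR wants to avoid.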