-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: adding nonce as a option in wavesurfer parameters to solve CSP problems #3858
Fix: adding nonce as a option in wavesurfer parameters to solve CSP problems #3858
Conversation
src/renderer.ts
Outdated
shadow.innerHTML = ` | ||
<style> | ||
<style ${nonce ? `nonce="${nonce}"` : ''}> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be sanitized for XSS. Something like nonce.replace(/"/g, '')
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like this you mean?
<style ${nonce ? `nonce="${nonce.replace(/"/g, '')}"` : ''}>There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better above where you do const nonce
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@katspaugh I've also added some type validation just to avoid any errors
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thank you! ❤️
Short description
Resolves #3602
Implementation details
I've added the nonce property as a new parameter in the WaveSurferOptions type. In the renderer.ts it checks if it was passed, and if it was, it adds it to the style being injected. This assumes you have the nonce value in your frontend to be able to be passed as a option.
How to test it
Try adding a valid nonce value to your WaveSurfer element like this: {nonce: 'example-value'}
Screenshots
Checklist