Description

The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts. However, the Doks-custom email shortcode leverages unsafe inline JS, which renders the shortcode unusable. Adding a risky `unsafe-inline` as a source to the CSP header comes at the risk of script injection via injection of HTML script elements.

Steps to reproduce

Use the email shortcode on a page like:

{{< email user="hello" domain="example.com" >}}
Expected result
The email should get rendered on the page.
Actual result
No email is rendered as CSP is denying inline JS.
Environment