Skip to content

Dialog actions cause an "Invalid template" error when CSP is enabled #7414

New issue
New issue
Closed
Closed
Dialog actions cause an "Invalid template" error when CSP is enabled#7414
Assignees
gdenchevprog
Labels
BugC: DialogCSP ImprovementsFP: CompletedSync status with associated Feedback ItemSEV: MediumjQuery
Milestone
2024 Q1
@kendo-bot

Description

@kendo-bot
kendo-bot
opened on Jun 30, 2023

Bug report

When the Dialog is configured with actions and the Content Security Policy is enabled, it throws an "Invalid template" error.

Reproduction of the problem

  1. Configure a Dialog widget with actions and set the CSP with the following content:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' https://kendo.cdn.telerik.com https://code.jquery.com; style-src 'self' 'unsafe-inline' https://kendo.cdn.telerik.com;" />

  1. Open the browser console to review the error.

A Dojo sample for reproduction: https://dojo.telerik.com/ULOyazUC

Expected/desired behavior

The Dialog should be rendered correctly without using the 'unsafe-eval' keyword in the "script-src" directive.

Workaround

Insert the following script before the Dialog initialization:

 <script>
    kendo.ui.Dialog.fn._mergeTextWithOptions = function(action) { var text = action.text; if(text) { return kendo.isFunction(text) ? text(this.options) : text; } return ""; }
</script>

Environment

  • **Kendo UI version: 2023.2.606
  • **jQuery version: 3.4.1
  • **Browser: [all]

Metadata

Metadata

Assignees

Labels

BugC: DialogCSP ImprovementsFP: CompletedSync status with associated Feedback ItemSEV: MediumjQuery

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions