Update datepicker to 2.5.18 to fix CSP errors due to eval()

Would it be possible to switch from the current jquery datepicker for page live/expiry datetime to a non-jquery library that doesn’t rely on arbitrary code execution? Right now wagtail requires running with unsafe-eval turned on for script CSP, which for production websites is an incredibly dangerous setting to have to enable.

This affects both 1.* and the just released 2.0

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 11 (9 by maintainers)

Top GitHub Comments

1 reaction
Pomax commented, Mar 6, 2018

@thibaudcolas I’ve filed a PR that rolls the datetimepicker forward with a line in the changelog, let me know if there’s anything I can do in that PR as needed =)

1 reaction
Pomax commented, Mar 5, 2018

Maybe, but it looks like no “different” widget is necessary here, just a version bump: I just dropped in v2.5.18-full rather than the current v2.3.8, because that more recent version does not rely on eval(), and I am no longer seeing CSP issues while I do see a perfectly working calendar widget for page publish/expiry, so it’s probably worth simply doing a version bump for it and have that automatically solve this particular CSP issue.

https://github.com/xdan/datetimepicker/blob/2.3.8/jquery.datetimepicker.js still has eval() at L1641, https://github.com/xdan/datetimepicker/blob/2.5.18/jquery.datetimepicker.js no longer does.

So that’s a super simple fix, thankfully!
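The check discussed in this thread, as an added example that is not code from Wagtail or the datetimepicker project: it tests whether a CSP permits `eval()` and flags vendored scripts that would break under a policy without `'unsafe-eval'`. The function names and the two sample files are constructed for illustration, and the regex scan is a heuristic, not a JavaScript parser.

```javascript
'use strict';
// Added example; function names and sample files are constructed for illustration.

// Parse a CSP header value into { directive: [sources] }; the first duplicate wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// eval() is governed by script-src, falling back to default-src.
function allowsEval(header) {
  const p = parseCsp(header);
  const sources = p['script-src'] || p['default-src'];
  if (!sources) return true; // nothing restricts scripts, so eval is permitted
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// String-to-code sinks that a policy without 'unsafe-eval' blocks.
const SINKS = [
  { sink: 'eval()', re: /\beval\s*\(/ },
  { sink: 'new Function()', re: /\bnew\s+Function\s*\(/ },
  { sink: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

function findEvalSinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ''); // crude: ignore line comments
    for (const { sink, re } of SINKS) {
      if (re.test(code)) hits.push({ line: i + 1, sink });
    }
  });
  return hits;
}

// Files that would stop working if this policy were enforced.
function filesBlockedBy(header, files) {
  if (allowsEval(header)) return [];
  return Object.keys(files).filter((n) => findEvalSinks(files[n]).length > 0);
}

// Constructed stand-ins for an eval-based and an eval-free widget build.
const SAMPLE_FILES = {
  'widget-old.js': 'function opt(raw) {\n  return eval("(" + raw + ")");\n}',
  'widget-new.js': 'function opt(raw) {\n  return JSON.parse(raw); // no eval\n}',
};
console.log(filesBlockedBy("default-src 'self'", SAMPLE_FILES));
```

Running a scan like this over vendored assets before tightening the policy shows which dependencies need a version bump or replacement first.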
