modernize innreport HTML

Julien ÉLIE julien at trigofacile.com
Fri May 15 18:39:27 UTC 2020


Hi Russ,

>> Why don't you use the html_css_url parameter in innreport.conf?
>> # html_css_url    "innreport.css";
>> 
>> If set, the HTML page will already contain:
>> <link rel="stylesheet" type="text/css" media="all" href="$css_url"/>
>> 
>> I don't really see the use case for your patch.
> 
> Inline styles are not allowed by a (good) Content-Security-Policy because
> they're vulnerable to XSS.  It's become common practice to always
> externalize all CSS into a separate file.  I think that's the intent of
> this patch.
> 
> In other words, the goal is to generate an external CSS file in the normal
> case where the user has not defined a custom style.  (I haven't looked in
> detail to see if this patch is the best way of doing that.)

We already have an external CSS file installed by default (which 
contains the same style as the one that is generated inline):
   https://inn.eyrie.org/trac/browser/trunk/samples/innreport.css
   https://inn.eyrie.org/trac/changeset/8170

I believe we should just use that innreport.css file by default (instead 
of generating this external CSS file when innreport is run).
Is there something I am missing?

Fresh INN installations will have the new behaviour.
Updates will keep the legacy behaviour unless they manually enable 
html_css_url in innreport.conf.  Richard's patch makes it possible to 
force that behaviour directly (which is an advantage).  Maybe we should 
do both (change default behaviour and apply Richard's patch).

-- 
Julien ÉLIE

"Make haste to live well, and consider that each day is in itself a
   life." (Seneca)
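
Added example, not part of the original message or of INN: a small check that reports which style sources in a generated report would be blocked by a Content-Security-Policy such as `style-src 'self'`, comparing an inline-style page with one that uses the `<link>` tag quoted above. The two sample pages are constructed, and the names `StyleAudit` and `violations` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not real innreport output).
LEGACY = """<html><head><title>report</title>
<style type="text/css">body { color: black; }</style>
</head><body><h1 style="color: red">Daily report</h1></body></html>"""

EXTERNAL = """<html><head><title>report</title>
<link rel="stylesheet" type="text/css" media="all" href="innreport.css"/>
</head><body><h1>Daily report</h1></body></html>"""


class StyleAudit(HTMLParser):
    """Record every place a page supplies CSS, with its line number."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line, detail)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "style":
            self.findings.append(("inline-block", line, "<style> element"))
        if "style" in a:
            self.findings.append(("inline-attr", line, f"style= on <{tag}>"))
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            url = urlparse(a.get("href", ""))
            # The page's own origin is unknown here, so any absolute URL is
            # treated conservatively as a different origin.
            kind = "absolute-url" if url.scheme or url.netloc else "relative-url"
            self.findings.append((kind, line, a.get("href", "")))


def violations(html, policy="style-src 'self'"):
    """Return the findings that the given style-src directive would block.

    Only the 'self' and 'unsafe-inline' keywords are understood here.
    """
    sources = policy.split()[1:]
    audit = StyleAudit()
    audit.feed(html)
    audit.close()
    blocked = []
    for kind, line, detail in audit.findings:
        if kind.startswith("inline"):
            allowed = "'unsafe-inline'" in sources
        else:
            allowed = kind == "relative-url" and "'self'" in sources
        if not allowed:
            blocked.append((kind, line, detail))
    return blocked
```

Running `violations()` over each generated report before tightening the policy shows whether any page still depends on inline CSS.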

