Bug: KINT d() visual error in debugging when activating CSP #5475

Closed
davidalmaraz opened this issue Dec 16, 2021 · 7 comments · Fixed by #5501
Labels
bug Verified issues on the current code behavior or pull requests that will fix them

Comments

@davidalmaraz

PHP Version

7.4

CodeIgniter4 Version

4.1.5

CodeIgniter4 Installation Method

Manual (zip or tar.gz)

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

No response

What happened?

kint-rich-script and kint-rich-style in RichRenderer.php inside the third-party Kint library need {csp-style-nonce} and {csp-script-nonce}, because when "CONTENT SECURITY POLICY" is activated it disables them for security. As a result, being in debug mode with CSP activated disables Kint's visual style.

Steps to Reproduce

Activate developer mode and CSP.

Use d('example'); in some controller to debug

Expected Output

Being able to see the theme used by kint in the web browser for debugging

Anything else?

In folder system/ThirdParty/Kint/Renderer/, in file RichRenderer.php, lines 383 to 392:

switch ($type) {
    case 'script':
        $output .= '<script class="kint-rich-script">'.$contents.'</script>';
        break;
    case 'style':
        $output .= '<style class="kint-rich-style">'.$contents.'</style>';
        break;
    default:
        $output .= $contents;
}

replace by:

switch ($type) {
    case 'script':
        $output .= '<script {csp-script-nonce} class="kint-rich-script">'.$contents.'</script>';
        break;
    case 'style':
        $output .= '<style {csp-style-nonce} class="kint-rich-style">'.$contents.'</style>';
        break;
    default:
        $output .= $contents;
}

To return the visual style of KINT when CSP is activated

@davidalmaraz davidalmaraz added the bug Verified issues on the current code behavior or pull requests that will fix them label Dec 16, 2021
@kenjis
Member

kenjis commented Dec 18, 2021

@davidalmaraz Thank you for reporting.
I've confirmed this behavior.

But Kint is a third party library, so we can't change files in it.

@kenjis
Member

kenjis commented Dec 18, 2021

The workaround is to use dd() instead of d().

@kenjis
Member

kenjis commented Dec 18, 2021

app/Common.php:

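function d(...$vars)
{
    // Tell Kint that d() is a wrapper around Kint::dump().
    Kint::$aliases[] = 'd';

    // Capture the dump instead of sending it straight to the browser.
    ob_start();
    Kint::dump(...$vars);
    $output = ob_get_clean();

    /** @var \Config\App $config */
    $config = config('App');

    // With CSP on, add the nonce placeholders to the inline tags in the output.
    if ($config->CSPEnabled === true) {
        $output = str_replace('<script ', '<script {csp-script-nonce} ', $output);
        $output = str_replace('<style ', '<style {csp-style-nonce} ', $output);
    }

    echo $output;
}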

@kenjis kenjis changed the title Bug: KINT visual error in debugging when activating CONTENT SECURITY POLICY Bug: KINT d() visual error in debugging when activating CONTENT SECURITY POLICY Dec 18, 2021
@kenjis kenjis added wontfix Current code behavior being reported or fixed is intentional and won't be changed and removed bug Verified issues on the current code behavior or pull requests that will fix them labels Dec 24, 2021
@kenjis
Member

kenjis commented Dec 25, 2021

Kint has magical Modifiers:
https://kint-php.github.io/kint/advanced/

If you use the wrapper functions (or CI4 provides them), the Modifiers do not work.

This should be handled by Kint.

@kenjis kenjis removed the wontfix Current code behavior being reported or fixed is intentional and won't be changed label Dec 25, 2021
@kenjis kenjis changed the title Bug: KINT d() visual error in debugging when activating CONTENT SECURITY POLICY Bug: KINT d() visual error in debugging when activating CSP Dec 25, 2021
@kenjis kenjis added the bug Verified issues on the current code behavior or pull requests that will fix them label Dec 25, 2021
@kenjis
Member

kenjis commented Dec 25, 2021

@davidalmaraz
I created another PR. It works with Kint Modifiers.
See #5501

@davidalmaraz
Author

@kenjis
Thank you very much. It worked for me to overwrite the function inside the common controller, but I liked the one in "override RichRenderer::preRender()" #5501.

@kenjis
Member

kenjis commented Dec 30, 2021

#5501 was merged into develop.
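
An added example, not code from CodeIgniter, Kint or the participants in this thread: stand-alone PHP that nonce-tags captured debug output by matching only the two tag strings quoted in the issue, so any other inline tag in the buffer gets no nonce and stays blocked. The function name, the sample buffer and the policy string are assumptions made for illustration; in CodeIgniter the `{csp-script-nonce}` and `{csp-style-nonce}` placeholders are filled in by the framework instead.

```php
<?php
// Added example. addNonceToKintTags() and the sample buffer are hypothetical;
// the two class names are the ones quoted in the issue.

function addNonceToKintTags(string $html, string $scriptNonce, string $styleNonce): string
{
    // Exact tag strings as emitted by the switch shown in the issue.
    $tags = [
        '<script class="kint-rich-script">' => '<script nonce="' . $scriptNonce . '" class="kint-rich-script">',
        '<style class="kint-rich-style">'   => '<style nonce="' . $styleNonce . '" class="kint-rich-style">',
    ];

    // Only these two strings are rewritten; other inline tags keep no nonce
    // and stay blocked by the policy.
    return str_replace(array_keys($tags), array_values($tags), $html);
}

// One fresh, unpredictable nonce per response for each directive.
$scriptNonce = base64_encode(random_bytes(16));
$styleNonce  = base64_encode(random_bytes(16));

// Assumed policy: inline code is allowed only when it carries the nonce.
$csp = "Content-Security-Policy: script-src 'self' 'nonce-{$scriptNonce}'; "
     . "style-src 'self' 'nonce-{$styleNonce}'";

// Constructed sample of captured debug output plus one unrelated inline script.
$sample = '<style class="kint-rich-style">.kint-rich{margin:0}</style>'
        . '<script class="kint-rich-script">/* kint js */</script>'
        . '<script >console.log("not from Kint")</script>';

$out = addNonceToKintTags($sample, $scriptNonce, $styleNonce);

if (PHP_SAPI === 'cli') {
    echo $csp, PHP_EOL;   // show the header when run from the command line
} elseif (! headers_sent()) {
    header($csp);         // send it for real under a web server
}
echo $out, PHP_EOL;

// The two Kint tags now carry a nonce; the unrelated script does not.
assert(substr_count($out, 'nonce="') === 2);
assert(strpos($out, '<script >console.log') !== false);
```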
