Quill: Use of style attribute violates Content-Security-Policy inline style prevention.

Created on 8 Jun 2017  路  4Comments  路  Source: quilljs/quill

When using Content Security Policy restricting inline style modifications, the style will not be applied and Developer Tools will return a warning:

Refused to apply inline style because it violates the following Content Security Policy directive: (etc)

The line responsible:

var contents = this.clipboard.convert('<div class=\'ql-editor\' **style="white-space: normal;"**>' + html + '<p><br></p></div>');

Steps for Reproduction

  1. Can't demonstrate it on something like Codepen, but this should do it:
    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src https://cdn.quilljs.com; script-src 'self' https://cdn.quilljs.com;" />
  1. Initialize as normal.

Expected behavior:
That is expected behaviour.

Actual behavior:
n/a

Platforms:
Chrome/Windows 10/Cross-platform.

Version:
1.2.6

picture changelogsorg
👍1

Most helpful comment

This should be reopened, because even if it's not for public consumption, the function is still called which causes a CSP error.

picture GarrettGeorge on 9 May 2019
👍2

All 4 comments

clipboard.convert is an internal method not meant for public consumption. The public interface for this functionality is dangerouslyPasteHTML, which allows arbitrary HTML input, and as its name suggests it may be dangerous and trip security warnings.

jhchen picture jhchen on 9 Jun 2017
👎1

This should be reopened, because even if it's not for public consumption, the function is still called which causes a CSP error.

GarrettGeorge picture GarrettGeorge on 9 May 2019
👍2

I'm running in the same problem with recent version of quill. Currently looking for a workaround or a solution. This should indeed be reopened.

oliverniessen picture oliverniessen on 12 Nov 2019

@oliverniessen Unfortunately the only workaround is to change the code yourself and use npm patch-package to have your changes checked into source control for your application. This also means that you'll have to include Quill into your build pipeline. With Webpack 4, you also get some reduced build size from this.

GarrettGeorge picture GarrettGeorge on 12 Nov 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

rsdrsd picture rsdrsd  路  3Comments
visore picture visore  路  3Comments
aletorrado picture aletorrado  路  3Comments
benbro picture benbro  路  3Comments
scottfr picture scottfr  路  3Comments