Question T3125

Survey.JS - Pen Test Results

created 5 years ago

Hi,

We have a number of customers looking at our solution that leverages portal js. However, some are doing their own pen test / web application testing, and the unsafe-inline and unsafe-eval CSP directives are coming up.

The main issue is the inline scripts. One solution is to move all scripting to a separate resource file, so then there are NO inline scripts and we can lock this down with the Content Security Policy.

Any thoughts on how we can address this?

Thanks!!!

Oscar Sadder | Project Director – PowerObjects an HCL Company | Office: 612.339.3355 | Email: Oscar.sadder@HCL-PowerObjects.com



Comments (3)

    Hello,

    Could you please specify - how we can reproduce the issue on our side?
    What platform are you talking about?

    Thanks, Serge
    SurveyJS Team

      Hi,
      I am adding @Saswat Gorkhali for more information.

      saswat.gorkhali 5 years ago

        Hi,

        Please refer to this blog to learn more about Content Security Policy: https://developers.google.com/web/fundamentals/security/csp

        You can reproduce this on your end by adding the content security policy to the web config of your server where you host survey JS. You will notice that if you skip “unsafe-eval” in the CSP, survey js will stop working. I think it’s because survey js might be using eval() functions and other functions that CSP regards harmful.

        From: Oscar A Sadder <oscar.sadder@hcl-powerobjects.com> Sent: Thursday, December 19, 2019 9:24 AM To: Support Support <support@surveyjs.io>; Saswat Gorkhali <saswat.gorkhali@hcl-powerobjects.com> Subject: RE: Survey.JS - Pen Test Results [T3125]

        Answers approved by surveyjs Support

        created 5 years ago

        Hello,

        This is a known issue (https://github.com/surveyjs/survey-library/issues/877) related to the KnockoutJS, AngularJS and jQuery survey libraries and, I guess, to the SurveyJS Creator as well.
        We're using KnockoutJS for these libraries, and eval is used inside the KnockoutJS library. Thus, at this moment, we can't fix this issue for these platforms.

        Thanks, Serge
        SurveyJS Team


            Hello Oscar,
            The main differences between knockout and others are:

            1. The Knockout version is used in SurveyJS Creator.
            2. The Knockout version is used as a wrapper in the jQuery and Angular versions. We are thinking about making the Angular version without Knockout.

            Regarding functionality and events, if we are not talking about platform-specific things, then they are the same. We have SurveyJS Core, which is platform independent, and then platform-specific code for Knockout, React and Vue. All events, custom properties and other functionality are in SurveyJS Core. Even the onAfterRenderXXX events work in the same way, and custom widgets have the same code for React and Knockout.

            Thank you,
            Andrew
            SurveyJS Team

            saswat.gorkhali 5 years ago

              Hi,

              1. From what I’m understanding, the Survey JS Creator uses knockout, but the JSON created will work for the survey in all platforms, correct?
              2. If we change our dependency from knockout to react for Survey, we shouldn’t face any complications, correct? Any part of the survey that we should be testing in depth if we change our dependency?

              Thanks,
              Saswat

                1. Yes, it does. The JSON will work for all platforms, and even most of the code will work in all platforms.
                2. Yes, it should. In most cases, people use the SurveyJS React version when they develop a web application on React. However, you may use just a small portion of React for rendering SurveyJS using the React libraries.

                Thank you,
                Andrew
                SurveyJS Team