• Login
  • Register

DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

dnnjsinclude gives script src integrity check

You are not authorized to post a reply.
Sort:


New Member


Posts:8
New Member

     

    I am using DontnetNuke 7.4, Visual Studio 2013 and .net framework 4.0

    I am referencing typekit.js in dnnjsinclude.

     

    <dnn:dnnjsinclude filepath="https://use.typekit.net/xie1khe.js" id="someID" runat="server">

    After a PCI scan, we are having a script src integrity check issue. I checked online and saw adding an integrity property with value as a key generated using https://www.srihash.org/ . However I think the integrity property here isn't recognized and all the interface gets messed up. Is there any way to set it ? Kindly let me know if my question is not clear. Thank you for your time in advance.

    Thanks



    Basic Member


    Posts:102
    Basic Member

      There is, in fact, a little known method for adding attributes to these script tags.  The DnnJsInclude control has a HtmlAttributesAsString property which can be used to add attributes.  In your example, that would look like this:

      
      <%@ Register TagPrefix="dnn" Namespace="DotNetNuke.Web.Client.ClientResourceManagement" Assembly="DotNetNuke.Web.Client" %>
      
      <dnn:DnnJsInclude runat="server" FilePath="https://use.typekit.net/xie1khe.js" HtmlAttributesAsString="integrity:sha384-cVzjI50ULMD2q5gObcDlRz+PX+kfeUHv+/Wv4WSV5DDVwYC2fOWGbkdUeaAFgcln,crossorigin:anonymous" />
      

      At one point I had found that setting multiple attributes this was wasn't working, and there was a fix in DNN 9.2 which addressed that; however, testing just now, this did work on my DNN 7.4.2 site, so hopefully this works for you. One caveat is that you do need to use the DnnJsInclude class from DotNetNuke.Web.Client.ClientResourceManagement (see the <%@ Register … %> directive above), rather than the skin/theme object by the same name.

      DNN partner specializing in custom, enterprise DNN development https://engagesoftware.com/showcase


      New Member


      Posts:8
      New Member

        Hi Brian,

        Thank you so much for your reply. I had tried adding the HtmlAttributesAsString in my website before. So my complete code was something as follows :

        <%@ Register TagPrefix="dnn" Namespace="DotNetNuke.Web.Client.ClientResourceManagement" Assembly="DotNetNuke.Web.Client" %>    (at the top of the page)

        then 

         

        <dnn:dnnjsinclude filepath="https://use.typekit.net/xie1khe.js" htmlattributesasstring="crossorigin:'anonymous',integrity:'sha384-cVzjI50ULMD2q5gObcDlRz+PX+kfeUHv+/Wv4WSV5DDVwYC2fOWGbkdUeaAFgcln'" id="SomeID" runat="server">

        But when I right click and inspect element and check the console, it gives me the following error :

        Error parsing 'integrity' attribute (''sha384-cVzjI50ULMD2q5gObcDlRz+PX+kfeUHv+/Wv4WSV5DDVwYC2fOWGbkdUeaAFgcln''). The specified hash algorithm must be one of 'sha256', 'sha384', or 'sha512' .

        Am I doing something wrong ? Is there any way to test if the added integrity constraint is working correctly ?

        KIndly let me know if I am not clear.

        Thanks !



        Basic Member


        Posts:102
        Basic Member

          It looks like the newer versions allow you to wrap the attribute values in single quotes, but the version in DNN 7.4.2 does not. If you remove the single quotes it should work.

          DNN partner specializing in custom, enterprise DNN development https://engagesoftware.com/showcase


          New Member


          Posts:8
          New Member

            It worked !!! :)  

            Thank you very much for helping me



            Basic Member


            Posts:83
            Basic Member

              Hmm, interesting, I did not know about this. Is that supported as a SPA token too ?


              Basic Member


              Posts:102
              Basic Member

                Nope, the SPA token only supports six properties https://github.com/dnnsoftware/Dnn.Platform/blob/83ee0001477f570e65b3883300199a81288769b8/DNN%20Platform/Library/Services/Tokens/PropertyAccess/JavaScriptPropertyAccess.cs
                DNN partner specializing in custom, enterprise DNN development https://engagesoftware.com/showcase


                Basic Member


                Posts:83
                Basic Member

                  Thanks for the link, I was wondering what code the tokens fired :)


                  Basic Member


                  Posts:83
                  Basic Member

                    Am I correct in assuming a module could extend this to use custom tokens by implementing IPropertyAccess or something like that ?


                    Basic Member


                    Posts:102
                    Basic Member

                      SPA modules have an extension mechanism, but typically the TokenReplace type will have a hard-coded list of IPropertyAccess implementations, see e.g. HtmlTokenReplace (which is the base class for the SPA module token replace, but also used for the HTML module).

                      For a SPA module, the module's business controller class can implement ICustomTokenProvider (here's where that's found and called).

                      DNN partner specializing in custom, enterprise DNN development https://engagesoftware.com/showcase
                      You are not authorized to post a reply.

                      These Forums are dedicated to discussion of DNN Platform.

                      For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

                      1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
                      2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
                      3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
                      4. No Flaming or Trolling.
                      5. No Profanity, Racism, or Prejudice.
                      6. Site Moderators have the final word on approving / removing a thread or post or comment.
                      7. English language posting only, please.

                      Would you like to help us?

                      Awesome! Simply post in the forums using the link below and we'll get you started.

                      Get Involved