Add custom html code to head #3693
Conversation
I'm personally ok with this, but:
For the XSS attack: in many cases the person with login to the status page might also edit the html files on the server itself. For the other cases an env variable could be added that disables the new setting, so the server admin can restrict the kuma admin.
Using
From my side this is ready to merge.
Can I do something to get this merged?
I've addressed the security concerns mentioned in the previous review. Could you please take another look at the PR? Thanks!
Currently, setting it to `false` or `0` would activate this feature.
=> let's not check the environment variable this way ^^
I have also left some remarks about how we communicate this feature.
I think the communication of this is not quite where it needs to be to be mergeable.
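The check the review objects to (a truthiness test on the env var string, which makes `false` or `0` enable the feature) next to the strict form, as an added JavaScript example. This is not code from the PR or from uptime-kuma; the function names, the `renderStatusPageHead` shape and the `customHtmlEnabled` flag are assumptions. The last function also sketches the server-side setting the later comments discuss, which the status page editor could fetch to hide the field when the feature is off.

```javascript
// Added example, not code from the uptime-kuma PR. Names below are assumptions.

// Naive check: process.env values are strings, and every non-empty string is
// truthy, so "0" and "false" would enable the feature. This is the behaviour
// the review objects to.
function isCustomHtmlAllowedNaive(env) {
    return Boolean(env.UPTIME_KUMA_ALLOW_CUSTOM_HTML);
}

// Strict check: only the documented opt-in value "1" enables the feature.
// Anything else (unset, "", "0", "false", "yes") leaves it disabled.
function isCustomHtmlAllowed(env) {
    return (env.UPTIME_KUMA_ALLOW_CUSTOM_HTML || "").trim() === "1";
}

// Minimal HTML escaping for values that must never be interpreted as markup.
function escapeHtml(s) {
    return String(s)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;");
}

// Server-side rendering of the status page <head>. The operator-supplied
// block is inserted verbatim (that is the point of the feature), but only when
// the env var opts in; the title is escaped either way.
function renderStatusPageHead(config, env) {
    const parts = [`<title>${escapeHtml(config.title || "")}</title>`];
    if (isCustomHtmlAllowed(env) && config.customHtml) {
        parts.push(config.customHtml);
    }
    return `<head>${parts.join("")}</head>`;
}

// Flag the server can expose to the frontend so the editor is hidden unless
// the feature is enabled (the approach the review suggests).
function publicConfigFlags(env) {
    return { customHtmlEnabled: isCustomHtmlAllowed(env) };
}

// Constructed sample config, used when the file is run directly.
const sampleConfig = {
    title: "Status <beta>",
    customHtml: '<script src="https://analytics.example/snippet.js"></script>',
};
console.log("env=false, naive:", isCustomHtmlAllowedNaive({ UPTIME_KUMA_ALLOW_CUSTOM_HTML: "false" }));
console.log("env=false, strict:", isCustomHtmlAllowed({ UPTIME_KUMA_ALLOW_CUSTOM_HTML: "false" }));
console.log(renderStatusPageHead(sampleConfig, {}));
console.log(renderStatusPageHead(sampleConfig, { UPTIME_KUMA_ALLOW_CUSTOM_HTML: "1" }));
```

The strict comparison against `"1"` matches the wording of the PR description; comparing against a list of accepted values would be a reasonable extension, but the essential property is that absence and any unrecognised value both mean disabled.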
<!-- Custom HTML --> | ||
<div class="my-3"> | ||
<div class="mb-1">{{ $t("Custom HTML") }}</div> | ||
<prism-editor v-model="config.customHtml" class="css-editor" :highlight="highlighter" line-numbers></prism-editor> |
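Review bot: the editor block is rendered unconditionally and the `<div class="mb-1">{{ $t("Custom HTML") }}</div>` label carries no help text, so anyone editing the status page sees the field even when `UPTIME_KUMA_ALLOW_CUSTOM_HTML` is unset and gets no hint that whatever is typed here is placed into `<head>` without escaping. Suggest wrapping the `<div class="my-3">` in a `v-if` on a server-provided flag and adding a help line under the label stating that the HTML is inserted as-is and only takes effect when the env var is set.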
I think the frontend should be disabled if said environment variable is not present and enabled when it is.
This would also enable having a better help text, communicating that adding stuff here is inherently kind of dangerous as said code is not vetted by security reviews.
To do this would most likely involve creating a setting on server, then the status page edit page would have to fetch that setting and enable/disable accordingly. A bit complicated IMO.
Maybe having a remark in the description is good enough?
Since vite also supports environment variables, I am not convinced that would be necessary.
Needs figuring out if this is linked correctly though.
Haven't tested this but I think these only work at build time.
Also have not tested, but aren't we using SSR for this feature?
=> the environment variables should be covered...
With this PR a new text field will be added that allows setting custom html code to the `<head>` of a status page. The implementation will be similar to https://github.com/louislam/uptime-kuma/pull/2567/files, but with a multi-line text field and without escaping any special chars. For security reasons the env var `UPTIME_KUMA_ALLOW_CUSTOM_HTML` must be set to `1` to enable this feature. This will allow tracking with most analytic platforms and has been requested several times. Closes #2818
Reworked the PR to address my concerns: #4817
Thanks a lot for the contribution.