Merge pull request #1620 from jezen/master

Move JavaScript form submission to script block

yesod-core/ChangeLog.md

@@ -1,5 +1,10 @@
 # ChangeLog for yesod-core
 
+## 1.6.15
+
+* Move `redirectToPost` JavaScript form submission from HTML element to
+  `<script>` tag for CSP reasons [#1620](https://github.com/yesodweb/yesod/pull/1620)
+
 ## 1.6.14
 
 * Introduce `JSONResponse`. [issue #1481](https://github.com/yesodweb/yesod/issues/1481) and [PR #1592](https://github.com/yesodweb/yesod/pull/1592)

yesod-core/src/Yesod/Core/Handler.hs

@@ -1069,13 +1069,15 @@ $doctype 5
 <html>
     <head>
         <title>Redirecting...
-    <body onload="document.getElementById('form').submit()">
+    <body>
         <form id="form" method="post" action=#{urlText}>
             $maybe token <- reqToken req
                 <input type=hidden name=#{defaultCsrfParamName} value=#{token}>
             <noscript>
                 <p>Javascript has been disabled; please click on the button below to be redirected.
             <input type="submit" value="Continue">
+        <script>
+          window.onload = function() { document.getElementById('form').submit(); };
 |] >>= sendResponse
 
 -- | Wraps the 'Content' generated by 'hamletToContent' in a 'RepHtml'.

yesod-core/yesod-core.cabal

@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.6.14
+version:         1.6.15
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>