Spreadsheet component not working with 0.35.0 #2

Open
ToniJ123 opened this issue May 22, 2025 · 7 comments
Labels
bug Something isn't working

Comments

@ToniJ123

Introduction

Offline version of latest spreadsheet component not working at all with this latest 0.35.0 release

To Reproduce

- Latest SQLPage
- Latest spreadsheet component

Actual behavior

No errors; the spreadsheet component just keeps showing a loading circle on the page, and the spreadsheet component never gets loaded on the page.

@ToniJ123 ToniJ123 added the bug Something isn't working label May 22, 2025
@ToniJ123
Author

Image

@ToniJ123
Author

Otherwise, great work making great improvements and very happy to see some major jumps in development! 👍

@ToniJ123
Author

A quick look with the developer tools shows that there are problems with the bootstrap / tabler / apex chart colors/style libraries not being found. This may have something to do with why the spreadsheet component also isn't working.

@lovasoa lovasoa transferred this issue from sqlpage/SQLPage May 22, 2025
@lovasoa
Collaborator

lovasoa commented May 22, 2025

I'll release a new version of the spreadsheet component very soon :)

@lovasoa
Collaborator

lovasoa commented May 22, 2025

I just released v0.6 with compatibility for the latest sqlpage: https://github.com/sqlpage/sqlpage-spreadsheet/releases/tag/v0.6.0

@ToniJ123
Author

ToniJ123 commented May 23, 2025

Note that this version requires updating your sqlpage settings to allow code execution from inside the component. See https://github.com/sqlpage/sqlpage-spreadsheet/blob/main/demo/sqlpage/sqlpage.json

"content_security_policy": "script-src 'self' 'nonce-{NONCE}' 'unsafe-eval'"

Is every part of this necessary? This seems like a security risk, at least the last one? At what level does this CSP allow this? Somehow internally in the SQLPage / spreadsheet processes, or does this affect the real user's browser level when using the produced web app?

@lovasoa
Collaborator

lovasoa commented May 23, 2025

unsafe-eval in CSP permits dynamic code execution via eval(), new Function(), etc. It's flagged as risky due to potential XSS if untrusted or improperly sanitized input reaches those calls.

However, it's not inherently unsafe. All web pages without a CSP—most of the web—implicitly allow unsafe-eval. In our case, it’s required by a trusted dependency, and all eval usage is internal and isolated from user input. Since there’s no injection vector, enabling unsafe-eval is safe here.

I'll still check whether we can do without it in future versions.
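An added example, not part of the thread or of the SQLPage code base: a simplified model of how a browser, which is where a Content-Security-Policy header is enforced, reads the `script-src` value quoted above, showing that `'unsafe-eval'` only opens `eval()`/`new Function()` while inline scripts without the nonce stay blocked. The helper names and the sample nonce are constructed for illustration, and the substitution of `{NONCE}` by the server for each response is assumed here.

```javascript
// Simplified script-src model: no 'strict-dynamic', host matching or
// default-src fallback. Function names are hypothetical, not a SQLPage API.

// Parse a CSP string into { directive: [source expressions] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    // Per the CSP spec, a repeated directive is ignored: the first one wins.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Report which script execution paths the policy permits on a page
// whose trusted <script> tags carry nonce="pageNonce".
function scriptPermissions(policy, pageNonce) {
  const src = parseCsp(policy)['script-src'];
  if (!src) return { restricted: false }; // no script-src: scripts unrestricted
  const has = (kw) => src.some((s) => s.toLowerCase() === kw);
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = src.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  return {
    restricted: true,
    sameOriginFiles: has("'self'"),
    inlineWithNonce: src.includes(`'nonce-${pageNonce}'`),
    inlineWithoutNonce: has("'unsafe-inline'") && !hasNonceOrHash,
    evalAndNewFunction: has("'unsafe-eval'"),
  };
}

// Policy template as quoted in the thread; the nonce is a constructed sample.
const TEMPLATE = "script-src 'self' 'nonce-{NONCE}' 'unsafe-eval'";
const NONCE = 'c2FtcGxlLW5vbmNl';
const served = TEMPLATE.replace('{NONCE}', NONCE);

const withEval = scriptPermissions(served, NONCE);
const withoutEval = scriptPermissions(served.replace(" 'unsafe-eval'", ''), NONCE);

console.log('as quoted:          ', withEval);
console.log("without unsafe-eval:", withoutEval);
```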


2 participants