feat: CSP support (#58)

* Add pypi actions

* bump version

* feat: CSP support

* Update test requirements

* Update djangocms_attributes_field/widgets.py

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

* Update test requirements

* Bump version

* Add media property

* Fix linitng

* Add tests

---------

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

Author: fsbraun

.github/workflows/test.yml

@@ -10,13 +10,22 @@ jobs:
       matrix:
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         requirements-file:
-          [dj42_cms311.txt, dj42_cms41.txt, dj50_cms41.txt, dj51_cms41.txt]
-        os: [ubuntu-20.04]
+          [
+            dj42_cms311.txt,
+            dj42_cms41.txt,
+            dj42_cms50.txt,
+            dj50_cms50.txt,
+            dj51_cms50.txt,
+            dj52_cms50.txt
+        ]
+        os: [ubuntu-latest]
         exclude:
           - python-version: "3.9"
-            requirements-file: dj50_cms41.txt
+            requirements-file: dj50_cms50.txt
           - python-version: "3.9"
-            requirements-file: dj51_cms41.txt
+            requirements-file: dj51_cms50.txt
+          - python-version: "3.9"
+            requirements-file: dj52_cms50.txt
 
     steps:
       - uses: actions/checkout@v4

CHANGELOG.rst

@@ -2,6 +2,11 @@
 Changelog
 =========
 
+4.1.0 (2025-07-15)
+==================
+
+* Add CSP support (load JS and CSS from static files if installed in INSTALLED_APPS)
+
 4.0.0 (2024-11-19)
 ==================
 

README.rst

@@ -2,7 +2,7 @@
 django CMS Attributes Field
 ===========================
 
-|pypi| |coverage|  |python| |django| |djangocms| |djangocms4|
+|pypi| |coverage|  |python| |django| |djangocms|
 
 
 This project is an opinionated implementation of JSONField for arbitrary HTML
@@ -25,7 +25,8 @@ and provide sensible validation of the keys used.
 
 .. note::
 
-    This project is considered 3rd party (no supervision by the `django CMS Association <https://www.django-cms.org/en/about-us/>`_). Join us on `Slack                 <https://www.django-cms.org/slack/>`_ for more information.
+    This project is considered 3rd party (no supervision by the `django CMS Association <https://www.django-cms.org/en/about-us/>`_).
+    Join us on `Discord <https://www.django-cms.org/discord/>`_ for more information.
 
 
 .. image:: preview.gif
@@ -63,7 +64,7 @@ Installation
 For a manual install:
 
 * run ``pip install djangocms-attributes-field``
-* add ``djangocms_attributes_field`` to your ``INSTALLED_APPS``
+* add ``djangocms_attributes_field`` to your ``INSTALLED_APPS`` (at least for CSP support)
 * run ``python manage.py migrate djangocms_attributes_field``
 
 
@@ -174,11 +175,13 @@ You can run tests by executing::
     :target: http://badge.fury.io/py/djangocms-attributes-field
 .. |coverage| image:: https://codecov.io/gh/django-cms/djangocms-attributes-field/branch/master/graph/badge.svg
     :target: https://codecov.io/gh/divio/djangocms-attributes-field
-.. |python| image:: https://img.shields.io/badge/python-3.8+-blue.svg
+
+.. |python| image:: https://img.shields.io/pypi/pyversions/djangocms-attributes-field
+    :alt: PyPI - Python Version
     :target: https://pypi.org/project/djangocms-attributes-field/
-.. |django| image:: https://img.shields.io/badge/django-3.2,%204.0--%204.2-blue.svg
+.. |django| image:: https://img.shields.io/pypi/frameworkversions/django/djangocms-attributes-field
+    :alt: PyPI - Django Versions from Framework Classifiers
     :target: https://www.djangoproject.com/
-.. |djangocms| image:: https://img.shields.io/badge/django%20CMS-3.9%2B-blue.svg
-    :target: https://www.django-cms.org/
-.. |djangocms4| image:: https://img.shields.io/badge/django%20CMS-4-blue.svg
+.. |djangocms| image:: https://img.shields.io/pypi/frameworkversions/django-cms/djangocms-attributes-field
+    :alt: PyPI - django CMS Versions from Framework Classifiers
     :target: https://www.django-cms.org/

djangocms_attributes_field/__init__.py

@@ -1 +1 @@
-__version__ = '4.0.0'
+__version__ = '4.1.0'

djangocms_attributes_field/static/djangocms_attributes_field/widget.css

@@ -0,0 +1,40 @@
+body.djangocms-admin-style .delete-attributes-pair,
+body.djangocms-admin-style .add-attributes-pair {
+    border: 1px solid #ddd;
+    border-radius: 3px;
+    display: inline-block;
+    padding: 6px 5px 8px 10px;
+    line-height: inherit;
+}
+.delete-attributes-pair, .add-attributes-pair {
+    line-height: 2;
+}
+.attributes-pair {
+    display: table;
+    table-layout: fixed;
+    width: 100%;
+}
+.attributes-pair .field-box:first-child {
+    width: 25% !important;
+    display: table-cell !important;
+    vertical-align: top !important;
+    float: none !important;
+}
+.attributes-pair .field-box:last-child {
+    display: table-cell !important;
+    vertical-align: top !important;
+    width: 75% !important;
+    float: none !important;
+}
+body:not(.djangocms-admin-style) .attributes-pair .field-box:first-child input {
+    width: calc(100% - 1.3em);
+}
+.djangocms-attributes-field .attributes-pair .attributes-value {
+    width: 60% !important;
+    width: -webkit-calc(100% - 54px) !important;
+    width: -moz-calc(100% - 54px) !important;
+    width: calc(100% - 54px) !important;
+}
+.delete-attributes-pair {
+    margin-left: 16px;
+}

djangocms_attributes_field/static/djangocms_attributes_field/widget.js

@@ -0,0 +1,45 @@
+window.addEventListener('load', function () {
+    (function ($) {
+        function fixUpIds (fieldGroup) {
+            fieldGroup.find('.attributes-pair').each(function (idx, value) {
+                $(value).find('.attributes-key').attr('id', 'field-key-row-' + idx)
+                        .siblings('label').attr('for', 'field-key-row-' + idx);
+                $(value).find('.attributes-value').attr('id', 'field-value-row-' + idx)
+                        .siblings('label').attr('for', 'field-value-row-' + idx);
+            });
+        }
+
+        $(function () {
+            $('.djangocms-attributes-field').each(function () {
+                const that = $(this);
+
+                if (that.data('isAttributesFieldInitialized')) {
+                    return;
+                }
+
+                that.data('isAttributesFieldInitialized', true);
+
+                const emptyRow = that.find('.template');
+                const btnAdd = that.find('.add-attributes-pair');
+
+                btnAdd.on('click', function (event) {
+                    event.preventDefault();
+                    emptyRow.before(emptyRow.find('.attributes-pair').clone());
+                    fixUpIds(that);
+                });
+
+                that.on('click', '.delete-attributes-pair', function (event) {
+                    event.preventDefault();
+
+                    const removeButton = $(this);
+
+                    removeButton.closest('.attributes-pair').remove();
+                    fixUpIds(that);
+                });
+
+                fixUpIds(that);
+            });
+
+        });
+    }(django.jQuery));
+});

djangocms_attributes_field/widgets.py

@@ -1,8 +1,36 @@
-from django.forms import Widget
+import os
+
+from django.apps import apps
+from django.forms import Media, Widget
 from django.forms.utils import flatatt
 from django.utils.html import escape, mark_safe, strip_spaces_between_tags
 from django.utils.translation import gettext as _
 
+# NOTE: Inlining the CSS and JS code allows avoiding to register
+# djangocms_attributes_field in INSTALLED_APPS. It will, however,
+# potentially conflict with a CSP.
+# If "djangocms_attributes_field" is installed, then the media class
+# of the widget is used, otherwise the CSS and JS is inlined by reading from
+# file system at startup. This way, we support CSPs that do not allow
+# inline scripts/styles, but also support projects that historically do not use
+# djangocms_attributes_field as an app, but still want to use the widget.
+_inline_code = None
+
+def _read_inline_code():
+    if apps.is_installed('djangocms_attributes_field'):
+        _inline_code = ""
+    else:
+        def _read_static_files():
+            base_dir = os.path.dirname(os.path.abspath(__file__))
+            with open(os.path.join(base_dir, 'static/djangocms_attributes_field/widget.js'), 'r', encoding='utf-8') as f:
+                js_code = f.read()
+            with open(os.path.join(base_dir, 'static/djangocms_attributes_field/widget.css'), 'r', encoding='utf-8') as f:
+                css_code = f.read()
+            return css_code, js_code
+
+        _inline_code = "<style>{}</style><script>{}</script>".format(*_read_static_files())
+    return _inline_code
+
 
 class AttributesWidget(Widget):
     """
@@ -20,6 +48,31 @@ def __init__(self, *args, **kwargs):
         self.sorted = sorted if kwargs.pop('sorted', True) else lambda x: x
         super().__init__(*args, **kwargs)
 
+    @property
+    def media(self):
+        """
+        Returns the media required by this widget.
+        If djangocms_attributes_field is installed, it will use the media class
+        of the widget, otherwise it will inline the CSS and JS.
+        """
+
+        global _inline_code
+
+        if _inline_code is None:
+            _inline_code = _read_inline_code()
+
+        if _inline_code:
+            return Media()
+        else:
+            return Media(
+                css={
+                    'all': ('djangocms_attributes_field/widget.css',)
+                },
+                js=(
+                    'djangocms_attributes_field/widget.js',
+                )
+            )
+
     def _render_row(self, key, value, field_name, key_attrs, val_attrs):
         """
         Renders to HTML a single key/value pair row.
@@ -86,103 +139,7 @@ def render(self, name, value, attrs=None, renderer=None):
         """.format(
             title=_('Add another key/value pair'),
         )
-        output += '</div>'
-
-        # NOTE: This is very consciously being inlined into the HTML because
-        # if we use the Django "class Media()" mechanism to include this JS
-        # behaviour, then every project that uses any package that uses Django
-        # CMS Attributes Field will also have to add this package to its
-        # INSTALLED_APPS. By inlining the JS and CSS here, we avoid this.
-        output += """
-        <style>
-            body.djangocms-admin-style .delete-attributes-pair,
-            body.djangocms-admin-style .add-attributes-pair {
-                border: 1px solid #ddd;
-                border-radius: 3px;
-                display: inline-block;
-                padding: 6px 5px 8px 10px;
-                line-height: inherit;
-            }
-            .delete-attributes-pair, .add-attributes-pair {
-                line-height: 2;
-            }
-            .attributes-pair {
-                display: table;
-                table-layout: fixed;
-                width: 100%;
-            }
-            .attributes-pair .field-box:first-child {
-                width: 25% !important;
-                display: table-cell !important;
-                vertical-align: top !important;
-                float: none !important;
-            }
-            .attributes-pair .field-box:last-child {
-                display: table-cell !important;
-                vertical-align: top !important;
-                width: 75% !important;
-                float: none !important;
-            }
-            body:not(.djangocms-admin-style) .attributes-pair .field-box:first-child input {
-                width: calc(100% - 1.3em);
-            }
-            .djangocms-attributes-field .attributes-pair .attributes-value {
-                width: 60% !important;
-                width: -webkit-calc(100% - 54px) !important;
-                width: -moz-calc(100% - 54px) !important;
-                width: calc(100% - 54px) !important;
-            }
-            .delete-attributes-pair {
-                margin-left: 16px;
-            }
-        </style>
-        <script>
-            (function ($) {
-                function fixUpIds (fieldGroup) {
-                    fieldGroup.find('.attributes-pair').each(function (idx, value) {
-                        $(value).find('.attributes-key').attr('id', 'field-key-row-' + idx)
-                                .siblings('label').attr('for', 'field-key-row-' + idx);
-                        $(value).find('.attributes-value').attr('id', 'field-value-row-' + idx)
-                                .siblings('label').attr('for', 'field-value-row-' + idx);
-                    });
-                }
-
-                $(function () {
-                    $('.djangocms-attributes-field').each(function () {
-                        var that = $(this);
-
-                        if (that.data('isAttributesFieldInitialized')) {
-                            return;
-                        }
-
-                        that.data('isAttributesFieldInitialized', true);
-
-                        var emptyRow = that.find('.template');
-                        var btnAdd = that.find('.add-attributes-pair');
-                        var btnDelete = that.find('.delete-attributes-pair');
-
-                        btnAdd.on('click', function (event) {
-                            event.preventDefault();
-                            emptyRow.before(emptyRow.find('.attributes-pair').clone());
-                            fixUpIds(that);
-                        });
-
-                        that.on('click', '.delete-attributes-pair', function (event) {
-                            event.preventDefault();
-
-                            var removeButton = $(this);
-
-                            removeButton.closest('.attributes-pair').remove();
-                            fixUpIds(that);
-                        });
-
-                        fixUpIds(that);
-                    });
-
-                });
-            }(django.jQuery));
-        </script>
-        """
+        output += f'</div>{_inline_code}'
         return mark_safe(output)
 
     def value_from_datadict(self, data, files, name):

setup.py

@@ -17,20 +17,20 @@
     'Operating System :: OS Independent',
     'Programming Language :: Python',
     'Programming Language :: Python :: 3',
-    'Programming Language :: Python :: 3.8',
     'Programming Language :: Python :: 3.9',
     'Programming Language :: Python :: 3.10',
     'Programming Language :: Python :: 3.11',
+    'Programming Language :: Python :: 3.12',
+    'Programming Language :: Python :: 3.13',
     'Framework :: Django',
-    'Framework :: Django :: 3.2',
-    'Framework :: Django :: 4.0',
-    'Framework :: Django :: 4.1',
     'Framework :: Django :: 4.2',
+    'Framework :: Django :: 5.0',
+    'Framework :: Django :: 5.1',
+    'Framework :: Django :: 5.2',
     'Framework :: Django CMS',
-    'Framework :: Django CMS :: 3.9',
-    'Framework :: Django CMS :: 3.10',
     'Framework :: Django CMS :: 3.11',
     'Framework :: Django CMS :: 4.1',
+    'Framework :: Django CMS :: 5.0',
     'Topic :: Internet :: WWW/HTTP',
     'Topic :: Internet :: WWW/HTTP :: Dynamic Content',
     'Topic :: Software Development',

tests/requirements/base.txt

@@ -3,3 +3,4 @@ tox
 coverage
 isort
 flake8
+setuptools

tests/requirements/dj42_cms50.txt

@@ -0,0 +1,4 @@
+-r base.txt
+
+Django>=4.2,<5.0
+django-cms>=5.0,<5.1