Posted to commits@allura.apache.org by gc...@apache.org on 2023/03/14 17:48:25 UTC

[allura] branch gc/8504 created (now 16b958f8e)

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a change to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git


      at 16b958f8e [#8504] added new csp into middleware and removed onclick inline events from html templates

This branch includes the following new commits:

     new 16b958f8e [#8504] added new csp into middleware and removed onclick inline events from html templates

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[allura] 01/01: [#8504] added new csp into middleware and removed onclick inline events from html templates

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 16b958f8ec09912b2ab70aaedd64db4f6edd76e6
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Tue Mar 14 12:48:08 2023 -0500

    [#8504] added new CSP directive to the middleware and removed inline onclick event handlers from the HTML templates
---
 .../templates/sections/projects.html               |  2 +-
 .../user_profile/templates/sections/projects.html  |  2 +-
 Allura/allura/lib/custom_middleware.py             |  6 ++++
 .../templates/jinja_master/sidebar_menu.html       |  2 +-
 Allura/allura/templates/widgets/post_widget.html   | 10 ++++++-
 Allura/allura/templates/widgets/vote.html          |  4 +--
 .../jinja_master/sidebar_menu.html                 |  2 +-
 Allura/development.ini                             |  3 ++
 .../templates/discussionforums/admin_forums.html   |  7 ++++-
 .../templates/feedback/common_feedback.html        | 15 ++++++++--
 .../templates/feedback/edit_feedback.html          | 13 +++++----
 .../templates/feedback/new_feedback.html           | 14 +++++----
 ForgeFiles/forgefiles/templates/files.html         | 34 ++++++++++++++++++++--
 ForgeSVN/forgesvn/templates/svn/checkout_url.html  |  6 +++-
 .../templates/tracker_widgets/options_admin.html   | 10 ++++++-
 15 files changed, 104 insertions(+), 26 deletions(-)

diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index 5616ce096..bd6b799ab 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -58,7 +58,7 @@
     </ul>
     {% if projects|length > 5 %}
         <div class="show-more-projects">
-            <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()">
+            <button id="show-more-profile-projects">
                 {{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }}
             </button>
         </div>
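Review bot: The `onclick` on the show-more button is dropped on the `+` line, but no replacement handler is bound anywhere in this commit — the diffstat lists one changed line for this file and no `<script>` is added — so unless an existing script already selects `#show-more-profile-projects`, the button now does nothing. The user_profile template in the next hunk has the same gap and reuses the exact same id; if the dashboard and profile "projects" sections can ever appear on one page, a `$('#show-more-profile-projects')` binding reaches only the first one. A class would serve both: `<button class="show-more-projects-btn">` bound once with `$('.show-more-projects-btn').on('click', function(){ $(this).hide().closest('.section-body').find('li.hidden').show(); });`. The enclosing section body starts outside the hunk.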
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html
index 00e789b19..90acd3822 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -58,7 +58,7 @@
     </ul>
     {% if projects|length > 5 %}
     <div class="show-more-projects">
-        <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()">
+        <button id="show-more-profile-projects">
           {{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }}
         </button>
     </div>
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 72fd7677f..4d8e51c56 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -514,6 +514,12 @@ class ContentSecurityPolicyMiddleware:
             else:
                 report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
 
+        if self.config.get('csp.script_src_attr'):
+            if asbool(self.config.get('csp.script_src_attr_enforce', False)):
+                rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+            else:
+                report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+
         rules.add("object-src 'none'")
         rules.add("frame-ancestors 'self'")
         if rules:
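Review bot: `self.config.get('csp.script_src_attr')` is evaluated three times in the new branch; read it once — `script_src_attr = self.config.get('csp.script_src_attr')` then `if script_src_attr:` — and use the local in both f-strings, mirroring how `script_srcs` is prepared for the `script-src` branch above. A comment on the branch would also help, because `script-src-attr` only ever matches inline event handlers, and only `'unsafe-inline'` or `'unsafe-hashes'`-plus-hash source expressions can allow one: a host value like the `'self'` shipped in `development.ini` therefore behaves as `'none'` for those attributes, i.e. "every remaining on*= attribute is reported, or blocked once `csp.script_src_attr_enforce` is set". `asbool` is not visible in this hunk; presumably it is already imported by the module. The class body continues outside the hunk.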
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html
index e7ed0e797..2c4cc37d2 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -68,7 +68,7 @@
           {% set admin_menu = c.app.admin_menu() %}
         {% endif %}
         {% if admin_menu %}
-          <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;'
+          <a id='sidebar-admin-header'
              href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}>
             {{sidebar_item(c.app.admin_menu_collapse_button)}}
           </a>
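Review bot: Removing the `onclick` on `#sidebar-admin-header` drops both the menu toggle and the `return false` that kept `href='#'` from navigating, and no replacement binding is visible in this commit (the diffstat shows a single changed line for this file), so the admin menu can no longer be expanded unless an existing script already handles it. The responsive copy at `templates_responsive/jinja_master/sidebar_menu.html` has the same gap. One binding in the shared page script restores both: `$('#sidebar-admin-header').on('click', function(e){ $('#sidebar-admin-menu').toggleClass('hidden'); $(this).toggleClass('expanded'); e.preventDefault(); });`. The enclosing `{% if admin_menu %}` block ends outside the hunk.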
diff --git a/Allura/allura/templates/widgets/post_widget.html b/Allura/allura/templates/widgets/post_widget.html
index d986d5f5d..ef205bcba 100644
--- a/Allura/allura/templates/widgets/post_widget.html
+++ b/Allura/allura/templates/widgets/post_widget.html
@@ -133,7 +133,7 @@
                  <div class="attachment_toolbar">
                     <form method="POST" action="{{att.url()}}">
                         {% if can_moderate_post %}
-                            <a href="javascript: void(0)"  onclick="$(this).closest('form').submit();" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
+                            <a href="javascript: void(0)" id="remove-attachment" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
                                 <span><i class="fa fa-trash-o" aria-hidden="true"></i></span>
                             </a>
                         {% endif %}
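Review bot: `id="remove-attachment"` on the `+` line is emitted once per attachment toolbar, and this widget presumably renders one toolbar per attachment per post, so any page with more than one attachment carries duplicate ids. A class is the right hook here: `<a href="javascript: void(0)" class="remove-attachment btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only" title="Remove Attachment">` paired with `$('.attachment_toolbar .remove-attachment')` in the selector added further down this file. The surrounding attachment loop starts outside the hunk.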
@@ -187,3 +187,11 @@
     </ul>
   </div>
 </div>
+
+{% block extra_js %}
+<script>
+$('.attachment_toolbar #remove-attachment').on('click', function(e){
+    $(this).closest('form').submit();
+})
+</script>
+{% endblock %}
\ No newline at end of file
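Review bot: The `<script>` added inside `{% block extra_js %}` is still inline script, so under the `script-src` rules in this commit's `development.ini` it continues to depend on `'unsafe-inline'` from `csp.script_src.extras`; the change satisfies the new `script-src-attr` directive but brings the page no closer to dropping `'unsafe-inline'` for `script-src`, which a static `.js` file (or a nonced script) would. If `post_widget.html` is rendered once per post and does not `{% extends %}` a layout, the block renders in place for every post and each copy re-binds the click handler to every matching link on the page, so one click would call `submit()` several times; binding once at page level avoids that. The same inline-script shape is added in `options_admin.html`, `files.html`, `admin_forums.html`, `checkout_url.html` and the feedback templates. The file also now ends without a trailing newline.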
diff --git a/Allura/allura/templates/widgets/vote.html b/Allura/allura/templates/widgets/vote.html
index 533ada519..3dc856bf3 100644
--- a/Allura/allura/templates/widgets/vote.html
+++ b/Allura/allura/templates/widgets/vote.html
@@ -24,10 +24,10 @@
 {% if can_vote %}
 <div id="vote" class="gray">
   <span class="btn-set duo">
-  <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}" onclick="javascript:return false;">
+  <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}">
     {{ g.icons['vote_up'].render(tag='b', style="color:green;") }}
   </a>
-  <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}" onclick="javascript:return false;">
+  <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}">
     {{ g.icons['vote_down'].render(tag='b', style="color:red;") }}
   </a>
   </span>
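Review bot: Both anchors keep `href=""`, and the `onclick="javascript:return false;"` that stopped that empty href from reloading the page is removed on the two `+` lines with nothing replacing it; unless the existing `.js-vote-up`/`.js-vote-down` click handlers already call `e.preventDefault()` or return false, a vote click now navigates to the current URL and abandons the vote request. Either confirm those handlers prevent the default, or drop the `href` attribute so the anchor has no navigation to suppress. The vote handlers themselves are not in this hunk.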
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
index 5323bb1da..c98cf6a7b 100644
--- a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
@@ -68,7 +68,7 @@
           {% set admin_menu = c.app.admin_menu() %}
         {% endif %}
         {% if admin_menu %}
-          <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;'
+          <a id='sidebar-admin-header'
              href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}>
             {{sidebar_item(c.app.admin_menu_collapse_button)}}
           </a>
diff --git a/Allura/development.ini b/Allura/development.ini
index d6ac0c80b..3b41bdf65 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -683,6 +683,9 @@ csp.form_action_urls = 'self'
 csp.script_src = 'self' www.google-analytics.com
 csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
 
+; to enable enforce mode on script-src-attr
+;csp.script_src_attr_enforce = true
+csp.script_src_attr = 'self'
 ;
 ; Settings for comment reactions
 ;
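Review bot: The new `csp.script_src_attr = 'self'` needs a comment saying what it is meant to achieve: `'self'` is a host-source expression and cannot match an inline event handler, so for `script-src-attr` it behaves like `'none'` — every remaining `onclick=`/`onkeyup=` is reported, or blocked once the commented `csp.script_src_attr_enforce = true` is enabled, and the `'unsafe-inline'` still listed in `csp.script_src.extras` two lines above does not override it because `script-src-attr` takes precedence for attributes. Something like `; script-src-attr: 'self' matches no inline handler, so all on*= attributes are reported (or blocked in enforce mode)` makes that explicit; `'none'` would say the same thing more directly. The key naming also drifts between `csp.script_src.extras` and `csp.script_src_attr`.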
diff --git a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
index fc72f790e..ddfad95c5 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
@@ -89,7 +89,7 @@
         <td>{{lib.post_summary(forum.last_post)}}</td>
         <td>
           <input name="{{'forum-%s.id' % loop.index0}}" type="hidden" value="{{forum._id}}"/>
-          <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" value="Delete" onclick="return confirm('Really delete this forum?');" /><br/>
+          <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" class="delete-forum" value="Delete" /><br/>
         </td>
       </tr>
       {% endfor %}
@@ -115,5 +115,10 @@
         return false;
       });
     });
+    $('.delete-forum').each(function(el, index){
+        $(this).on('click', function(e){
+            return confirm('Really delete this forum?');
+        })
+    })
   </script>
 {% endblock %}
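Review bot: The `.each(function(el, index){ $(this).on('click', …) })` wrapper on the new lines is redundant — jQuery's `.on()` already binds to every matched element — and the callback parameters are named in the wrong order (jQuery passes `(index, element)`), which is harmless only because they are unused. `$('.delete-forum').on('click', function(){ return confirm('Really delete this forum?'); });` does the same in one statement. The same `.each`-then-`.on` shape recurs in `setupRatingEvent` in `common_feedback.html` and three times in `files.html`. The enclosing `<script>` starts outside the hunk.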
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
index 6bd6634a2..5cb838e26 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
@@ -22,7 +22,7 @@
 
 <!-- macro for feedback textarea -->
 {% macro feed_textarea(name='description',id='description',placeholder='',description='') %}
-<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 onkeyup="manage()" placeholder="{{placeholder}}">{{description}}</textarea>
+<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 placeholder="{{placeholder}}">{{description}}</textarea>
 {% endmacro %}
 
 <!-- macro for feedback alert message -->
@@ -60,10 +60,13 @@ function manage()
 </script>
 
 <script>
+    $("#description").on('keyup', function(e){
+        manage()
+    })
     $('#feedback_form').submit(function(event){
     event.preventDefault();
     var description = $("#description").val();
-    
+
     $.ajax({
         context: this,
         url:'{{url}}feedback_check',
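Review bot: The keyup handler is now bound to the hard-coded `$("#description")`, but the `feed_textarea` macro changed in the first hunk takes an `id` parameter (default `'description'`), so any caller that passes a different id silently loses the `manage()` call the removed `onkeyup` gave every instance. Binding by a class on the textarea keeps the macro's contract, e.g. `class="textbox feedback-description"` in the macro and `$('.feedback-description').on('keyup', manage);` here. The `#feedback_form` submit handler continues outside the hunk.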
@@ -83,6 +86,14 @@ function manage()
         
     });
 });
+
+    function setupRatingEvent(){
+        $('.rating > input').each(function(el,index){
+            $(this).on('click', function(e){
+                manage();
+            })
+        })
+    }
 </script>
 
 {% endmacro %}
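Review bot: `setupRatingEvent` exists only so that `edit_feedback.html` and `new_feedback.html` can call it from their `extra_js` blocks, yet this script already runs inside the same `profanity_scripts` macro, which those templates invoke from `extra_js` after the rating fieldset is rendered; `$('.rating > input').on('click', manage);` directly in this script would remove the function and both added `<script>setupRatingEvent()</script>` blocks. If the macro can be rendered before the fieldset on some page, keep the function but say so in a comment above it. The macro starts outside the hunk.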
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
index bf6ec7548..ff3d29489 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
@@ -51,11 +51,11 @@ p {
         <div class="col-75">
 <fieldset class="rating">
     
-    <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} onclick="manage()" /><label for="star5" title="Excellent"></label>
-    <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} onclick="manage()" /><label for="star4" title="Great"></label>
-    <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} onclick="manage()" /><label for="star3" title="Good"></label>
-    <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} onclick="manage()" /><label for="star2" title="Average"></label>
-    <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} onclick="manage()" /><label for="star1" title="Poor"></label>
+    <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} /><label for="star5" title="Excellent"></label>
+    <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} /><label for="star4" title="Great"></label>
+    <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} /><label for="star3" title="Good"></label>
+    <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} /><label for="star2" title="Average"></label>
+    <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} /><label for="star1" title="Poor"></label>
     
 </fieldset>
 </div>
@@ -79,6 +79,9 @@ p {
 {% block extra_js %}
 <!-- profanity script's macro -->
     {{ common_feed.profanity_scripts(url=c.app.url) }}
+     <script>
+        setupRatingEvent()
+    </script>
 {% endblock %}
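Review bot: The opening `<script>` on the first added line is indented five spaces while its `</script>` and the call inside use four; align it as `    <script>`, which is how the matching block in `new_feedback.html` is written. A terminating semicolon on `setupRatingEvent();` would match the existing handlers in these templates. Both points are style only.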
 
 
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
index bf93b3bb5..f8d87d7b5 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
@@ -48,11 +48,11 @@ p {
 	</div>
         <div class="col-75">
           <fieldset class="rating" id="sar">
-              <input type="radio" id="star5" name="rating" value="5" onclick="manage()" /><label for="star5" title="Excellent">5 stars</label>
-              <input type="radio" id="star4" name="rating" value="4" onclick="manage()" /><label for="star4" title="Great">4 stars</label>
-              <input type="radio" id="star3" name="rating" value="3" onclick="manage()" /><label for="star3" title="Good">3 stars</label>
-              <input type="radio" id="star2" name="rating" value="2" onclick="manage()" /><label for="star2" title="Average">2 stars</label>
-              <input type="radio" id="star1" name="rating" value="1" onclick="manage()" /><label for="star1" title="Poor">1 star</label>
+              <input type="radio" id="star5" name="rating" value="5" /><label for="star5" title="Excellent">5 stars</label>
+              <input type="radio" id="star4" name="rating" value="4" /><label for="star4" title="Great">4 stars</label>
+              <input type="radio" id="star3" name="rating" value="3" /><label for="star3" title="Good">3 stars</label>
+              <input type="radio" id="star2" name="rating" value="2" /><label for="star2" title="Average">2 stars</label>
+              <input type="radio" id="star1" name="rating" value="1" /><label for="star1" title="Poor">1 star</label>
           </fieldset>
         </div>
     </div>
@@ -68,10 +68,12 @@ p {
 </div>
 {% endblock %}
 
-
 {% block extra_js %}
 <!-- profanity script's macro -->
     {{ common_feed.profanity_scripts(url=c.app.url) }}
+    <script>
+        setupRatingEvent()
+    </script>
 {% endblock %}
 
 
diff --git a/ForgeFiles/forgefiles/templates/files.html b/ForgeFiles/forgefiles/templates/files.html
index af002b947..064be02eb 100755
--- a/ForgeFiles/forgefiles/templates/files.html
+++ b/ForgeFiles/forgefiles/templates/files.html
@@ -117,7 +117,7 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
                          <a data-toggle="tooltip " {% if not folder.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{folder._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal'></i></a>
 
 
-                         <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFolder('{{ folder._id }}', '{{folder.disabled}}', '{{folder.parent_folder.disabled}}','{{c.app.url}}disable_folder')" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
+                         <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-folder" data-folder-id="{{ folder._id }}" data-folder-disabled="{{folder.disabled}}" data-folder-parent-disabled="{{folder.parent_folder.disabled}}" data-folder-disable-url="{{c.app.url}}disable_folder" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
 
 
                      </div>
@@ -144,12 +144,12 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
                 {% if h.has_access(c.project, 'admin')() %}
                  <td>
                      <div class="file_actions">
-                         <a data-toggle="tooltip" {% if not file.disabled  %}  href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon" onclick="ConfirmLinkFile('{{ file._id }}', '{{ file.linked_to_download }}', '{{c.app.url}}link_file')" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a>
+                         <a data-toggle="tooltip" {% if not file.disabled  %}  href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon confirm-link-file" data-file-id="{{ file._id }}" data-linked-download="{{ file.linked_to_download }}" data-linked-url="{{c.app.url}}link_file" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a>
                          <a data-toggle="tooltip " {% if not file.disabled %} class="edit_icon admin_modal" href="{{c.app.url}}get_editable_object?object_id={{file._id}}" title="Edit" {% else %} class="disable_object" {% endif %}><i class="fa fa-edit" data-toggle='modal' ></i></a>
 
                          <a data-toggle="tooltip " {% if not file.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{file._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal' {% if not file.disabled %} {% endif %} ></i></a>
 
-                         <a href="#" data-toggle="tooltip" {% if file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFile('{{ file._id }}', '{{file.disabled}}', '{{file.parent_folder.disabled}}','{{c.app.url}}disable_file')" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
+                         <a href="#" data-toggle="tooltip" {% if file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-file" data-file-id="{{ file._id }}" data-file-disabled="{{file.disabled}}" data-file-parent-folder-disabled="parent_folder.disabled" data-file-url="{{c.app.url}}disable_file" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
 
                      </div>
                  </td>
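Review bot: `data-file-parent-folder-disabled="parent_folder.disabled"` on the second `+` line is a literal string — the Jinja braces were lost — whereas the removed `onclick` passed `'{{file.parent_folder.disabled}}'`, so `ConfirmDisableFile` now always receives the text `parent_folder.disabled` as its third argument. It should read `data-file-parent-folder-disabled="{{file.parent_folder.disabled}}"`. The folder counterpart in the previous hunk renders the value correctly. The enclosing `{% if h.has_access(c.project, 'admin')() %}` block ends outside the hunk.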
@@ -185,6 +185,34 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
 {% block extra_js %}
 
 <script type="text/javascript" src="{{g.app_static('js/files.js')}}"></script>
+<script>
+$('.confirm-disable-folder').each(function(el,index){
+    $(this).on('click', function(e){
+        var folder_id = $(this).data('folder-id');
+        var folder_disabled = $(this).data('folder-disabled');
+        var folder_parent_disabled = $(this).data('folder-parent-disabled');
+        var folder_disable_url = $(this).data('folder-disable-url');
+        ConfirmDisableFolder(folder_id, folder_disabled, folder_parent_disabled, folder_disable_url);
+    });
+});
+$('.confirm-link-file').each(function(el, index){
+    $(this).on('click', function(e){
+        var file_id = $(this).data('file-id');
+        var linked_download = $(this).data('linked-download');
+        var linked_url = $(this).data('linked-url');
+        ConfirmLinkFile(file_id,linked_download, linked_url);
+    });
+});
+$('.confirm-disable-file').each(function(el,index){
+    $(this).on('click', function(e){
+        var file_id = $(this).data('file-id');
+        var file_disabled = $(this).data('file-disabled');
+        var file_parent_folder_disabled = $(this).data('file-parent-folder-disabled');
+        var file_url = $(this).data('file-url');
+        ConfirmDisableFile(file_id, file_disabled, file_parent_folder_disabled, file_url);
+    });
+});
+</script>
 
 {% endblock %}
 
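Review bot: The three handlers read every attribute through `.data()`, which converts values that look like `true`/`false`, numbers or JSON before returning them, whereas the removed `onclick` calls passed the rendered text verbatim; if `ConfirmDisableFolder`/`ConfirmLinkFile`/`ConfirmDisableFile` in `files.js` compare their arguments as strings, `$(this).attr('data-folder-id')` and friends are the drop-in equivalent with no coercion. Jinja renders Python booleans as `True`/`False`, which jQuery leaves untouched today, so the difference only bites if the rendering ever changes. None of the handlers prevents the default on `href="#"`, which matches the old behaviour but is the natural moment to add `e.preventDefault();` if the jump-to-top is unwanted. `files.js` itself is not in this commit.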
diff --git a/ForgeSVN/forgesvn/templates/svn/checkout_url.html b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
index ee06a632d..63a79a8d7 100644
--- a/ForgeSVN/forgesvn/templates/svn/checkout_url.html
+++ b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
@@ -47,7 +47,7 @@
   <hr>
   <div class="grid-13">&nbsp;</div>
   <div class="grid-13">
-    <input type="button" onclick="save_checkout_url()" value="Save">
+    <input type="button" id="save-checkout-url" value="Save">
     <a href="#" class="close">Cancel</a>
   </div>
   {% endif %}
@@ -65,6 +65,10 @@
             location.reload();
         });
     }
+    $('#save-checkout-url').on('click', function(e){
+        save_checkout_url();
+        e.preventDefault();
+    })
   </script>
 {% endif %}
 {% endblock %}
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
index e07cb372c..0e5120de8 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
@@ -43,7 +43,15 @@
     {% for b in buttons %}
       {{b.display()}}
     {% endfor %}
-    <a href="#" onclick="window.history.back(); return false;" class="close">Cancel</a>
+    <a href="#" id="tracker-options-cancel" class="close">Cancel</a>
   </div>
   {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>
+{% block extra_js %}
+<script>
+$('#tracker-options-cancel').on('click', function(e){
+    window.history.back();
+    e.preventDefault();
+})
+</script>
+{% endblock %}