Posted to commits@allura.apache.org by gc...@apache.org on 2023/03/14 17:48:26 UTC
[allura] 01/01: [#8504] added new csp into middleware and removed onclick inline events from html templates
This is an automated email from the ASF dual-hosted git repository.
gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git
commit 16b958f8ec09912b2ab70aaedd64db4f6edd76e6
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Tue Mar 14 12:48:08 2023 -0500
[#8504] added new csp into middleware and removed onclick inline events from html templates
---
.../templates/sections/projects.html | 2 +-
.../user_profile/templates/sections/projects.html | 2 +-
Allura/allura/lib/custom_middleware.py | 6 ++++
.../templates/jinja_master/sidebar_menu.html | 2 +-
Allura/allura/templates/widgets/post_widget.html | 10 ++++++-
Allura/allura/templates/widgets/vote.html | 4 +--
.../jinja_master/sidebar_menu.html | 2 +-
Allura/development.ini | 3 ++
.../templates/discussionforums/admin_forums.html | 7 ++++-
.../templates/feedback/common_feedback.html | 15 ++++++++--
.../templates/feedback/edit_feedback.html | 13 +++++----
.../templates/feedback/new_feedback.html | 14 +++++----
ForgeFiles/forgefiles/templates/files.html | 34 ++++++++++++++++++++--
ForgeSVN/forgesvn/templates/svn/checkout_url.html | 6 +++-
.../templates/tracker_widgets/options_admin.html | 10 ++++++-
15 files changed, 104 insertions(+), 26 deletions(-)
diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index 5616ce096..bd6b799ab 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -58,7 +58,7 @@
</ul>
{% if projects|length > 5 %}
<div class="show-more-projects">
- <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()">
+ <button id="show-more-profile-projects">
{{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }}
</button>
</div>
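Review bot: The inline handler on the Show More button is removed, but nothing in this commit binds a click handler to `#show-more-profile-projects`, so unless a JS file outside the diff does, the button no longer reveals the hidden projects. The old handler relied on `$(this)` to reach the enclosing `.section-body`; the replacement should keep that, e.g. `$('#show-more-profile-projects').on('click', function(){ $(this).hide().closest('.section-body').find('li.hidden').show(); });`. A class instead of an id would let one handler serve both the dashboard and the user-profile copies of this template.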
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html
index 00e789b19..90acd3822 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -58,7 +58,7 @@
</ul>
{% if projects|length > 5 %}
<div class="show-more-projects">
- <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()">
+ <button id="show-more-profile-projects">
{{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }}
</button>
</div>
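Review bot: This repeats the personal_dashboard change and carries the same gap: no script in the commit attaches a handler to `#show-more-profile-projects`, so the button is inert unless a shared script outside the diff binds it. Both templates now emit the identical id, so a single class-based handler in a shared JS file would be preferable to two id bindings; confirm both pages load whichever script provides it.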
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 72fd7677f..4d8e51c56 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -514,6 +514,12 @@ class ContentSecurityPolicyMiddleware:
else:
report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
+ if self.config.get('csp.script_src_attr'):
+ if asbool(self.config.get('csp.script_src_attr_enforce', False)):
+ rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+ else:
+ report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+
rules.add("object-src 'none'")
rules.add("frame-ancestors 'self'")
if rules:
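Review bot: `script-src-attr` only narrows the policy in browsers that implement it; others fall back to `script-src`, which on the line above still appends `csp.script_src.extras` (set to `'unsafe-inline'` in the shipped development.ini), so inline event handlers stay permitted there, and by default this rule lands in the report-only set anyway. A comment above the new `if` would save the next reader from over-trusting it: `# script-src-attr is CSP3; browsers without it fall back to script-src, so this only hardens once 'unsafe-inline' leaves csp.script_src.extras`. Reading the value once, `attr_src = self.config.get('csp.script_src_attr')`, also avoids three config lookups for one setting. The enclosing method starts and ends outside the hunk.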
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html
index e7ed0e797..2c4cc37d2 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -68,7 +68,7 @@
{% set admin_menu = c.app.admin_menu() %}
{% endif %}
{% if admin_menu %}
- <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;'
+ <a id='sidebar-admin-header'
href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}>
{{sidebar_item(c.app.admin_menu_collapse_button)}}
</a>
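Review bot: The `onclick` that toggled `#sidebar-admin-menu` is deleted, but the commit adds no replacement binding for `#sidebar-admin-header`, so the admin menu cannot be expanded unless a script outside this diff handles it. The old handler also returned false; any replacement must call `e.preventDefault()` or the `href='#'` navigation jumps the page, e.g. `$('#sidebar-admin-header').on('click', function(e){ e.preventDefault(); $('#sidebar-admin-menu').toggleClass('hidden'); $(this).toggleClass('expanded'); });`.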
diff --git a/Allura/allura/templates/widgets/post_widget.html b/Allura/allura/templates/widgets/post_widget.html
index d986d5f5d..ef205bcba 100644
--- a/Allura/allura/templates/widgets/post_widget.html
+++ b/Allura/allura/templates/widgets/post_widget.html
@@ -133,7 +133,7 @@
<div class="attachment_toolbar">
<form method="POST" action="{{att.url()}}">
{% if can_moderate_post %}
- <a href="javascript: void(0)" onclick="$(this).closest('form').submit();" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
+ <a href="javascript: void(0)" id="remove-attachment" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only">
<span><i class="fa fa-trash-o" aria-hidden="true"></i></span>
</a>
{% endif %}
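Review bot: `id="remove-attachment"` sits inside the per-attachment toolbar (the `att` variable suggests a loop), so a post with several attachments renders duplicate ids; a class such as `class="... remove-attachment"` is the right hook. The `href="javascript: void(0)"` is also left in place, and `javascript:` URLs are governed by the inline-script rules of `script-src`, not by `script-src-attr`, so this link will be blocked once `'unsafe-inline'` is dropped — `href="#"` with `e.preventDefault()` in the handler avoids that.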
@@ -187,3 +187,11 @@
</ul>
</div>
</div>
+
+{% block extra_js %}
+<script>
+$('.attachment_toolbar #remove-attachment').on('click', function(e){
+ $(this).closest('form').submit();
+})
+</script>
+{% endblock %}
\ No newline at end of file
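Review bot: This script is emitted from inside the widget template, so if the widget renders more than once on a page the handler is bound once per copy and a single click submits the form repeatedly; the selector also targets an id that may be duplicated per attachment. A delegated, class-based binding registered once is safer: `$(document).on('click', '.attachment_toolbar .remove-attachment', function(e){ e.preventDefault(); $(this).closest('form').submit(); });`. The file also loses its trailing newline.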
diff --git a/Allura/allura/templates/widgets/vote.html b/Allura/allura/templates/widgets/vote.html
index 533ada519..3dc856bf3 100644
--- a/Allura/allura/templates/widgets/vote.html
+++ b/Allura/allura/templates/widgets/vote.html
@@ -24,10 +24,10 @@
{% if can_vote %}
<div id="vote" class="gray">
<span class="btn-set duo">
- <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}" onclick="javascript:return false;">
+ <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}">
{{ g.icons['vote_up'].render(tag='b', style="color:green;") }}
</a>
- <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}" onclick="javascript:return false;">
+ <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}">
{{ g.icons['vote_down'].render(tag='b', style="color:red;") }}
</a>
</span>
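Review bot: The removed `onclick="javascript:return false;"` was the only visible guard against following `href=""`, which reloads the current page; the `.js-vote-up`/`.js-vote-down` handlers live outside this diff, so confirm they call `e.preventDefault()` (or return false), otherwise the vote request is cut off by navigation. If they do not, `href="#"` plus preventDefault in the handler is the minimal fix.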
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
index 5323bb1da..c98cf6a7b 100644
--- a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html
@@ -68,7 +68,7 @@
{% set admin_menu = c.app.admin_menu() %}
{% endif %}
{% if admin_menu %}
- <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;'
+ <a id='sidebar-admin-header'
href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}>
{{sidebar_item(c.app.admin_menu_collapse_button)}}
</a>
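Review bot: Same as the non-responsive sidebar: the toggle logic is deleted and nothing in the commit re-attaches it to `#sidebar-admin-header`, so the admin menu is inert until a script outside the diff binds it. Whichever script does so should be shared by both sidebar templates and must prevent the default `href='#'` navigation.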
diff --git a/Allura/development.ini b/Allura/development.ini
index d6ac0c80b..3b41bdf65 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -683,6 +683,9 @@ csp.form_action_urls = 'self'
csp.script_src = 'self' www.google-analytics.com
csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
+; to enable enforce mode on script-src-attr
+;csp.script_src_attr_enforce = true
+csp.script_src_attr = 'self'
;
; Settings for comment reactions
;
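Review bot: `'self'` has no meaning for `script-src-attr`: that directive governs inline event handlers, which have no source URL, so host sources never match and the effective policy is already "no inline handlers". `csp.script_src_attr = 'none'` states that intent explicitly and keeps readers from assuming same-origin handlers are allowed. A comment noting that the rule only applies in browsers implementing CSP3 `script-src-attr`, and that `csp.script_src.extras` above still grants `'unsafe-inline'` elsewhere, would make the default's limits clear.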
diff --git a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
index fc72f790e..ddfad95c5 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
@@ -89,7 +89,7 @@
<td>{{lib.post_summary(forum.last_post)}}</td>
<td>
<input name="{{'forum-%s.id' % loop.index0}}" type="hidden" value="{{forum._id}}"/>
- <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" value="Delete" onclick="return confirm('Really delete this forum?');" /><br/>
+ <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" class="delete-forum" value="Delete" /><br/>
</td>
</tr>
{% endfor %}
@@ -115,5 +115,10 @@
return false;
});
});
+ $('.delete-forum').each(function(el, index){
+ $(this).on('click', function(e){
+ return confirm('Really delete this forum?');
+ })
+ })
</script>
{% endblock %}
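Review bot: The `.each` wrapper is unnecessary and its callback parameters are named in the wrong order (jQuery passes `(index, element)`); binding directly is shorter and equivalent: `$('.delete-forum').on('click', function(){ return confirm('Really delete this forum?'); });`. The enclosing `<script>` starts outside the hunk.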
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
index 6bd6634a2..5cb838e26 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html
@@ -22,7 +22,7 @@
<!-- macro for feedback textarea -->
{% macro feed_textarea(name='description',id='description',placeholder='',description='') %}
-<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 onkeyup="manage()" placeholder="{{placeholder}}">{{description}}</textarea>
+<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 placeholder="{{placeholder}}">{{description}}</textarea>
{% endmacro %}
<!-- macro for feedback alert message -->
@@ -60,10 +60,13 @@ function manage()
</script>
<script>
+ $("#description").on('keyup', function(e){
+ manage()
+ })
$('#feedback_form').submit(function(event){
event.preventDefault();
var description = $("#description").val();
-
+
$.ajax({
context: this,
url:'{{url}}feedback_check',
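Review bot: The keyup binding hardcodes `#description`, but the `feed_textarea` macro takes an `id` parameter, so a caller that passes a different id now gets a textarea with no handler where the old `onkeyup` attribute always worked. If `.textbox` is specific to this macro, `$('.textbox').on('keyup', manage)` follows the element rather than its id. `manage` is defined earlier in this script block, outside the hunk.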
@@ -83,6 +86,14 @@ function manage()
});
});
+
+ function setupRatingEvent(){
+ $('.rating > input').each(function(el,index){
+ $(this).on('click', function(e){
+ manage();
+ })
+ })
+ }
</script>
{% endmacro %}
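Review bot: `setupRatingEvent` only takes effect when each page remembers to call it after the macro; since the macro already binds other events at load, calling it at the end of the macro — or simply `$('.rating > input').on('click', manage);` — removes that coupling. The `.each` wrapper adds nothing and names its arguments in the wrong order (`index, element`). The macro begins outside the hunk.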
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
index bf6ec7548..ff3d29489 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html
@@ -51,11 +51,11 @@ p {
<div class="col-75">
<fieldset class="rating">
- <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} onclick="manage()" /><label for="star5" title="Excellent"></label>
- <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} onclick="manage()" /><label for="star4" title="Great"></label>
- <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} onclick="manage()" /><label for="star3" title="Good"></label>
- <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} onclick="manage()" /><label for="star2" title="Average"></label>
- <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} onclick="manage()" /><label for="star1" title="Poor"></label>
+ <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} /><label for="star5" title="Excellent"></label>
+ <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} /><label for="star4" title="Great"></label>
+ <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} /><label for="star3" title="Good"></label>
+ <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} /><label for="star2" title="Average"></label>
+ <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} /><label for="star1" title="Poor"></label>
</fieldset>
</div>
@@ -79,6 +79,9 @@ p {
{% block extra_js %}
<!-- profanity script's macro -->
{{ common_feed.profanity_scripts(url=c.app.url) }}
+ <script>
+ setupRatingEvent()
+ </script>
{% endblock %}
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
index bf93b3bb5..f8d87d7b5 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html
@@ -48,11 +48,11 @@ p {
</div>
<div class="col-75">
<fieldset class="rating" id="sar">
- <input type="radio" id="star5" name="rating" value="5" onclick="manage()" /><label for="star5" title="Excellent">5 stars</label>
- <input type="radio" id="star4" name="rating" value="4" onclick="manage()" /><label for="star4" title="Great">4 stars</label>
- <input type="radio" id="star3" name="rating" value="3" onclick="manage()" /><label for="star3" title="Good">3 stars</label>
- <input type="radio" id="star2" name="rating" value="2" onclick="manage()" /><label for="star2" title="Average">2 stars</label>
- <input type="radio" id="star1" name="rating" value="1" onclick="manage()" /><label for="star1" title="Poor">1 star</label>
+ <input type="radio" id="star5" name="rating" value="5" /><label for="star5" title="Excellent">5 stars</label>
+ <input type="radio" id="star4" name="rating" value="4" /><label for="star4" title="Great">4 stars</label>
+ <input type="radio" id="star3" name="rating" value="3" /><label for="star3" title="Good">3 stars</label>
+ <input type="radio" id="star2" name="rating" value="2" /><label for="star2" title="Average">2 stars</label>
+ <input type="radio" id="star1" name="rating" value="1" /><label for="star1" title="Poor">1 star</label>
</fieldset>
</div>
</div>
@@ -68,10 +68,12 @@ p {
</div>
{% endblock %}
-
{% block extra_js %}
<!-- profanity script's macro -->
{{ common_feed.profanity_scripts(url=c.app.url) }}
+ <script>
+ setupRatingEvent()
+ </script>
{% endblock %}
diff --git a/ForgeFiles/forgefiles/templates/files.html b/ForgeFiles/forgefiles/templates/files.html
index af002b947..064be02eb 100755
--- a/ForgeFiles/forgefiles/templates/files.html
+++ b/ForgeFiles/forgefiles/templates/files.html
@@ -117,7 +117,7 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
<a data-toggle="tooltip " {% if not folder.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{folder._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal'></i></a>
- <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFolder('{{ folder._id }}', '{{folder.disabled}}', '{{folder.parent_folder.disabled}}','{{c.app.url}}disable_folder')" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
+ <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-folder" data-folder-id="{{ folder._id }}" data-folder-disabled="{{folder.disabled}}" data-folder-parent-disabled="{{folder.parent_folder.disabled}}" data-folder-disable-url="{{c.app.url}}disable_folder" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
</div>
@@ -144,12 +144,12 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
{% if h.has_access(c.project, 'admin')() %}
<td>
<div class="file_actions">
- <a data-toggle="tooltip" {% if not file.disabled %} href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon" onclick="ConfirmLinkFile('{{ file._id }}', '{{ file.linked_to_download }}', '{{c.app.url}}link_file')" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a>
+ <a data-toggle="tooltip" {% if not file.disabled %} href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon confirm-link-file" data-file-id="{{ file._id }}" data-linked-download="{{ file.linked_to_download }}" data-linked-url="{{c.app.url}}link_file" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a>
<a data-toggle="tooltip " {% if not file.disabled %} class="edit_icon admin_modal" href="{{c.app.url}}get_editable_object?object_id={{file._id}}" title="Edit" {% else %} class="disable_object" {% endif %}><i class="fa fa-edit" data-toggle='modal' ></i></a>
<a data-toggle="tooltip " {% if not file.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{file._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal' {% if not file.disabled %} {% endif %} ></i></a>
- <a href="#" data-toggle="tooltip" {% if file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFile('{{ file._id }}', '{{file.disabled}}', '{{file.parent_folder.disabled}}','{{c.app.url}}disable_file')" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
+ <a href="#" data-toggle="tooltip" {% if file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-file" data-file-id="{{ file._id }}" data-file-disabled="{{file.disabled}}" data-file-parent-folder-disabled="parent_folder.disabled" data-file-url="{{c.app.url}}disable_file" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a>
</div>
</td>
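Review bot: `data-file-parent-folder-disabled="parent_folder.disabled"` is missing its template braces — the attribute renders as the literal text `parent_folder.disabled`, whereas the removed inline call passed `'{{file.parent_folder.disabled}}'`, so `ConfirmDisableFile` now receives a constant instead of the parent folder's state. It should read `data-file-parent-folder-disabled="{{file.parent_folder.disabled}}"`.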
@@ -185,6 +185,34 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e
{% block extra_js %}
<script type="text/javascript" src="{{g.app_static('js/files.js')}}"></script>
+<script>
+$('.confirm-disable-folder').each(function(el,index){
+ $(this).on('click', function(e){
+ var folder_id = $(this).data('folder-id');
+ var folder_disabled = $(this).data('folder-disabled');
+ var folder_parent_disabled = $(this).data('folder-parent-disabled');
+ var folder_disable_url = $(this).data('folder-disable-url');
+ ConfirmDisableFolder(folder_id, folder_disabled, folder_parent_disabled, folder_disable_url);
+ });
+});
+$('.confirm-link-file').each(function(el, index){
+ $(this).on('click', function(e){
+ var file_id = $(this).data('file-id');
+ var linked_download = $(this).data('linked-download');
+ var linked_url = $(this).data('linked-url');
+ ConfirmLinkFile(file_id,linked_download, linked_url);
+ });
+});
+$('.confirm-disable-file').each(function(el,index){
+ $(this).on('click', function(e){
+ var file_id = $(this).data('file-id');
+ var file_disabled = $(this).data('file-disabled');
+ var file_parent_folder_disabled = $(this).data('file-parent-folder-disabled');
+ var file_url = $(this).data('file-url');
+ ConfirmDisableFile(file_id, file_disabled, file_parent_folder_disabled, file_url);
+ });
+});
+</script>
{% endblock %}
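Review bot: `.data()` applies jQuery's type coercion, so values the inline calls used to pass as quoted strings may now arrive as booleans or numbers; the Jinja booleans render as `True`/`False`, which jQuery leaves as strings, but the `Confirm*` functions in files.js (outside this diff) should be checked against that. Reading with `.attr('data-folder-disabled')` keeps the original string semantics exactly. The three `.each` wrappers can be dropped in favor of `$('.confirm-disable-folder').on('click', ...)`, and since these are `href="#"` links an `e.preventDefault()` would stop the page jumping to the top on click (the old handlers did not either, so that is pre-existing).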
diff --git a/ForgeSVN/forgesvn/templates/svn/checkout_url.html b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
index ee06a632d..63a79a8d7 100644
--- a/ForgeSVN/forgesvn/templates/svn/checkout_url.html
+++ b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
@@ -47,7 +47,7 @@
<hr>
<div class="grid-13"> </div>
<div class="grid-13">
- <input type="button" onclick="save_checkout_url()" value="Save">
+ <input type="button" id="save-checkout-url" value="Save">
<a href="#" class="close">Cancel</a>
</div>
{% endif %}
@@ -65,6 +65,10 @@
location.reload();
});
}
+ $('#save-checkout-url').on('click', function(e){
+ save_checkout_url();
+ e.preventDefault();
+ })
</script>
{% endif %}
{% endblock %}
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
index e07cb372c..0e5120de8 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
@@ -43,7 +43,15 @@
{% for b in buttons %}
{{b.display()}}
{% endfor %}
- <a href="#" onclick="window.history.back(); return false;" class="close">Cancel</a>
+ <a href="#" id="tracker-options-cancel" class="close">Cancel</a>
</div>
{% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
</form>
+{% block extra_js %}
+<script>
+$('#tracker-options-cancel').on('click', function(e){
+ window.history.back();
+ e.preventDefault();
+})
+</script>
+{% endblock %}
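Review bot: `{% block extra_js %}` is declared in a widget template that, as far as the hunk shows, does not `extends` a layout, so the block just renders inline here; that works, but it is misleading next to the page templates where the same block name is overridden, and a plain `<script>` tag would be clearer. Note also that the old `return false` stopped propagation while `e.preventDefault()` does not; that only matters if an ancestor listens for clicks, which is not visible here.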