Posted to commits@allura.apache.org by gc...@apache.org on 2023/03/17 23:42:35 UTC

[allura] branch gc/8504 updated (16b958f8e -> 40cda255b)

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a change to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git


    from 16b958f8e [#8504] added new csp into middleware and removed onclick inline events from html templates
     new afc0868b8 [#8504] added 'report-sample' to report rules
     new 40cda255b [#8504] removed more inline events

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Allura/allura/lib/custom_middleware.py              |  8 ++++----
 .../templates/neighborhood_admin_accolades.html     | 21 +++++++++++++++++++--
 Allura/allura/templates/repo/merge_request.html     | 12 ++++++++++--
 Allura/allura/templates/widgets/attachment_add.html |  9 ++++++++-
 .../allura/templates/widgets/attachment_list.html   | 14 ++++++++++++--
 Allura/development.ini                              |  2 +-
 .../forgetracker/widgets/admin_custom_fields.py     |  5 +++--
 7 files changed, 57 insertions(+), 14 deletions(-)


[allura] 02/02: [#8504] removed more inline events

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 40cda255bea7858fe387978bbce79c7ca004a34d
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri Mar 17 18:42:21 2023 -0500

    [#8504] removed more inline events
---
 .../templates/neighborhood_admin_accolades.html     | 21 +++++++++++++++++++--
 Allura/allura/templates/repo/merge_request.html     | 12 ++++++++++--
 Allura/allura/templates/widgets/attachment_add.html |  9 ++++++++-
 .../allura/templates/widgets/attachment_list.html   | 14 ++++++++++++--
 .../forgetracker/widgets/admin_custom_fields.py     |  5 +++--
 5 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/Allura/allura/templates/neighborhood_admin_accolades.html b/Allura/allura/templates/neighborhood_admin_accolades.html
index 40b5bec76..74f89e0f2 100644
--- a/Allura/allura/templates/neighborhood_admin_accolades.html
+++ b/Allura/allura/templates/neighborhood_admin_accolades.html
@@ -47,7 +47,7 @@
                       <td><a href="{{award.longurl()}}">{{award.short}}</a></td>
                       <td>{{award.full}}</td>
                       <td>
-                        <form action="{{award.longurl()}}/delete" method="post" onsubmit="return confirm('Continue to delete this award?');">
+                        <form action="{{award.longurl()}}/delete" method="post" class="delete-accolades" >
                           <input type="submit" value="Delete"/>
                           {{lib.csrf_token()}}
                         </form>
@@ -126,7 +126,7 @@
                       <td>{{grant.comment}}</td>
                       <td>
                         {% if grant.granted_to_project %}
-                        <form action="{{grant.longurl()}}/revoke" method="post" onsubmit="return confirm('Continue to revoke this award?');">
+                        <form action="{{grant.longurl()}}/revoke" method="post" class="revoke-award">
                           <input type="submit" value="Revoke"/>
                           {{lib.csrf_token()}}
                         </form>
@@ -139,3 +139,20 @@
           </p>
           {% endif %}
 {% endblock %}
+
+{% block extra_js %}
+    <script>
+    $('.delete-accolades, .revoke-award').each(function(el,index){
+        $(this).on('submit', function(e){
+            e.preventDefault();
+            if ($(this).attr('class') === 'delete-accolades') {
+                return confirm('Continue to delete this award?');
+            }
+            if ($(this).attr('class') === 'revoke-award') {
+                return confirm('Continue to revoke this award?');
+            }
+            }
+        })
+    })
+    </script>
+{% endblock %}
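Review bot: The submit handler in this hunk cannot run as written: the lone `}` after the second `if` block is one closing brace too many, so the `})` / `})` that follow close `.on(` and `.each(` out of order, the whole script block fails to parse, and the delete/revoke forms now submit with no confirmation at all. Even with the brace removed, the unconditional `e.preventDefault()` cancels the submission no matter what `confirm()` returns, so the forms could never be submitted; in jQuery a handler only needs to return `false` (what `confirm()` yields on cancel) to block the submit. The `.each()` wrapper is redundant because `.on()` already binds to every element of the selection, and comparing `attr('class')` to a whole string breaks as soon as a second class is added to the form; binding one handler per class avoids both. The same redundant `.each()` wrapper appears in the extra_js hunk of attachment_list.html.
```html
{% block extra_js %}
    <script>
    $('.delete-accolades').on('submit', function () {
        return confirm('Continue to delete this award?');
    });
    $('.revoke-award').on('submit', function () {
        return confirm('Continue to revoke this award?');
    });
    </script>
{% endblock %}
```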
diff --git a/Allura/allura/templates/repo/merge_request.html b/Allura/allura/templates/repo/merge_request.html
index 61a4de8e3..59168eefd 100644
--- a/Allura/allura/templates/repo/merge_request.html
+++ b/Allura/allura/templates/repo/merge_request.html
@@ -91,7 +91,7 @@ Merge Request #{{req.request_number}}: {{req.summary}} ({{req.status}})
 
     <div class="grid-19 merge-toolbar">
     {% if req.merge_allowed(c.user) %}
-        <form action="merge" method="POST" onsubmit="return confirm('Do you really want to Accept this Merge Request?');">
+        <form action="merge" method="POST" id="merge-accept">
           {{ lib.csrf_token() }}
           <button type="submit" id="merge-btn" {% if not can_merge or merge_status in ('ready', 'busy') %}disabled="disabled"{% endif %}>
             <i class="fa fa-code-fork fa-flip-vertical" aria-hidden="true"></i> Merge
@@ -100,7 +100,7 @@ Merge Request #{{req.request_number}}: {{req.summary}} ({{req.status}})
     {% endif %}
 
     {% if req.creator == c.user and req.status == "open" %}
-        <form action="save" method="POST" onsubmit="return confirm('Do you really want to Reject this Merge Request?');">
+        <form action="save" method="POST" id="merge-reject">
             {{ lib.csrf_token() }}
             <input type="hidden" value="rejected" name="status">
             <button type="submit" id="reject-btn" type="submit" >
@@ -297,5 +297,13 @@ $(function() {
       check_commits();
     {% endif %}
 });
+$('#merge-accept, #merge-reject').on('submit', function(e){
+    if ($(this).attr('id') === 'merge-accept'){
+        return confirm('Do you really want to Accept this Merge Request?');
+    }
+    if ($(this).attr('id') === 'merge-reject'){
+        return confirm('Do you really want to Reject this Merge Request?');
+    }
+})
 </script>
 {% endblock %}
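Review bot: The new `.on('submit', ...)` is bound outside the `$(function() { ... })` wrapper that ends just above it, so it only finds the two forms because this script sits after them in the page; binding inside the ready callback would remove that ordering dependency. Branching on `$(this).attr('id')` inside one handler is also heavier than needed, since `this.id` is already available and the two ids never share a message; two bindings read more plainly: `$('#merge-accept').on('submit', function () { return confirm('Do you really want to Accept this Merge Request?'); });` and the same for `#merge-reject`. The handler otherwise works: returning the `confirm()` result lets jQuery cancel the submit on `false` without a `preventDefault()`.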
diff --git a/Allura/allura/templates/widgets/attachment_add.html b/Allura/allura/templates/widgets/attachment_add.html
index cc8dbf7c6..b85289586 100644
--- a/Allura/allura/templates/widgets/attachment_add.html
+++ b/Allura/allura/templates/widgets/attachment_add.html
@@ -20,7 +20,6 @@
 <form method="post"
       id="attachment_form"
       action="{{action}}"
-      onsubmit="{{onsubmit}}"
       enctype="multipart/form-data">
       <a href="#" class="btn link attachment_form_add_button">Add attachments</a>
       <div class="attachment_form_fields" style="display:none">
@@ -29,3 +28,11 @@
       </div>
       {{lib.csrf_token()}}
 </form>
+
+{% block extra_js %}
+    <script>
+        $('#attachment_form').on('submit', function(e){
+            {{onsubmit}}
+        })
+    </script>
+{% endblock %}
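Review bot: `{{onsubmit}}` is now emitted inside a `<script>` body instead of an attribute value, which changes how its quotes are treated: if Jinja autoescaping is on for this template (verify for Allura's widget templates), a value such as `return confirm('...')` is written as `return confirm(&#39;...&#39;)`, and the browser does not decode entities inside script text, so the handler is a syntax error and the form submits with no confirmation — in the attribute the entities were decoded, so the old form worked. If the value is trusted template-side JS it needs `{{onsubmit|safe}}` here; a safer shape is to pass only a message string to the widget and call `confirm()` in the template, so no JavaScript is assembled from a widget parameter at all. The same `{{onsubmit}}`-inside-script pattern is in the extra_js hunk of attachment_list.html and needs the same treatment. An empty `onsubmit` yields an empty handler body, which is harmless.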
diff --git a/Allura/allura/templates/widgets/attachment_list.html b/Allura/allura/templates/widgets/attachment_list.html
index c992659fb..abb03dac1 100644
--- a/Allura/allura/templates/widgets/attachment_list.html
+++ b/Allura/allura/templates/widgets/attachment_list.html
@@ -30,7 +30,7 @@
             {{att.filename}}
             </a>
             {% if edit_mode %}
-            <form method="post" action="{{att.url()}}" onsubmit="{{onsubmit}}">
+            <form method="post" action="{{att.url()}}" class="attachment-image" >
               <input type="hidden" name="delete" value="True"/>
               <input type="submit" value="Delete File"/>
               {{lib.csrf_token()}}
@@ -42,7 +42,7 @@
     <div class="attachment_files">
     {% for att in attachments if not att.is_image() %}
       <div>
-        <form method="post" action="{{att.url()}}" onsubmit="{{onsubmit}}">
+        <form method="post" action="{{att.url()}}" class="attachment-file" >
           <a href="{{att.url()}}">{{att.filename}}</a>
           ({{att.length}} bytes)
           <input type="hidden" name="delete" value="True"/>
@@ -60,3 +60,13 @@
   {% endif %}
   <div style="clear:both"></div>
 </div>
+
+{% block extra_js %}
+    <script>
+    $('.attachment-image, .attachment-file').each(function(el,index){
+        $(this).on('submit', function(e){
+            {{onsubmit}}
+        })
+    })
+    </script>
+{% endblock %}
diff --git a/ForgeTracker/forgetracker/widgets/admin_custom_fields.py b/ForgeTracker/forgetracker/widgets/admin_custom_fields.py
index e0e761924..2f21a6a9b 100644
--- a/ForgeTracker/forgetracker/widgets/admin_custom_fields.py
+++ b/ForgeTracker/forgetracker/widgets/admin_custom_fields.py
@@ -122,8 +122,9 @@ class TrackerFieldAdmin(f.ForgeForm):
         save = ew.SubmitButton(label='Save')
         cancel = ew.SubmitButton(
             label="Cancel",
-            css_class='cancel', attrs=dict(
-                onclick='window.location.reload(); return false;'))
+            id='tracker-form-cancel',
+            css_class='tracker-form-cancel', attrs=dict(
+                ))
 
     def resources(self):
         yield from self.fields['custom_fields'].resources()
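Review bot: The Cancel button keeps `ew.SubmitButton` but loses its only behaviour: the removed `onclick` reloaded the page and returned `false`, and nothing in this commit binds `#tracker-form-cancel` (no JS file appears in the diffstat), so until that handler exists clicking Cancel submits the form — it saves instead of cancelling. The leftover `attrs=dict(` spread over two lines is an empty dict and can be dropped: `css_class='tracker-form-cancel')`. The replacement click handler belongs in a static script yielded from `resources()` (the method below, which continues past the hunk) so it is governed by `script-src` rather than `script-src-attr`. The enclosing `TrackerFieldAdmin` class starts before this hunk.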


[allura] 01/02: [#8504] added 'report-sample' to report rules

Posted by gc...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git

commit afc0868b8f1d67e0b21b927b51eb989677b908a9
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri Mar 17 15:27:53 2023 -0500

    [#8504] added 'report-sample' to report rules
---
 Allura/allura/lib/custom_middleware.py | 8 ++++----
 Allura/development.ini                 | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 4d8e51c56..1ca8accc5 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -488,7 +488,7 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.frame_sources_enforce', False)):
                 rules.add(f"frame-src {self.config['csp.frame_sources']}")
             else:
-                report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
+                report_rules.add(f"frame-src {self.config['csp.frame_sources']} 'report-sample'")
 
         if self.config.get('csp.form_action_urls'):
             srcs = self.config['csp.form_action_urls']
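Review bot: `'report-sample'` has a defined effect only in `script-src`, `style-src` and their `-elem`/`-attr` variants, where it asks the browser to include a short sample of the violating inline code in the violation report; appended to `frame-src` here (and to `form-action` in the next hunk) there is no inline sample to report, browsers ignore the keyword, and some log a console warning, so those two additions should be dropped. The additions to `script-src` and `script-src-attr` in the third hunk are the ones that carry the intended benefit. The enclosing method starts before this hunk.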
@@ -497,7 +497,7 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.form_actions_enforce', False)):
                 rules.add(f"form-action {srcs}")
             else:
-                report_rules.add(f"form-action {srcs}")
+                report_rules.add(f"form-action {srcs} 'report-sample'")
 
         if self.config.get('csp.script_src'):
             script_srcs = self.config['csp.script_src']
@@ -512,13 +512,13 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.script_src_enforce', False)):
                 rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
             else:
-                report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
+                report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')} 'report-sample'")
 
         if self.config.get('csp.script_src_attr'):
             if asbool(self.config.get('csp.script_src_attr_enforce', False)):
                 rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
             else:
-                report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+                report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')} 'report-sample'")
 
         rules.add("object-src 'none'")
         rules.add("frame-ancestors 'self'")
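Review bot: The `'report-sample'` literal is now pasted into four report-only branches that are otherwise copies of their enforce branches; a small helper such as `def _report(directive, srcs): report_rules.add(f"{directive} {srcs} 'report-sample'")` would keep the keyword in one place and make the enforce/report pairs read as one decision per directive. A comment is also worth adding where the keyword is introduced, along the lines of `# 'report-sample' puts a snippet of the blocked inline script into the violation report`, since the reports will now carry fragments of page content and whoever operates the report endpoint should know that. The enclosing method starts before this hunk.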
diff --git a/Allura/development.ini b/Allura/development.ini
index 3b41bdf65..b73c0173c 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -685,7 +685,7 @@ csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
 
 ; to enable enforce mode on script-src-attr
 ;csp.script_src_attr_enforce = true
-csp.script_src_attr = 'self'
+csp.script_src_attr = 'none'
 ;
 ; Settings for comment reactions
 ;
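Review bot: With `;csp.script_src_attr_enforce = true` still commented out two lines above, the new `'none'` value is only reported, not enforced, so the inline-handler removals elsewhere on this branch are not yet protected by it; a comment here would explain why `'none'` is the right value, e.g. `; inline event handlers have no origin for 'self' to match, so 'none' is the only meaningful value` placed above the setting. Whether enforce mode can be switched on depends on the remaining inline handlers being gone, which this diff does not show.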