This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch gc/8504 in repository https://gitbox.apache.org/repos/asf/allura.git
commit 16b958f8ec09912b2ab70aaedd64db4f6edd76e6 Author: Guillermo Cruz <[email protected]> AuthorDate: Tue Mar 14 12:48:08 2023 -0500 [#8504] added new csp into middleware and removed onclick inline events from html templates --- .../templates/sections/projects.html | 2 +- .../user_profile/templates/sections/projects.html | 2 +- Allura/allura/lib/custom_middleware.py | 6 ++++ .../templates/jinja_master/sidebar_menu.html | 2 +- Allura/allura/templates/widgets/post_widget.html | 10 ++++++- Allura/allura/templates/widgets/vote.html | 4 +-- .../jinja_master/sidebar_menu.html | 2 +- Allura/development.ini | 3 ++ .../templates/discussionforums/admin_forums.html | 7 ++++- .../templates/feedback/common_feedback.html | 15 ++++++++-- .../templates/feedback/edit_feedback.html | 13 +++++---- .../templates/feedback/new_feedback.html | 14 +++++---- ForgeFiles/forgefiles/templates/files.html | 34 ++++++++++++++++++++-- ForgeSVN/forgesvn/templates/svn/checkout_url.html | 6 +++- .../templates/tracker_widgets/options_admin.html | 10 ++++++- 15 files changed, 104 insertions(+), 26 deletions(-) diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html index 5616ce096..bd6b799ab 100644 --- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html +++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html @@ -58,7 +58,7 @@ </ul> {% if projects|length > 5 %} <div class="show-more-projects"> - <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()"> + <button id="show-more-profile-projects"> {{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }} </button> </div> diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html index 00e789b19..90acd3822 100644 --- a/Allura/allura/ext/user_profile/templates/sections/projects.html 
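Review bot: Nothing in this commit binds a click handler to the new `show-more-profile-projects` id — the diffstat touches no `.js` file and no `<script>` is added to this template — so unless a shared script already handles that id, dropping the `onclick` leaves the "Show More" button inert. Restore the behaviour next to the markup or in the page script, e.g. `$('#show-more-profile-projects').on('click', function(){ $(this).hide().closest('.section-body').find('li.hidden').show(); });`. The same id is also emitted by the user_profile template; that is only safe if the dashboard and profile project sections never render on one page — otherwise use a class.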
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html @@ -58,7 +58,7 @@ </ul> {% if projects|length > 5 %} <div class="show-more-projects"> - <button onclick="$(this).hide().closest('.section-body').find('li.hidden').show()"> + <button id="show-more-profile-projects"> {{ g.icons['add'].render(title='Show More', show_title=True, tag='b') }} </button> </div> diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py index 72fd7677f..4d8e51c56 100644 --- a/Allura/allura/lib/custom_middleware.py +++ b/Allura/allura/lib/custom_middleware.py @@ -514,6 +514,12 @@ class ContentSecurityPolicyMiddleware: else: report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}") + if self.config.get('csp.script_src_attr'): + if asbool(self.config.get('csp.script_src_attr_enforce', False)): + rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}") + else: + report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}") + rules.add("object-src 'none'") rules.add("frame-ancestors 'self'") if rules: diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html index e7ed0e797..2c4cc37d2 100644 --- a/Allura/allura/templates/jinja_master/sidebar_menu.html +++ b/Allura/allura/templates/jinja_master/sidebar_menu.html @@ -68,7 +68,7 @@ {% set admin_menu = c.app.admin_menu() %} {% endif %} {% if admin_menu %} - <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;' + <a id='sidebar-admin-header' href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}> {{sidebar_item(c.app.admin_menu_collapse_button)}} </a> diff --git a/Allura/allura/templates/widgets/post_widget.html b/Allura/allura/templates/widgets/post_widget.html index d986d5f5d..ef205bcba 100644 
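Review bot: The `onclick` is removed and `id="show-more-profile-projects"` added, but no handler for that id appears anywhere in the commit, so the button does nothing unless an existing shared script already binds it. The replacement is a one-liner, `$('#show-more-profile-projects').on('click', function(){ $(this).hide().closest('.section-body').find('li.hidden').show(); });`, and it should live in a script that is loaded wherever this section renders. Because personal_dashboard now emits the identical id, prefer a class if both sections can coexist on a page.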
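Review bot: The new `script-src-attr` branch needs a comment stating which values are meaningful, because the directive is easy to misconfigure and the value is emitted verbatim from config: an inline event handler attribute can never match `'self'` or a host source, so anything other than `'unsafe-inline'` (or `'unsafe-hashes'` with hashes) behaves as `'none'`, and the `'self'` shipped in development.ini is effectively `'none'`. Suggested comment above the `if`: `# script-src-attr covers inline event handlers only. When present it overrides script-src for them (so onclick= is reported/blocked even while script-src keeps 'unsafe-inline'); 'self'/host sources never match an attribute, so use 'none' or 'unsafe-inline'. Browsers without CSP3 -attr support ignore it and fall back to script-src.` The enclosing method of `ContentSecurityPolicyMiddleware` starts and ends outside this hunk, and whether `asbool` is already imported in this module is not visible here.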
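Review bot: The removed `onclick` toggled `#sidebar-admin-menu`'s `hidden` class and the header's `expanded` class, and nothing in this commit re-binds that to `#sidebar-admin-header` (no `.js` file is in the diffstat), so unless an existing script already handles it the admin menu can no longer be expanded or collapsed. Re-add it in a script block: `$('#sidebar-admin-header').on('click', function(e){ e.preventDefault(); $('#sidebar-admin-menu').toggleClass('hidden'); $(this).toggleClass('expanded'); });` — the `e.preventDefault()` stands in for the removed `return false`, so the new `href='#'` does not jump to the top of the page.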
--- a/Allura/allura/templates/widgets/post_widget.html +++ b/Allura/allura/templates/widgets/post_widget.html @@ -133,7 +133,7 @@ <div class="attachment_toolbar"> <form method="POST" action="{{att.url()}}"> {% if can_moderate_post %} - <a href="javascript: void(0)" onclick="$(this).closest('form').submit();" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only"> + <a href="javascript: void(0)" id="remove-attachment" title="Remove Attachment" class="btn ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only"> <span><i class="fa fa-trash-o" aria-hidden="true"></i></span> </a> {% endif %} @@ -187,3 +187,11 @@ </ul> </div> </div> + +{% block extra_js %} +<script> +$('.attachment_toolbar #remove-attachment').on('click', function(e){ + $(this).closest('form').submit(); +}) +</script> +{% endblock %} \ No newline at end of file diff --git a/Allura/allura/templates/widgets/vote.html b/Allura/allura/templates/widgets/vote.html index 533ada519..3dc856bf3 100644 --- a/Allura/allura/templates/widgets/vote.html +++ b/Allura/allura/templates/widgets/vote.html @@ -24,10 +24,10 @@ {% if can_vote %} <div id="vote" class="gray"> <span class="btn-set duo"> - <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}" onclick="javascript:return false;"> + <a href="" class="btn {% if voted == 1 %}active{% endif %} {% if can_vote %}js-vote-up{% endif %}"> {{ g.icons['vote_up'].render(tag='b', style="color:green;") }} </a> - <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}" onclick="javascript:return false;"> + <a href="" class="btn {% if voted == -1 %}active{% endif %} {% if can_vote %}js-vote-down{% endif %}"> {{ g.icons['vote_down'].render(tag='b', style="color:red;") }} </a> </span> 
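Review bot: `id="remove-attachment"` is emitted once per attachment (the toolbar sits inside a per-`att` form) and this widget renders once per post, so a thread with several attachments produces duplicate ids and one copy of the new `<script>` per post, each of which re-binds every earlier `.attachment_toolbar #remove-attachment` and can call `submit()` on the same form repeatedly. Use a class and bind once from the page-level script: `<a href="#" class="remove-attachment btn ...">` with `$(document).on('click', '.attachment_toolbar .remove-attachment', function(e){ e.preventDefault(); $(this).closest('form').submit(); });`. Keeping `href="javascript: void(0)"` is also worth revisiting: `javascript:` URLs are governed by `script-src`, not `script-src-attr`, so they keep working only because `csp.script_src.extras` still carries `'unsafe-inline'`. Whether this template extends a master that actually collects `extra_js` is not visible here; if it does not, the block tag is inert and the script simply renders inline.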
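Review bot: Dropping `onclick="javascript:return false;"` means a click now follows `href=""`, which resolves to the current page URL and reloads it, unless the `.js-vote-up` / `.js-vote-down` handlers (not in this diff) call `e.preventDefault()` or return false. Confirm they do; if not, add `e.preventDefault()` there, since otherwise the navigation can cancel the vote request before it completes. Changing the anchors to `href="#"` would at worst scroll rather than reload, but the handler-side guard is the real fix.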
diff --git a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html index 5323bb1da..c98cf6a7b 100644 --- a/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html +++ b/Allura/allura/templates_responsive/jinja_master/sidebar_menu.html @@ -68,7 +68,7 @@ {% set admin_menu = c.app.admin_menu() %} {% endif %} {% if admin_menu %} - <a id='sidebar-admin-header' onclick='$("#sidebar-admin-menu").toggleClass("hidden");$("#sidebar-admin-header").toggleClass("expanded");return false;' + <a id='sidebar-admin-header' href='#' {% if request.path.startswith(c.app.admin_url) %}class="expanded"{% endif %}> {{sidebar_item(c.app.admin_menu_collapse_button)}} </a> diff --git a/Allura/development.ini b/Allura/development.ini index d6ac0c80b..3b41bdf65 100644 --- a/Allura/development.ini +++ b/Allura/development.ini @@ -683,6 +683,9 @@ csp.form_action_urls = 'self' csp.script_src = 'self' www.google-analytics.com csp.script_src.extras = 'unsafe-inline' 'unsafe-eval' +; to enable enforce mode on script-src-attr +;csp.script_src_attr_enforce = true +csp.script_src_attr = 'self' ; ; Settings for comment reactions ; diff --git a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html index fc72f790e..ddfad95c5 100644 --- a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html +++ b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html 
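Review bot: As with the non-responsive sidebar, the toggle logic from the removed `onclick` is not re-attached anywhere in this commit, so `#sidebar-admin-header` becomes a dead link unless a shared script already binds it. The handler is short enough to live in the common sidebar script: `$('#sidebar-admin-header').on('click', function(e){ e.preventDefault(); $('#sidebar-admin-menu').toggleClass('hidden'); $(this).toggleClass('expanded'); });`. Both sidebar templates use the same id, so one binding serves both.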
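Review bot: `csp.script_src_attr = 'self'` is misleading: an inline event handler attribute never matches `'self'` or any host source, so this line behaves exactly like `csp.script_src_attr = 'none'`, which states the intent and should be used instead. A comment here should also record that the inline `<script>` blocks this commit introduces in place of `onclick=` are still inline scripts under `script-src` and keep working only because `csp.script_src.extras` retains `'unsafe-inline'`; removing that later requires nonces or hashes, which `script-src-attr` does not provide. Note too that with `csp.script_src_attr_enforce` left commented out the directive goes to the report-only branch, so none of the template changes are enforced by default.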
@@ -89,7 +89,7 @@ <td>{{lib.post_summary(forum.last_post)}}</td> <td> <input name="{{'forum-%s.id' % loop.index0}}" type="hidden" value="{{forum._id}}"/> - <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" value="Delete" onclick="return confirm('Really delete this forum?');" /><br/> + <input type="submit" name="{{'forum-%s.delete' % loop.index0}}" class="delete-forum" value="Delete" /><br/> </td> </tr> {% endfor %} @@ -115,5 +115,10 @@ return false; }); }); + $('.delete-forum').each(function(el, index){ + $(this).on('click', function(e){ + return confirm('Really delete this forum?'); + }) + }) </script> {% endblock %} diff --git a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html index 6bd6634a2..5cb838e26 100755 --- a/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html +++ b/ForgeFeedback/forgefeedback/templates/feedback/common_feedback.html @@ -22,7 +22,7 @@ <!-- macro for feedback textarea --> {% macro feed_textarea(name='description',id='description',placeholder='',description='') %} -<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 onkeyup="manage()" placeholder="{{placeholder}}">{{description}}</textarea> +<textarea class="textbox" name="{{name}}" id="{{id}}" maxlength=100 placeholder="{{placeholder}}">{{description}}</textarea> {% endmacro %} <!-- macro for feedback alert message --> @@ -60,10 +60,13 @@ function manage() </script> <script> + $("#description").on('keyup', function(e){ + manage() + }) $('#feedback_form').submit(function(event){ event.preventDefault(); var description = $("#description").val(); - + $.ajax({ context: this, url:'{{url}}feedback_check', @@ -83,6 +86,14 @@ function manage() }); }); + + function setupRatingEvent(){ + $('.rating > input').each(function(el,index){ + $(this).on('click', function(e){ + manage(); + }) + }) + } </script> {% endmacro %} 
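Review bot: The `.each` wrapper is unnecessary — `.on()` already binds every element in the collection — and the callback parameters are named `(el, index)` while jQuery passes `(index, element)`, which misleads the next reader even though neither is used. `$('.delete-forum').on('click', function(){ return confirm('Really delete this forum?'); });` does the same job, and returning false from a jQuery handler still cancels the submit as the old inline `return confirm(...)` did. Whether these lines sit inside a DOM-ready wrapper is not visible here; the `<script>` block and its earlier handlers start outside the hunk.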
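Review bot: The keyup binding hardcodes `$("#description")`, whereas the `feed_textarea` macro whose `onkeyup` it replaces takes `name`/`id` parameters (default `'description'`); any caller rendering the textarea under another id silently loses the `manage()` call. Bind by the class the macro always emits, `$('.textbox').on('keyup', function(){ manage(); });`, or pass the id into `profanity_scripts`. `setupRatingEvent` has the same redundant `.each((el,index))` shape seen elsewhere in the commit and can be `$('.rating > input').on('click', function(){ manage(); });`; and since every caller invokes it immediately after the macro, the macro could bind it directly, removing one inline `<script>` per template — relevant once `script-src` stops allowing `'unsafe-inline'`. The `profanity_scripts` macro body begins before this hunk.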
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html index bf6ec7548..ff3d29489 100755 --- a/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html +++ b/ForgeFeedback/forgefeedback/templates/feedback/edit_feedback.html 
@@ -51,11 +51,11 @@ p { <div class="col-75"> <fieldset class="rating"> - <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} onclick="manage()" /><label for="star5" title="Excellent"></label> - <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} onclick="manage()" /><label for="star4" title="Great"></label> - <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} onclick="manage()" /><label for="star3" title="Good"></label> - <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} onclick="manage()" /><label for="star2" title="Average"></label> - <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} onclick="manage()" /><label for="star1" title="Poor"></label> + <input type="radio" id="star5" name="rating" value="5" {% if rating == '5' %} checked="checked" {% endif %} /><label for="star5" title="Excellent"></label> + <input type="radio" id="star4" name="rating" value="4" {% if rating == '4' %} checked="checked" {% endif %} /><label for="star4" title="Great"></label> + <input type="radio" id="star3" name="rating" value="3" {% if rating == '3' %} checked="checked" {% endif %} /><label for="star3" title="Good"></label> + <input type="radio" id="star2" name="rating" value="2" {% if rating == '2' %} checked="checked" {% endif %} /><label for="star2" title="Average"></label> + <input type="radio" id="star1" name="rating" value="1" {% if rating == '1' %} checked="checked" {% endif %} /><label for="star1" title="Poor"></label> </fieldset> </div> @@ -79,6 +79,9 @@ p { {% block extra_js %} <!-- profanity script's macro --> {{ common_feed.profanity_scripts(url=c.app.url) }} + <script> + setupRatingEvent() + </script> {% endblock %} 
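Review bot: The new `<script>setupRatingEvent()</script>` is one more inline script to nonce or hash when `script-src` eventually drops `'unsafe-inline'`, and it duplicates the identical line added to new_feedback.html; since `profanity_scripts` already binds `#description` itself, having the macro bind `.rating > input` too (or call `setupRatingEvent()` at its end) removes both template-level scripts. The call runs at parse time, which works only if `extra_js` is rendered after the rating fieldset in the master template — not visible here, so worth confirming or wrapping in `$(function(){ setupRatingEvent(); })`.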
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html index bf93b3bb5..f8d87d7b5 100755 --- a/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html +++ b/ForgeFeedback/forgefeedback/templates/feedback/new_feedback.html @@ -48,11 +48,11 @@ p { </div> <div class="col-75"> <fieldset class="rating" id="sar"> - <input type="radio" id="star5" name="rating" value="5" onclick="manage()" /><label for="star5" title="Excellent">5 stars</label> - <input type="radio" id="star4" name="rating" value="4" onclick="manage()" /><label for="star4" title="Great">4 stars</label> - <input type="radio" id="star3" name="rating" value="3" onclick="manage()" /><label for="star3" title="Good">3 stars</label> - <input type="radio" id="star2" name="rating" value="2" onclick="manage()" /><label for="star2" title="Average">2 stars</label> - <input type="radio" id="star1" name="rating" value="1" onclick="manage()" /><label for="star1" title="Poor">1 star</label> + <input type="radio" id="star5" name="rating" value="5" /><label for="star5" title="Excellent">5 stars</label> + <input type="radio" id="star4" name="rating" value="4" /><label for="star4" title="Great">4 stars</label> + <input type="radio" id="star3" name="rating" value="3" /><label for="star3" title="Good">3 stars</label> + <input type="radio" id="star2" name="rating" value="2" /><label for="star2" title="Average">2 stars</label> + <input type="radio" id="star1" name="rating" value="1" /><label for="star1" title="Poor">1 star</label> </fieldset> </div> </div> @@ -68,10 +68,12 @@ p { </div> {% endblock %} - {% block extra_js %} <!-- profanity script's macro --> {{ common_feed.profanity_scripts(url=c.app.url) }} + <script> + setupRatingEvent() + </script> {% endblock %} diff --git a/ForgeFiles/forgefiles/templates/files.html b/ForgeFiles/forgefiles/templates/files.html index af002b947..064be02eb 100755 
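Review bot: The rating radios are no longer wired until the separate `<script>setupRatingEvent()</script>` runs, and that inline block only binds if it executes after the `#sar` fieldset exists in the DOM; wrapping it as `$(function(){ setupRatingEvent(); })` makes that independent of where the master template places `extra_js`. Better still, let `profanity_scripts` perform the binding itself so this template and edit_feedback.html do not each carry an extra inline script that must later be nonced or hashed under CSP.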
--- a/ForgeFiles/forgefiles/templates/files.html +++ b/ForgeFiles/forgefiles/templates/files.html @@ -117,7 +117,7 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e <a data-toggle="tooltip " {% if not folder.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{folder._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal'></i></a> - <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFolder('{{ folder._id }}', '{{folder.disabled}}', '{{folder.parent_folder.disabled}}','{{c.app.url}}disable_folder')" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a> + <a href="#" data-toggle="tooltip" {% if folder.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-folder" data-folder-id="{{ folder._id }}" data-folder-disabled="{{folder.disabled}}" data-folder-parent-disabled="{{folder.parent_folder.disabled}}" data-folder-disable-url="{{c.app.url}}disable_folder" ><i {% if folder.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a> </div> 
@@ -144,12 +144,12 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e {% if h.has_access(c.project, 'admin')() %} <td> <div class="file_actions"> - <a data-toggle="tooltip" {% if not file.disabled %} href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon" onclick="ConfirmLinkFile('{{ file._id }}', '{{ file.linked_to_download }}', '{{c.app.url}}link_file')" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a> + <a data-toggle="tooltip" {% if not file.disabled %} href= "#" {% if not file.linked_to_download%} title="Link" {% else %} title="Unlink" {% endif %} class="link_icon confirm-link-file" data-file-id="{{ file._id }}" data-linked-download="{{ file.linked_to_download }}" data-linked-url="{{c.app.url}}link_file" {% else %} class="disable_object" {% endif %} ><i class= "fa fa-link" {% if file.linked_to_download %} id="disable_link" {% endif %}></i></a> <a data-toggle="tooltip " {% if not file.disabled %} class="edit_icon admin_modal" href="{{c.app.url}}get_editable_object?object_id={{file._id}}" title="Edit" {% else %} class="disable_object" {% endif %}><i class="fa fa-edit" data-toggle='modal' ></i></a> <a data-toggle="tooltip " {% if not file.disabled %} class="delete_icon admin_modal" href="{{c.app.url}}get_deletable_object?object_id={{file._id}}" title="Delete" {% else %} class="disable_object" {% endif %}><i class="fa fa-trash-o" data-toggle='modal' {% if not file.disabled %} {% endif %} ></i></a> - <a href="#" data-toggle="tooltip" {% if file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} onclick="ConfirmDisableFile('{{ file._id }}', '{{file.disabled}}', '{{file.parent_folder.disabled}}','{{c.app.url}}disable_file')" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a> + <a href="#" data-toggle="tooltip" {% if 
file.disabled %} title="Enable" {% else %} title="Disable" {% endif %} class="confirm-disable-file" data-file-id="{{ file._id }}" data-file-disabled="{{file.disabled}}" data-file-parent-folder-disabled="parent_folder.disabled" data-file-url="{{c.app.url}}disable_file" ><i {% if file.disabled %} class="fa fa-undo" {% else %} class="fa fa-ban" {% endif %}></i></a> </div> </td> @@ -185,6 +185,34 @@ Files {% if folder_object %} - {{path_links(folder_path.split('/'), urls)}} {% e {% block extra_js %} <script type="text/javascript" src="{{g.app_static('js/files.js')}}"></script> +<script> +$('.confirm-disable-folder').each(function(el,index){ + $(this).on('click', function(e){ + var folder_id = $(this).data('folder-id'); + var folder_disabled = $(this).data('folder-disabled'); + var folder_parent_disabled = $(this).data('folder-parent-disabled'); + var folder_disable_url = $(this).data('folder-disable-url'); + ConfirmDisableFolder(folder_id, folder_disabled, folder_parent_disabled, folder_disable_url); + }); +}); +$('.confirm-link-file').each(function(el, index){ + $(this).on('click', function(e){ + var file_id = $(this).data('file-id'); + var linked_download = $(this).data('linked-download'); + var linked_url = $(this).data('linked-url'); + ConfirmLinkFile(file_id,linked_download, linked_url); + }); +}); +$('.confirm-disable-file').each(function(el,index){ + $(this).on('click', function(e){ + var file_id = $(this).data('file-id'); + var file_disabled = $(this).data('file-disabled'); + var file_parent_folder_disabled = $(this).data('file-parent-folder-disabled'); + var file_url = $(this).data('file-url'); + ConfirmDisableFile(file_id, file_disabled, file_parent_folder_disabled, file_url); + }); +}); +</script> {% endblock %} diff --git a/ForgeSVN/forgesvn/templates/svn/checkout_url.html b/ForgeSVN/forgesvn/templates/svn/checkout_url.html index ee06a632d..63a79a8d7 100644 --- a/ForgeSVN/forgesvn/templates/svn/checkout_url.html 
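Review bot: `data-file-parent-folder-disabled="parent_folder.disabled"` emits the literal text `parent_folder.disabled`, not the value — the template expression was dropped in the conversion — so `ConfirmDisableFile` now receives that string where it previously got `'{{file.parent_folder.disabled}}'` (`True`/`False`), and whatever it decides from the parent's state is silently wrong. Change it to `data-file-parent-folder-disabled="{{ file.parent_folder.disabled }}"`, matching the folder row above. A template test that renders a file row and asserts this attribute would catch the regression.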
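Review bot: The three handlers read ids, flags and URLs with `$(this).data(...)`, which type-coerces attribute values (numeric-looking strings become Numbers, `"true"`/`"false"` become booleans, brace/bracket strings are JSON-parsed), whereas the inline calls always passed plain strings; `.attr('data-…')` returns the attribute verbatim and avoids the surprise. The `.each(function(el,index){ $(this).on(...) })` wrappers are redundant since `.on()` binds every matched element, and the parameter names are reversed relative to jQuery's `(index, element)`. Because the anchors are `href="#"`, an `e.preventDefault()` also stops the jump to the top of the page — the old `onclick` did not prevent it either, so this is an improvement rather than a regression fix. Note that `{{folder.disabled}}` and friends render Python's `True`/`False`, which `.data()` leaves as strings, so that part behaves as before either way.
```html
<script>
$('.confirm-disable-folder').on('click', function(e){
  e.preventDefault();
  var a = $(this);
  ConfirmDisableFolder(a.attr('data-folder-id'), a.attr('data-folder-disabled'),
                       a.attr('data-folder-parent-disabled'), a.attr('data-folder-disable-url'));
});
$('.confirm-link-file').on('click', function(e){
  e.preventDefault();
  var a = $(this);
  ConfirmLinkFile(a.attr('data-file-id'), a.attr('data-linked-download'), a.attr('data-linked-url'));
});
$('.confirm-disable-file').on('click', function(e){
  e.preventDefault();
  var a = $(this);
  ConfirmDisableFile(a.attr('data-file-id'), a.attr('data-file-disabled'),
                     a.attr('data-file-parent-folder-disabled'), a.attr('data-file-url'));
});
</script>
```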
+++ b/ForgeSVN/forgesvn/templates/svn/checkout_url.html @@ -47,7 +47,7 @@ <hr> <div class="grid-13"> </div> <div class="grid-13"> - <input type="button" onclick="save_checkout_url()" value="Save"> + <input type="button" id="save-checkout-url" value="Save"> <a href="#" class="close">Cancel</a> </div> {% endif %} @@ -65,6 +65,10 @@ location.reload(); }); } + $('#save-checkout-url').on('click', function(e){ + save_checkout_url(); + e.preventDefault(); + }) </script> {% endif %} {% endblock %} diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html index e07cb372c..0e5120de8 100644 --- a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html +++ b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html @@ -43,7 +43,15 @@ {% for b in buttons %} {{b.display()}} {% endfor %} - <a href="#" onclick="window.history.back(); return false;" class="close">Cancel</a> + <a href="#" id="tracker-options-cancel" class="close">Cancel</a> </div> {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %} </form> +{% block extra_js %} +<script> +$('#tracker-options-cancel').on('click', function(e){ + window.history.back(); + e.preventDefault(); +}) +</script> +{% endblock %}
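Review bot: `e.preventDefault()` in the new `#save-checkout-url` handler is dead code: an `<input type="button">` has no default action, so there is nothing to prevent. Either drop it, leaving `$('#save-checkout-url').on('click', save_checkout_url);`, or add a one-line comment saying it is there defensively in case the element is ever changed to a submit button. The `<script>` block and the `{% if %}` guarding it start outside the hunk.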
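Review bot: The `{% block extra_js %}` wrapper implies this widget template participates in inheritance, but no `{% extends %}` is visible and `{{lib.csrf_token()}}` suggests a standalone widget; if the template does not extend a master, the `block` tag is inert and the script simply renders inline after the form, which works but misleads the reader into expecting it to be hoisted with the page's other scripts. Either add a comment saying the block is rendered in place, or emit a plain `<script>` here. Note also that `window.history.back()` is a behaviour change if the form is ever opened directly (no previous entry), which the old inline handler shared, so it is not a regression.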
