a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/hgCustom/hgCustom.c src/hg/hgCustom/hgCustom.c
index 8d7b620..50cbbea 100644
--- src/hg/hgCustom/hgCustom.c
+++ src/hg/hgCustom/hgCustom.c
@@ -78,34 +78,36 @@
 #ifdef PROGRESS_METER
 #define hgCtDoProgress	  hgCtDo "progress"
 #endif
 
 /* Global variables */
 struct cart *cart;
 struct hash *oldVars = NULL;
 char *excludeVars[] = {"Submit", "submit", "SubmitFile", NULL};
 char *database = NULL;
 char *organism = NULL;
 struct customTrack *ctList = NULL;
 
 void makeClearButton(char *field)
 /* UI button that clears a text field */
 {
+char id[256];
+safef(id, sizeof id, "%s_clear", field);
 char javascript[1024];
 safef(javascript, sizeof javascript,
         "document.mainForm.%s.value = '';", field);
-cgiMakeOnClickButton(javascript, " Clear ");
+cgiMakeOnClickButton(id, javascript, " Clear ");
 }
 
 void addIntro()
 /* display overview and help message for "add" screen */
 {
 puts(" Data must be formatted in\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigBed.html'>bigBed</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigChain.html'>bigChain</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigGenePred.html'>bigGenePred</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigMaf.html'>bigMaf</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigPsl.html'>bigPsl</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bigWig.html'>bigWig</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/bam.html'>BAM</A>,\n"
 " <A TARGET=_BLANK HREF='../goldenPath/help/vcf.html'>VCF</A>,\n"
 " <A TARGET=_BLANK HREF='../FAQ/FAQformat.html#format1'>BED</A>,\n"
@@ -145,65 +147,66 @@
     {
     isUpdateForm = TRUE;
     dataUrl = ctDataUrl(ct);
     }
 else
     /* add form needs clade for assembly menu */
     gotClade = hGotClade();
 
 jsIncludeFile("jquery.js", NULL);
 jsIncludeFile("hgCustom.js", NULL);
 jsIncludeFile("utils.js", NULL);
 jsIncludeFile("ajax.js", NULL);
 
 /* main form */
 printf("<FORM ACTION=\"%s\" METHOD=\"%s\" "
-    " ENCTYPE=\"multipart/form-data\" NAME=\"mainForm\" onsubmit=\"$('input[name=Submit]').attr('disabled', 'disabled');\" >\n",
+    " ENCTYPE=\"multipart/form-data\" NAME=\"mainForm\" id='mainForm'>\n",
     hgCustomName(), cartUsualString(cart, "formMethod", "POST"));
+jsOnEventById("submit", "mainForm", "$('input[name=Submit]').attr('disabled', 'disabled');");
 cartSaveSession(cart);
 
 if (!isUpdateForm)
     {
     /* Print clade, genome and assembly  */
     /* NOTE: this uses an additional, hidden form (orgForm), below */
-    char *onChangeDb = "onchange=\"document.orgForm.db.value = document.mainForm.db.options[document.mainForm.db.selectedIndex].value; document.orgForm.submit();\"";
-    char *onChangeOrg = "onchange=\"document.orgForm.org.value = document.mainForm.org.options[document.mainForm.org.selectedIndex].value; document.orgForm.db.value = 0; document.orgForm.submit();\"";
-    char *onChangeClade = "onchange=\"document.orgForm.clade.value = document.mainForm.clade.options[document.mainForm.clade.selectedIndex].value; document.orgForm.org.value = 0; document.orgForm.db.value = 0; document.orgForm.submit();\"";
+    char *onChangeDb = "document.orgForm.db.value = document.mainForm.db.options[document.mainForm.db.selectedIndex].value; document.orgForm.submit();";
+    char *onChangeOrg = "document.orgForm.org.value = document.mainForm.org.options[document.mainForm.org.selectedIndex].value; document.orgForm.db.value = 0; document.orgForm.submit();";
+    char *onChangeClade = "document.orgForm.clade.value = document.mainForm.clade.options[document.mainForm.clade.selectedIndex].value; document.orgForm.org.value = 0; document.orgForm.db.value = 0; document.orgForm.submit();";
 
     if (hIsGsidServer())
         {
         printf("<span style='color:red;'>The Custom Track function and its documentation is "
                 "currently under development ...</span><BR><BR>\n");
         }
 
     puts("<TABLE BORDER=0>\n");
     if (gotClade)
         {
         puts("<TR><TD>clade\n");
-        printCladeListHtml(hOrganism(database), onChangeClade);
+        printCladeListHtml(hOrganism(database), "change", onChangeClade);
         puts("&nbsp;&nbsp;&nbsp;");
         puts("genome\n");
-        printGenomeListForCladeHtml(database, onChangeOrg);
+        printGenomeListForCladeHtml(database, "change", onChangeOrg);
         }
     else
         {
         puts("<TR><TD>genome\n");
-        printGenomeListHtml(database, onChangeOrg);
+        printGenomeListHtml(database, "change", onChangeOrg);
         }
     puts("&nbsp;&nbsp;&nbsp;");
     puts("assembly\n");
-    printAssemblyListHtml(database, onChangeDb);
+    printAssemblyListHtml(database, "change", onChangeDb);
     char *description = hFreezeFromDb(database);
     if ((description != NULL) && ! stringIn(database, description))
 	{
 	puts("&nbsp;&nbsp;&nbsp;");
 	printf("[%s]", trackHubSkipHubName(database));
 	}
     puts("</TD></TR></TABLE>\n");
     }
 
 /* intro text */
 puts("<P>");
 if (isUpdateForm)
     puts("Update your custom track configuration, data, and/or documentation.");
 else
     puts("Display your own data as custom annotation tracks in the browser.");
@@ -497,31 +500,31 @@
     showAllButtons = TRUE;
 
 tableHeaderFieldStart(showAllButtons ? 2 : 1);
 cgiMakeButtonWithMsg(hgCtDoDelete, "delete", "Remove custom track");
 cgiTableFieldEnd();
 
 /* add column with Update button if any custom tracks are updateable */
 if (updateCt)
     {
     tableHeaderFieldStart(showAllButtons ? 2 : 1);
     cgiMakeButtonWithMsg(hgCtDoRefresh, "update", "Refresh from data URL");
     cgiTableFieldEnd();
     }
 
 cgiTableRowEnd();
-
+int butCount=0;
 for (ct = ctList; ct != NULL; ct = ct->next)
     {
     /* Name  field */
     char *shortLabel = htmlEncode(ct->tdb->shortLabel);
     if ((ctDataUrl(ct) && ctHtmlUrl(ct)) ||
             sameString(ct->tdb->type, "chromGraph"))
         printf("<TR><TD>%s</A></TD>", shortLabel);
     else
 	{
 	char *cgiName = cgiEncode(ct->tdb->track);
         printf("<TR><TD><A TITLE='Update custom track: %s' HREF='%s?%s&%s=%s'>%s</A></TD>",
             shortLabel, hgCustomName(),cartSidUrlString(cart),
 	    hgCtTable, cgiName, shortLabel);
 	freeMem(cgiName);
 	}
@@ -556,32 +559,37 @@
             char *chrom = cloneString(pos);
             chopSuffixAt(chrom, ':');
             if (hgOfficialChromName(database, chrom))
                 printf("<TD><A HREF='%s?%s&position=%s&hgTracksConfigPage=notSet' TITLE=%s>%s:</A></TD>",
                     hgTracksName(), cartSidUrlString(cart),pos, pos, chrom);
             else
                 puts("<TD>&nbsp;</TD>");
             }
         else
             puts("<TD>&nbsp;</TD>");
         }
     if (errCt)
 	{
 	if (ct->networkErrMsg)
 	    {
-	    printf("\n<TD><A href=\"javascript:void(0)\" onClick=\"alert('%s')\">Show</A></TD>\n",
+	    char id[256];
+	    safef(id, sizeof id, "_%d", butCount);
+	    printf("\n<TD><A href='#' id='%s'>Show</A></TD>\n", id);
+	    char javascript[1024];
+	    safef(javascript, sizeof javascript, "alert('%s');return false;",
 		javaScriptLiteralEncode(ct->networkErrMsg));
+	    jsOnEventById("click", id, javascript);
 	    }
 	else
 	    puts("<TD>&nbsp;</TD>");
 	}
     /* Delete checkboxes */
     printf("<TD COLSPAN=%d ALIGN=CENTER>", showAllButtons ? 2 : 1);
     safef(buf, sizeof(buf), "%s_%s", hgCtDeletePrefix,
             ct->tdb->track);
     cgiMakeCheckBoxJS(buf, setAllDelete, "class='deleteCheckbox'");
     puts("</TD>");
 
     /* Update checkboxes */
     if (updateCt)
         {
         printf("<TD COLSPAN=%d ALIGN=CENTER>", showAllButtons ? 2 : 1);
@@ -658,33 +666,32 @@
 
 static void makeOtherCgiForm(char *pos)
 /* Make a form for navigating to other CGIs. */
 {
 struct slPair *valsAndLabels = makeOtherCgiValsAndLabels();
 // Default to the first CGI in the menu.
 char *defaultCgi = valsAndLabels->name;
 char *selected = cartUsualString(cart, hgCtNavDest, defaultCgi);
 printf("<FORM STYLE=\"margin-bottom:0;\" METHOD=\"GET\" NAME=\"navForm\" ID=\"navForm\""
        " ACTION=\"%s\">\n", selected);
 cartSaveSession(cart);
 if (pos)
     cgiMakeHiddenVar("position", pos);
 printf("view in ");
 // Construct a menu of destination CGIs
-char *extraHtml = "id=\"navSelect\" "
-    "onChange=\"var newVal = $('#navSelect').val(); $('#navForm').attr('action', newVal);\"";
-puts(cgiMakeSingleSelectDropList(hgCtNavDest, valsAndLabels, selected, NULL, NULL, extraHtml));
+puts(cgiMakeSingleSelectDropList(hgCtNavDest, valsAndLabels, selected, NULL, NULL,
+ "change", "var newVal = $('#navSelect').val(); $('#navForm').attr('action', newVal);", NULL, "navSelect"));
 cgiMakeButton("submit", "go");
 puts("</FORM>");
 }
 
 static void manageCustomForm(char *warn)
 /* list custom tracks and display checkboxes so user can select for delete */
 {
 
 struct dbDb *dbList = getCustomTrackDatabases();
 struct dbDb *dbDb = NULL;
 /* add this database to the list, as it may have no custom
  * tracks, but we still want to see it in the menu */
 slAddTail(&dbList, hDbDb(database));
 slReverse(&dbList);
 /* remove duplicate entry for this database, if any */
@@ -702,39 +709,39 @@
     printf("<FORM STYLE=\"margin-bottom:0;\" ACTION=\"%s\" METHOD=\"GET\" NAME=\"orgForm\">", hgCustomName());
     cartSaveSession(cart);
     printf("<INPUT TYPE=\"HIDDEN\" NAME=\"org\" VALUE=\"%s\">\n", organism);
     printf("<INPUT TYPE=\"HIDDEN\" NAME=\"db\" VALUE=\"%s\">\n", database);
     puts("</FORM>");
     }
 
 /* the main form contains a table of all tracks, with checkboxes to delete */
 printf("<FORM ACTION=\"%s\" METHOD=\"%s\" NAME=\"mainForm\">\n",
            hgCustomName(), cartUsualString(cart, "formMethod", "POST"));
 cartSaveSession(cart);
 
 if (assemblyMenu)
     {
     /* Print clade, genome and assembly  */
-    char *onChangeDb = "onchange=\"document.orgForm.db.value = document.mainForm.db.options[document.mainForm.db.selectedIndex].value; document.orgForm.submit();\"";
-    char *onChangeOrg = "onchange=\"document.orgForm.org.value = document.mainForm.org.options[document.mainForm.org.selectedIndex].value; document.orgForm.db.value = 0; document.orgForm.submit();\"";
+    char *onChangeDb = "document.orgForm.db.value = document.mainForm.db.options[document.mainForm.db.selectedIndex].value; document.orgForm.submit();";
+    char *onChangeOrg = "document.orgForm.org.value = document.mainForm.org.options[document.mainForm.org.selectedIndex].value; document.orgForm.db.value = 0; document.orgForm.submit();";
 
     puts("<TABLE BORDER=0>\n");
     puts("<TR><TD>genome\n");
-    printSomeGenomeListHtml(database, dbList, onChangeOrg);
+    printSomeGenomeListHtml(database, dbList, "change", onChangeOrg);
     puts("&nbsp;&nbsp;&nbsp;");
     puts("assembly\n");
-    printSomeAssemblyListHtml(database, dbList, onChangeDb);
+    printSomeAssemblyListHtml(database, dbList, "change", onChangeDb);
     puts("&nbsp;&nbsp;&nbsp;");
     printf("[%s]", database);
     puts("</TD></TR></TABLE><P>\n");
     }
 else
     {
     char *assemblyName = hFreezeDateOpt(database);
     if (assemblyName == NULL)
 	assemblyName = "default";
 
     printf("<B>genome:</B> %s &nbsp;&nbsp;&nbsp;<B>assembly:</B> %s &nbsp;&nbsp;&nbsp;[%s]\n",
             organism, assemblyName, database);
 	}
 
 if (measureTiming && (loadTime > 0))
@@ -772,56 +779,61 @@
 char *pos = NULL;
 if (ctList)
     {
     pos = ctInitialPosition(ctList);
     if (!pos)
         pos = ctFirstItemPos(ctList);
     }
 
 puts("<TR><TD>");
 makeOtherCgiForm(pos);
 puts("</TD></TR>");
 
 /* button to add custom tracks */
 puts("<TR><TD>");
 printf("<INPUT TYPE=SUBMIT NAME=\"addTracksButton\" ID=\"addTracksButton\" VALUE=\"%s\" "
-       "STYLE=\"margin-top: 5px\" "
+       "STYLE=\"margin-top: 5px\" >\n",
+       "add custom tracks");
+char javascript[1024];
+safef(javascript, sizeof javascript,
+	"var $form = $(\"form[name='mainForm']\"); "
+	"$form.append(\"<input name='%s' type='hidden'>\"); "
+	"$form.submit();"
+	, hgCtDoAdd);
+
 // This submits mainForm with a hidden input that tells hgCustom to show add tracks page:
-       "onClick='var $form = $(form[name=\"mainForm\"]); "
-                "$form.append(\"<input name=\\\"%s\\\" type=\\\"hidden\\\">\"); "
-                "$form.submit();' >\n",
-       "add custom tracks", hgCtDoAdd);
+jsOnEventById("click", "addTracksButton", javascript);
 puts("</TD></TR>");
 
 puts("</TABLE>");
 puts("</TD>");
 
 cgiTableRowEnd();
 cgiTableEnd();
 
 
 // This vertically aligns the 'add tracks' button with the other-CGI select
-puts("<SCRIPT>");
-puts("function fitUnder($el1, $el2) { "
+jsInline(
+    "function fitUnder($el1, $el2) { "
     "  var off1 = $el1.offset(); "
     "  var off2 = $el2.offset(); "
     "  off2.left = off1.left; "
     "  $el2.offset(off2);"
     "  $el2.width($el1.width()); "
-     "};");
-puts("$(document).ready(function () { fitUnder($('#navSelect'), $('#addTracksButton')); });");
-puts("</SCRIPT>");
+    "};"
+    "$(document).ready(function () { fitUnder($('#navSelect'), $('#addTracksButton')); });\n"
+);
 
 cartSetString(cart, "hgta_group", "user");
 }
 
 void helpCustom()
 /* display documentation */
 {
 webNewSection("Loading Custom Tracks");
 char *browserVersion;
 if (btIE == cgiClientBrowser(&browserVersion, NULL, NULL) && *browserVersion < '8')
     puts("<span>");
 else
     puts("<span style='position:relative; top:-1em;'>");
 webIncludeHelpFile("customTrackLoad", FALSE);