src/hg/hgPcr/hgPcr.c a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c

a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/hgPcr/hgPcr.c src/hg/hgPcr/hgPcr.c
index 5562e9d..91c9bb6 100644
--- src/hg/hgPcr/hgPcr.c
+++ src/hg/hgPcr/hgPcr.c
@@ -196,69 +196,78 @@
 );
 }
 
 #define ORGFORM_KEEP_ORG "document.orgForm.org.value = " \
     " document.mainForm.org.options[document.mainForm.org.selectedIndex].value; "
 #define ORGFORM_KEEP_DB " document.orgForm.db.value = " \
     " document.mainForm.db.options[document.mainForm.db.selectedIndex].value; "
 #define ORGFORM_KEEP_PARAMS \
     " document.orgForm.wp_f.value = document.mainForm.wp_f.value; " \
     " document.orgForm.wp_r.value = document.mainForm.wp_r.value; " \
     " document.orgForm.wp_size.value = document.mainForm.wp_size.value; " \
     " document.orgForm.wp_perfect.value = document.mainForm.wp_perfect.value; " \
     " document.orgForm.wp_good.value = document.mainForm.wp_good.value; "
 #define ORGFORM_RESET_DB " document.orgForm.db.value = 0; "
 #define ORGFORM_RESET_TARGET " document.orgForm.wp_target.value = \"\"; "
-#define ORGFORM_SUBMIT " document.orgForm.submit();'";
+#define ORGFORM_SUBMIT " document.orgForm.submit();"
 
 
 void showGenomes(char *genome, struct pcrServer *serverList)
 /* Put up drop-down list with genomes on it. */
 {
 struct hash *uniqHash = hashNew(8);
 struct pcrServer *server;
-char *onChangeText = "onchange='" ORGFORM_KEEP_PARAMS ORGFORM_KEEP_ORG
+char *onChangeText = 
+    ORGFORM_KEEP_PARAMS 
+    ORGFORM_KEEP_ORG
     ORGFORM_RESET_DB
     ORGFORM_RESET_TARGET
-    ORGFORM_SUBMIT;
+    ORGFORM_SUBMIT 
+    ;
 
-printf("<SELECT NAME=\"org\" %s>\n", onChangeText);
+printf("<SELECT NAME=\"org\" id='org'>\n");
+jsOnEventById("change", "org", onChangeText);
 for (server = serverList; server != NULL; server = server->next)
     {
     if (!hashLookup(uniqHash, server->genome))
         {
 	hashAdd(uniqHash, server->genome, NULL);
 	printf("  <OPTION%s VALUE=\"%s\">%s</OPTION>\n", 
 	    (sameWord(genome, server->genome) ? " SELECTED" : ""), 
 	    server->genome, server->genome);
 	}
     }
 printf("</SELECT>\n");
 hashFree(&uniqHash);
 }
 
 void showAssemblies(char *genome, char *db, struct pcrServer *serverList,
 		    boolean submitOnClick)
 /* Put up drop-down list with assemblies on it. */
 {
 struct pcrServer *server;
-char *onChangeText = "onchange='" ORGFORM_KEEP_PARAMS ORGFORM_KEEP_ORG
+char *onChangeText =
+    ORGFORM_KEEP_PARAMS 
+    ORGFORM_KEEP_ORG
     ORGFORM_KEEP_DB
     ORGFORM_RESET_TARGET
-    ORGFORM_SUBMIT;
+    ORGFORM_SUBMIT 
+    ;
 
-printf("<SELECT NAME=\"db\"%s>\n", submitOnClick ? onChangeText : "");
+printf("<SELECT NAME=\"db\" id='db'>\n");
+if (submitOnClick)
+    jsOnEventById("change", "db", onChangeText);
 for (server = serverList; server != NULL; server = server->next)
     {
     if (sameWord(genome, server->genome))
 	printf("  <OPTION%s VALUE=%s>%s</OPTION>\n", 
 	    (sameString(db, server->db) ? " SELECTED" : ""), 
 	    server->db, server->description);
     }
 printf("</SELECT>\n");
 }
 
 void showTargets(char *target, struct targetPcrServer *serverList)
 /* Put up drop-down list with targets on it. */
 {
 struct targetPcrServer *server;