a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
diff --git src/hg/hgPublicSessions/hgPublicSessions.c src/hg/hgPublicSessions/hgPublicSessions.c
index 5d2c0da..f512133 100644
--- src/hg/hgPublicSessions/hgPublicSessions.c
+++ src/hg/hgPublicSessions/hgPublicSessions.c
@@ -130,79 +130,84 @@
 }
 sqlFreeResult(&sr);
 hDisconnectCentral(&conn);
 return galList;
 }
 void galleryDisplay(struct galleryEntry *galList)
 /* Print a table containing the gallery data from galList */
 {
 struct galleryEntry *thisSession = galList;
 /* Hide the orderable columns and disable ordering on the visible columns
 * https://datatables.net/reference/option/columnDefs for more info.
 * Then set up the ordering drop-down menu */
-printf ("\n");
 printf ("

\n");
-printf ("Sort by: \n");
 printf ("\t\t\n");
 printf ("\t\t\n");
 printf ("\t\t\n");
 printf ("\t\t\n");
 printf ("

\n");
+jsOnEventById("change", "sortMethod", "changeSort();");
 printf ("\n" " " " " " \n" " \n" " \n" " \n" " \n" " \n");
 printf ("\n");
 while (thisSession != NULL)
 {
 char *settingString = NULL;
@@ -254,31 +259,34 @@
 void showGalleryTab ()
 /* Rather boring now, but a placeholder against the day that there's also a "favorites" tab */
 {
 struct galleryEntry *galList = galleryFetch();
 galleryDisplay(galList);
 }
 void doMiddle(struct cart *theCart)
 /* Set up globals and make web page */
 {
 cart = theCart;
 char *db = cartUsualString(cart, "db", hDefaultDb());
 cartWebStart(cart, db, "Public Sessions");
 /* Not in a form; can't use cartSaveSession() to set up an hgsid input */
-printf ("\n", cartSessionId(cart));
+char javascript[1024];
+safef(javascript, sizeof javascript,
+"var common = {hgsid:\"%s\"};\n", cartSessionId(cart));
+jsInline(javascript);
 jsIncludeDataTablesLibs();
 printf("
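Review bot: The `jsOnEventById("change", "sortMethod", "changeSort();")` call only takes effect if the `<select>` printed by the following `printf` still carries `id='sortMethod'`; the markup is not readable in this view, so that pairing should be confirmed, and a short comment above the call would spare the next reader the lookup: `/* Handler is bound by element id rather than an inline onchange= attribute, so it ships in the nonced script block the CSP2 policy allows. */`. Because the handler registration is emitted at the end of the page, the element already exists when it runs, which fits the design described in the commit message. galleryDisplay's body continues past the end of this hunk.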

Sessions allow users to save snapshots of the Genome Browser "
 "and its current configuration, including displayed tracks, position, "
 "and custom track data. The Public Sessions tool allows users to easily "
 "share those sessions that they deem interesting with the rest of the "
 "world's researchers. You can add your own sessions to this list by "
 "checking the appropriate box on the "
 "Session Management page.

\n" "

See the "
 "Sessions User's Guide "
 "for more information.\n

", cartSidUrlString(cart));
 showGalleryTab();
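Review bot: `cartSessionId(cart)` is spliced into a JavaScript string literal with `%s` and no escaping in the new `safef` call, so a quote, backslash or `</script>` in that value would execute inside the nonced script block, which is exactly the class of injection the CSP2 work is meant to stop; the removed `printf` had the same shape, but the nonce now vouches for whatever lands there. The session id is presumably server-generated and alphanumeric, so the practical exposure is low, but escaping the value for a JS string literal (or emitting it through a JSON-encoding helper) would make that invariant explicit rather than assumed. At minimum, add `/* hgsid is server-generated; never splice user-controlled text into this literal without JS escaping */` above the `safef`. `safef` with `sizeof javascript` bounds the write, so the 1024-byte buffer itself is not a concern. doMiddle's body appears to continue past the end of this hunk.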
ScreenshotSession PropertiesCreation DateUse Count