a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
diff --git src/hg/hgPublicSessions/hgPublicSessions.c src/hg/hgPublicSessions/hgPublicSessions.c
index 5d2c0da..f512133 100644
--- src/hg/hgPublicSessions/hgPublicSessions.c
+++ src/hg/hgPublicSessions/hgPublicSessions.c
@@ -130,79 +130,84 @@ } sqlFreeResult(&sr); hDisconnectCentral(&conn); return galList; } void galleryDisplay(struct galleryEntry *galList) /* Print a table containing the gallery data from galList */ { struct galleryEntry *thisSession = galList; /* Hide the orderable columns and disable ordering on the visible columns * https://datatables.net/reference/option/columnDefs for more info. * Then set up the ordering drop-down menu */ -printf ("<script type=\"text/javascript\">"); -printf("$(document).ready(function () {\n" +struct dyString *javascript = newDyString(1024); +dyStringPrintf(javascript, + "$(document).ready(function () {\n" " $('#sessionTable').DataTable({\"columnDefs\": [{\"visible\":false, \"targets\":[2,3]},\n" " {\"orderable\":false, \"targets\":[0,1]}\n" " ],\n" " \"dom\":\"lftip\",\n" " \"stateSave\":true,\n" " \"stateSaveCallback\": %s,\n" " \"stateLoadCallback\": %s,\n" " });\n" /* Recover previous sorting choice from the cart settings, if available */ " var startOrder = $('#sessionTable').DataTable().order();\n" " if (startOrder[0][0] == 3) {\n" " if (startOrder[0][1] == \"asc\") {\n" " $('#sortMethod').val(\"useAsc\");\n" " } else {\n" " $('#sortMethod').val(\"useDesc\");\n" " }\n" " } else {\n" " if (startOrder[0][0] == 2) {\n" " if (startOrder[0][1] == \"asc\") {\n" " $('#sortMethod').val(\"dateAsc\");\n" " } else {\n" " $('#sortMethod').val(\"dateDesc\");\n" " }\n" " } else {\n" " $('#sessionTable').DataTable().order([3,'desc']).draw();\n" " $('#sortMethod').val(\"useDesc\");\n" " }\n" " }\n" "});\n", jsDataTableStateSave(hgPublicSessionsPrefix), jsDataTableStateLoad(hgPublicSessionsPrefix, cart)); -printf ("function changeSort() {\n" +jsInline(javascript->string); +dyStringFree(&javascript); + +jsInline( + "function changeSort() {\n" " var newSort = document.getElementById('sortMethod').value;\n" " var theTable = $('#sessionTable').DataTable();\n" " if (newSort == \"useDesc\") {theTable.order([3,'desc']).draw(); }\n" " if (newSort == 
\"useAsc\") {theTable.order([3,'asc']).draw(); }\n" " if (newSort == \"dateDesc\") {theTable.order([2,'desc']).draw(); }\n" " if (newSort == \"dateAsc\") {theTable.order([2,'asc']).draw(); }\n" "}\n"); -printf("</script>\n"); printf ("<p>\n"); -printf ("<b>Sort by:</b> <select id=\"sortMethod\" onchange=\"changeSort()\">\n"); +printf ("<b>Sort by:</b> <select id=\"sortMethod\">\n"); printf ("\t\t<option value=\"useDesc\">Popularity (descending)</option>\n"); printf ("\t\t<option value=\"useAsc\">Popularity (ascending)</option>\n"); printf ("\t\t<option value=\"dateDesc\">Creation (newest first)</option>\n"); printf ("\t\t<option value=\"dateAsc\">Creation (oldest first)</option>\n"); printf ("</select></p>\n"); +jsOnEventById("change", "sortMethod", "changeSort();"); printf ("<table id=\"sessionTable\" class=\"sessionTable stripe hover row-border compact\" width=\"100%%\">\n" " <thead>" " <tr>" " <th>Screenshot</th>\n" " <th>Session Properties</th>\n" " <th>Creation Date</th>\n" " <th>Use Count</th>\n" " </tr>\n" " </thead>\n"); printf ("<tbody>\n"); while (thisSession != NULL) { char *settingString = NULL; 
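Review bot: The block comment above the new `struct dyString *javascript` still describes the DataTable setup as if the script were printed in place, but `jsInline` (per the commit description) queues it for a single nonce-bearing script block emitted at the end of the page, and nothing near the call says so. A reader checking that the `$(document).ready` handler, the `changeSort` definition and the `jsOnEventById("change", "sortMethod", "changeSort();")` registration end up in a sane order, relative to the `jsIncludeDataTablesLibs()` call in doMiddle, will want that stated where the script is built. Suggest extending the comment with ` * Queued via jsInline(): emitted once, with the CSP nonce, at page end rather than here.` galleryDisplay's body continues past the end of the hunk.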
@@ -254,31 +259,34 @@ void showGalleryTab () /* Rather boring now, but a placeholder against the day that there's also a "favorites" tab */ { struct galleryEntry *galList = galleryFetch(); galleryDisplay(galList); } void doMiddle(struct cart *theCart) /* Set up globals and make web page */ { cart = theCart; char *db = cartUsualString(cart, "db", hDefaultDb()); cartWebStart(cart, db, "Public Sessions"); /* Not in a form; can't use cartSaveSession() to set up an hgsid input */ -printf ("<script>var common = {hgsid:\"%s\"};</script>\n", cartSessionId(cart)); +char javascript[1024]; +safef(javascript, sizeof javascript, +"var common = {hgsid:\"%s\"};\n", cartSessionId(cart)); +jsInline(javascript); jsIncludeDataTablesLibs(); printf("<p>Sessions allow users to save snapshots of the Genome Browser " "and its current configuration, including displayed tracks, position, " "and custom track data. The Public Sessions tool allows users to easily " "share those sessions that they deem interesting with the rest of the " "world's researchers. You can add your own sessions to this list by " "checking the appropriate box on the " "<a href=\"../cgi-bin/hgSession?%s\">Session Management</a> page.</p>\n" "<p>See the " "<a href=\"../goldenPath/help/hgSessionHelp.html\">Sessions User's Guide</a> " "for more information.\n</p>", cartSidUrlString(cart)); showGalleryTab();
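Review bot: `cartSessionId(cart)` is formatted into a JS string literal with a bare `%s` and no escaping, and the buffer then goes to `jsInline`, so whatever text it holds is emitted under the CSP nonce and treated by the browser as script the server vouched for. The old `printf` had the same shape, but the nonce changes the consequence: this is now one of the few places where unescaped text reaches the trusted script block, so the assumption that the session id is purely server-generated should be recorded at the call, e.g. `/* hgsid is server-generated; nothing request-derived may be added here unescaped, this text runs under the CSP nonce */`. If the library has a JS-literal escaping helper it would be the safer choice for the `%s`, but none is visible in this hunk. The `char javascript[1024]` + `safef` pattern here also differs from the dyString used for the same purpose in galleryDisplay; either is fine, but one style would read better across the file. doMiddle's body appears to continue outside the hunk.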