a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/hgSession/hgSession.c src/hg/hgSession/hgSession.c index 2610a77..8a6e0ca 100644 --- src/hg/hgSession/hgSession.c +++ src/hg/hgSession/hgSession.c @@ -261,42 +261,44 @@ void showExistingSessions(char *userName) /* Print out a table with buttons for sharing/unsharing/loading/deleting * previously saved sessions. */ { struct sqlConnection *conn = hConnectCentral(); struct sqlResult *sr = NULL; char **row = NULL; char query[512]; boolean foundAny = FALSE; char *encUserName = cgiEncodeFull(userName); boolean gotSettings = (sqlFieldIndex(conn, namedSessionTable, "settings") >= 0); /* DataTables configuration: only allow ordering on session name, creation date, and database. * https://datatables.net/reference/option/columnDefs */ -printf ("\n", jsDataTableStateSave(hgSessionPrefix), jsDataTableStateLoad(hgSessionPrefix, cart)); + , jsDataTableStateSave(hgSessionPrefix), jsDataTableStateLoad(hgSessionPrefix, cart)); +jsInline(javascript); printf("

My Sessions

\n"); printf("
"); printf("\n"); printf(""); printf("" "" "" "" "", cartSidUrlString(cart)); printf(""); printf("\n"); if (gotSettings) @@ -356,36 +358,37 @@ if (gotSettings) { safef(buf, sizeof(buf), "%s%s", hgsEditPrefix, encSessionName); cgiMakeButton(buf, "details"); } else printf("unavailable"); printf("", link); freez(&link); foundAny = TRUE; struct slName *sn = slNameNew(sessionName); slAddHead(&existingSessionNames, sn); } if (!foundAny) printf("" "\n"); printf("\n"); printf("
session name (click to load)created onassemblyview/edit 
details 
delete this 
session 
share with 
others? 
post in 
public listing?
send to
mail
"); safef(buf, sizeof(buf), "%s%s", hgsDeletePrefix, encSessionName); char command[512]; safef(command, sizeof(command), confirmDeleteFormat, encSessionName); cgiMakeOnClickSubmitButton(command, buf, "delete"); printf(""); safef(buf, sizeof(buf), "%s%s", hgsSharePrefix, encSessionName); - cgiMakeCheckBoxJS(buf, shared>0, "onchange=\"console.log('new status' + this.checked); document.mainForm.submit();\""); + cgiMakeCheckBoxWithId(buf, shared>0, buf); + jsOnEventById("change",buf,"console.log('new status' + this.checked); document.mainForm.submit();"); printf(""); safef(buf, sizeof(buf), "%s%s", hgsGalleryPrefix, encSessionName); - cgiMakeCheckBoxFourWay(buf, inGallery, shared>0, NULL, NULL, - "onchange=\"document.mainForm.submit();\""); + cgiMakeCheckBoxFourWay(buf, inGallery, shared>0, buf, NULL, NULL); + jsOnEventById("change", buf, "document.mainForm.submit();"); link = getSessionEmailLink(encUserName, encSessionName); printf("%s
   (none)
\n"); @@ -414,33 +417,32 @@ printf("\n"); printf("\n"); printf("\n"); } void showLoadingOptions(char *userName, boolean savedSessionsSupported) /* Show options for loading settings from another user's session, a file * or URL. */ { printf("

Restore Settings

\n"); if (savedSessionsSupported) showOtherUserOptions(); printf("\n"); printf("\n"); -printf("\n"); printf("\n"); printf("\n"); printf("\n"); printf("
Use settings from a local file:\n", - hgsLoadLocalFileName); +printf("\n", hgsLoadLocalFileName, hgsLoadLocalFileName); +jsOnEventById("keypress", hgsLoadLocalFileName,"return noSubmitOnEnter(event);"); printf("  "); cgiMakeButton(hgsDoLoadLocal, "submit"); printf("
Use settings from a URL (http://..., ftp://...):" "\n"); cgiMakeOnKeypressTextVar(hgsLoadUrlName, cartUsualString(cart, hgsLoadUrlName, ""), 20, jsPressOnEnter(hgsDoLoadUrl)); printf("  "); cgiMakeButton(hgsDoLoadUrl, "submit"); printf("
\n"); @@ -497,31 +499,31 @@ cgiMakeButton(hgsDoNewSession, "submit"); printf("\n"); printf("\n"); } printf("Save current settings to a local file:\n"); printf("   file:\n"); cgiMakeOnKeypressTextVar(hgsSaveLocalFileName, cartUsualString(cart, hgsSaveLocalFileName, ""), 20, jsPressOnEnter(hgsDoSaveLocal)); printf("   "); printf("file type returned: "); cgiMakeDropListFull(hgsSaveLocalFileCompress, textOutCompressMenu, textOutCompressValues, textOutCompressMenuSize, cartUsualString(cart, hgsSaveLocalFileCompress, textOutCompressNone), - NULL); + NULL, NULL); printf(""); printf(" "); cgiMakeButton(hgsDoSaveLocal, "submit"); printf("\n"); printf("(leave file blank to get output in " "browser window)\n"); printf("\n"); printf("\n"); } void showSessionControls(char *userName, boolean savedSessionsSupported, boolean webStarted) /* If userName is non-null, show sessions that belong to user and allow * saving of named sessions. * If savedSessionsSupported, allow import of named sessions. @@ -943,82 +945,97 @@ #define toggleGalleryDisable \ " var c = document.getElementById('detailsSharedCheckbox'); " \ " var d = document.getElementById('detailsGalleryCheckbox'); " \ " if (c.checked)" \ " {d.disabled = false;} " \ " else" \ " {d.disabled = true; " \ " d.checked = false; }" dyStringPrintf(dyMessage, "%s

\n" "

\n" "" "" "Session Name: " - "\n", + "\n", sessionName, hgSessionName(), cartSessionVarName(cart), cartSessionId(cart), hgsOldSessionName, sessionName, - hgsNewSessionName, 32, sessionName, highlightAccChanges, highlightAccChanges); + hgsNewSessionName, hgsNewSessionName, 32, sessionName); + jsOnEventById("change" , hgsNewSessionName, highlightAccChanges); + jsOnEventById("keypress", hgsNewSessionName, highlightAccChanges); + dyStringPrintf(dyMessage, "  " - "  " + "  " "  " "   " "
\n", - hgsLoadPrefix, encSessionName, hgsDeletePrefix, encSessionName, - encSessionName, hgsDoSessionChange, hgsDoSessionChange, hgsCancel); + hgsLoadPrefix, encSessionName, + hgsDeletePrefix, encSessionName, hgsDeletePrefix, encSessionName, + hgsDoSessionChange, hgsDoSessionChange, hgsCancel); + char id[256]; + safef(id, sizeof id, "%s%s", hgsDeletePrefix, encSessionName); + char javascript[1024]; + safef(javascript, sizeof javascript, confirmDeleteFormat, encSessionName); + jsOnEventById("click", id, javascript); + dyStringPrintf(dyMessage, "Share with others? \n" + "id=\"detailsSharedCheckbox\">\n" "
\n", hgsSharePrefix, encSessionName, (shared>0 ? " CHECKED" : ""), - highlightAccChanges, toggleGalleryDisable, highlightAccChanges, toggleGalleryDisable, cgiBooleanShadowPrefix(), hgsSharePrefix, encSessionName); + safef(javascript, sizeof javascript, "{%s %s}", highlightAccChanges, toggleGalleryDisable); + jsOnEventById("change", "detailsSharedCheckbox", javascript); + safef(javascript, sizeof javascript, "{%s %s}", highlightAccChanges, toggleGalleryDisable); + jsOnEventById("click" , "detailsSharedCheckbox", javascript); dyStringPrintf(dyMessage, "List in Public Sessions? \n" + "id=\"detailsGalleryCheckbox\">\n" "
\n", hgsGalleryPrefix, encSessionName, (shared>=2 ? " CHECKED" : ""), - highlightAccChanges, highlightAccChanges, cgiBooleanShadowPrefix(), hgsGalleryPrefix, encSessionName); + jsOnEventById("change", "detailsGalleryCheckbox", highlightAccChanges); + jsOnEventById("click" , "detailsGalleryCheckbox", highlightAccChanges); + /* Set initial disabled state of the gallery checkbox */ - dyStringPrintf(dyMessage, "\n\n", toggleGalleryDisable); + jsInline(toggleGalleryDisable); dyStringPrintf(dyMessage, "Created on %s.
\n", firstUse); /* Print custom track counts per assembly */ struct cart *tmpCart = cartNew(NULL,NULL,NULL,NULL); struct sqlConnection *conn2 = hConnectCentral(); cartLoadUserSession(conn2, userName, sessionName, tmpCart, NULL, NULL); hDisconnectCentral(&conn2); cartCheckForCustomTracks(tmpCart, dyMessage); if (gotSettings) { description = replaceChars(description, "\\\\", "\\__ESC__"); description = replaceChars(description, "\\r", "\r"); description = replaceChars(description, "\\n", "\n"); description = replaceChars(description, "\\__ESC__", "\\"); dyStringPrintf(dyMessage, "Description:
\n" - "
\n", - hgsNewSessionDescription, 5, 80, - highlightAccChanges, highlightAccChanges, description); + "
\n", + hgsNewSessionDescription, hgsNewSessionDescription, 5, 80, + description); + jsOnEventById("change" , hgsNewSessionDescription, highlightAccChanges); + jsOnEventById("keypress" , hgsNewSessionDescription, highlightAccChanges); } dyStringAppend(dyMessage, "
\n"); sqlFreeResult(&sr); } else errAbort("doSessionDetail: got no results from query:
\n%s\n", query); return dyStringCannibalize(&dyMessage); } char *doUpdateSessions(char *userName) /* Look for cart variables matching prefixes for sharing/unsharing, * loading or deleting a previously saved session. * Return a message confirming what we did, or NULL if no such variables * were in the cart. */