a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
diff --git src/hg/hgTables/intersect.c src/hg/hgTables/intersect.c
index 6b27ac4..99b943c 100644
--- src/hg/hgTables/intersect.c
+++ src/hg/hgTables/intersect.c
@@ -90,77 +90,76 @@ removeCartVars(cart, curVars, ArraySize(curVars)); return FALSE; } } else return FALSE; } boolean intersectionIsBpWise() /* Return TRUE if the intersection/union operation is base pair-wise. */ { char *op = cartUsualString(cart, hgtaIntersectOp, "any"); return (sameString(op, "and") || sameString(op, "or")); } -static char *onChangeEnd(struct dyString **pDy) -/* Finish up javascript onChange command. */ -{ -dyStringAppend(*pDy, "document.hiddenForm.submit();\""); -return dyStringCannibalize(pDy); -} - static struct dyString *onChangeStart() /* Start up a javascript onChange command */ { struct dyString *dy = dyStringNew(1024); -dyStringAppend(dy, "onChange=\""); jsDropDownCarryOver(dy, hgtaNextIntersectGroup); jsDropDownCarryOver(dy, hgtaNextIntersectTrack); jsDropDownCarryOver(dy, hgtaNextIntersectTable); jsTrackedVarCarryOver(dy, hgtaNextIntersectOp, "op"); jsTextCarryOver(dy, hgtaNextMoreThreshold); jsTextCarryOver(dy, hgtaNextLessThreshold); if (!isBigWigTable(curTable)) jsTrackedVarCarryOver(dy, hgtaNextInvertTable, "invertTable"); jsTrackedVarCarryOver(dy, hgtaNextInvertTable2, "invertTable2"); return dy; } +static char *onChangeEnd(struct dyString **pDy) +/* Finish up javascript onChange command. */ +{ +dyStringAppend(*pDy, "document.hiddenForm.submit();"); +return dyStringCannibalize(pDy); +} + static char *onChangeEither() /* Get group-changing javascript. */ { struct dyString *dy = onChangeStart(); return onChangeEnd(&dy); } void makeOpButton(char *val, char *selVal) /* Make region radio button including a little Javascript * to save selection state. */ { jsMakeTrackingRadioButton(hgtaNextIntersectOp, "op", val, selVal); } struct trackDb *showGroupTrackRow(char *groupVar, char *groupScript, char *trackVar, char *trackScript, struct sqlConnection *conn) /* Show group & track row of controls. 
Returns selected track */ { struct trackDb *track; struct grp *selGroup; hPrintf("<TR><TD>"); -selGroup = showGroupField(groupVar, groupScript, conn, FALSE); -track = showTrackField(selGroup, trackVar, trackScript, TRUE); +selGroup = showGroupField(groupVar, "change", groupScript, conn, FALSE); +track = showTrackField(selGroup, trackVar, "change", trackScript, TRUE); hPrintf("</TD></TR>\n"); return track; } void doIntersectMore(struct sqlConnection *conn) /* Continue working in intersect page. */ { struct trackDb *iTrack; char *name = curTableLabel(); char *iName, *iTable; char *onChange = onChangeEither(); char *op, *setting; boolean wigOptions = (isWiggle(database, curTable) || isBedGraph(curTable)); // Note - bigWig is purposely left out of wigOptions. It supports more intersection options @@ -257,34 +256,37 @@ "<P>\n"); if (!bigWig) { jsMakeTrackingCheckBox(cart, hgtaNextInvertTable, "invertTable", FALSE); printf("Complement %s before base-pair-wise intersection/union <BR>\n", name); } jsMakeTrackingCheckBox(cart, hgtaNextInvertTable2, "invertTable2", FALSE); printf("Complement %s before base-pair-wise intersection/union <P>\n", iName); } else { /* keep javaScript onClick happy */ jsTrackingVar("op", op); - hPrintf("<SCRIPT>\n"); - hPrintf("var invertTable=0;\n"); - hPrintf("var invertTable2=0;\n"); - hPrintf("</SCRIPT>\n"); + + jsInline + ( + "var invertTable=0;\n" + "var invertTable2=0;\n" + ); + hPrintf("(data track %s is not composed of gene records. Specialized intersection operations are not available.)<P>\n", name); } cgiMakeButton(hgtaDoIntersectSubmit, "submit"); hPrintf(" "); cgiMakeButton(hgtaDoMainPage, "cancel"); hPrintf("</FORM>\n"); /* Hidden form - for benefit of javascript. */ { static char *saveVars[32]; int varCount = ArraySize(nextVars); memcpy(saveVars, nextVars, varCount * sizeof(saveVars[0])); saveVars[varCount] = hgtaDoIntersectMore; jsCreateHiddenForm(cart, getScriptName(), saveVars, varCount+1);
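Review bot: The comments on the re-added `onChangeEnd` and on the context `onChangeStart` still call the result an "onChange command", but this hunk drops the `onChange=\"` prefix and the closing `\"`, so the pair now returns bare JavaScript that the caller attaches under an event name (the literal `"change"` newly passed to showGroupField and showTrackField). The new definition should document that contract, e.g. `/* Finish the change-handler JS: append the hidden-form submit and hand back the text as a malloc'd string; *pDy is consumed. */` — the ownership part is my reading of dyStringCannibalize, confirm. showGroupField and showTrackField are defined outside this section, so I cannot see how they register the handler; a one-line comment at onChangeEither pointing at that mechanism (presumably the nonce'd script block the commit message describes) would spare the next reader the search. Note also that the emitted `document.hiddenForm.submit();` depends on jsCreateHiddenForm in doIntersectMore, which lies past the end of this hunk, so the two should be documented as a pair.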