a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/hgTracks/config.c src/hg/hgTracks/config.c
index ed9bd46..6ade4e4 100644
--- src/hg/hgTracks/config.c
+++ src/hg/hgTracks/config.c
@@ -104,53 +104,63 @@
 	continue;
 
     /* check if group section should be displayed */
     char *otherState;
     char *indicator;
     char *indicatorImg;
     boolean isOpen = !isCollapsedGroup(group);
     collapseGroupGoodies(isOpen, FALSE, &indicatorImg,
                             &indicator, &otherState);
     hPrintf("<TR NOWRAP class='blueToggleBar'>");
     hPrintf("<TH NOWRAP align='left' colspan=3>");
     hPrintf("<table style='width:100%%;'><tr class='noData'><td style='text-align:left;'>");
     hPrintf("\n<A NAME='%sGroup'></A>",group->name);
     hPrintf("<input type=hidden name='%s' id='%s' value=%d>",
             collapseGroupVar(group->name),collapseGroupVar(group->name), (isOpen?0:1));
-    hPrintf("<IMG class='toggleButton' onclick=\"return vis.toggleForGroup(this,'%s');\" "
-            "id='%s_button' src='%s' alt='%s' title='%s this group'>&nbsp;&nbsp;",
-            group->name, group->name, indicatorImg, indicator,isOpen?"Collapse":"Expand");
+    hPrintf("<IMG class='toggleButton' "
+            "id='%s_togBut' src='%s' alt='%s' title='%s this group'>&nbsp;&nbsp;",
+            group->name, indicatorImg, indicator,isOpen?"Collapse":"Expand");
+    char jsText[256];
+    // TODO XSS filter group->name
+    safef(jsText, sizeof jsText, "return vis.toggleForGroup(this,'%s');", group->name);
+    char idText[256];
+    safef(idText, sizeof idText, "%s_togBut", group->name);
+    jsOnEventById("click", idText, jsText);
+
     hPrintf("<B>&nbsp;%s</B> ", group->label);
     hPrintf("&nbsp;&nbsp;&nbsp;");
     hPrintf("</td><td style='text-align:right;'>\n");
-    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"%s\" "
-            "onClick=\"document.mainForm.%s.value='%s'; %s\" "
+    safef(idText, sizeof idText, "%s_hideAllBut", group->name);
+    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" id='%s' VALUE=\"%s\" "
             "title='Hide all tracks in this groups'>",
-	    configHideAll, "hide all", configGroupTarget, group->name,
-	    jsSetVerticalPosition("mainForm"));
+	    configHideAll, idText, "hide all");
+    // TODO XSS filter configGroupTarget
+    safef(jsText, sizeof jsText, "document.mainForm.%s.value='%s'; %s",
+	    configGroupTarget, group->name, jsSetVerticalPosition("mainForm"));
+    jsOnEventById("click", idText, jsText);
     hPrintf(" ");
-    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"%s\" "
-            "onClick=\"document.mainForm.%s.value='%s'; %s\" "
+    safef(idText, sizeof idText, "%s_showAllBut", group->name);
+    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" id='%s' VALUE=\"%s\" "
             "title='Show all tracks in this groups'>",
-	    configShowAll, "show all", configGroupTarget, group->name,
-	    jsSetVerticalPosition("mainForm"));
+	    configShowAll, idText, "show all");
+    jsOnEventById("click", idText, jsText);
     hPrintf(" ");
-    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" VALUE=\"%s\" "
-            "onClick=\"document.mainForm.%s.value='%s'; %s\" "
+    safef(idText, sizeof idText, "%s_defaultBut", group->name);
+    hPrintf("<INPUT TYPE=SUBMIT NAME=\"%s\" id='%s' VALUE=\"%s\" "
             "title='Show default tracks in this group'>",
-	    configDefaultAll, "default", configGroupTarget, group->name,
-	    jsSetVerticalPosition("mainForm"));
+	    configDefaultAll, idText, "default");
+    jsOnEventById("click", idText, jsText);
     hPrintf(" ");
     /* do not want all the submit buttons named the same.  It is
      * confusing to the javascript submit() function.
      */
     char submitName[256];
     safef(submitName, sizeof(submitName), "%sSubmit", group->name);
     cgiMakeButtonWithMsg(submitName, "submit","Submit your selections and view them in the browser");
     hPrintf("</td></tr></table>\n");
     hPrintf("</TH></TR>\n");
 
     /* First non-CT, non-hub group gets ruler. */
     if (!showedRuler && !isHubTrack(group->name) &&
                 differentString(group->name, "user"))
 	{
         showedRuler = TRUE;