a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/hgTracks/hgTracks.c src/hg/hgTracks/hgTracks.c index 76eef91..8162e6c 100644 --- src/hg/hgTracks/hgTracks.c +++ src/hg/hgTracks/hgTracks.c @@ -714,31 +714,34 @@ // but in virtMode we may be in a window that is smaller than the ideo width // so temporarily set them to the actual ideo graphic offset and width int saveInsideX = insideX; int saveInsideWidth = insideWidth; insideX = textWidth+4; insideWidth = ideoWidth-insideX; ideoTrack->drawItems(ideoTrack, winStart, winEnd, hvg, insideX, gfxBorder, insideWidth, font, ideoTrack->ixColor, ideoTrack->limitedVis); insideX = saveInsideX; insideWidth = saveInsideWidth; hvGfxUnclip(hvg); /* Save out picture and tell html file about it. */ hvGfxClose(&hvg); /* Finish map. */ if (!psOutput) + { hPrintf("\n"); + jsInline("$('area.cytoBand').click(function(){return false;});\n"); + } } // create an empty hidden-map place holder which can change dynamically with ajax callbacks. if (!doIdeo && !psOutput) { hPrintf("\n", mapName); hPrintf("\n"); } hPrintf(""); if (!psOutput) { // by default, create an empty hidden ideo place holder for future dynamic ajax update char *srcPath = ""; char *style = "display: none;"; @@ -6459,30 +6462,31 @@ /* or maybe errabort ? */ label[3] = 0; len = 4; } if (len % 2 != 0) paddedLabel[3] = 0; if (len == strlen(paddedLabel)) strcpy(paddedLabel, label); else { int i; for (i=0; itdb)) { assert(track->tdb->parent != NULL); if (sameString("hide", cartUsualString(cart, track->tdb->parent->track, track->tdb->parent->isShow ? "show" : "hide"))) track->visibility = tvHide; } } struct track *rFindTrackWithTable(char *tableName, struct track *trackList) @@ -7213,30 +7217,32 @@ sharedErrMsg = tg->networkErrMsg; break; } } if (sharedErrMsg) { for (tg=track; tg; tg=tg->nextWindow) { tg->networkErrMsg = sharedErrMsg; tg->drawItems = bigDrawWarning; tg->totalHeight = bigWarnTotalHeight; } } } + + void doTrackForm(char *psOutput, struct tempName *ideoTn) /* Make the tracks display form with the zoom/scroll buttons and the active * image. If the ideoTn parameter is not NULL, it is filled in if the * ideogram is created. */ { struct group *group; struct track *track; char *freezeName = NULL; boolean hideAll = cgiVarExists("hgt.hideAll"); boolean defaultTracks = cgiVarExists("hgt.reset"); boolean showedRuler = FALSE; boolean showTrackControls = cartUsualBoolean(cart, "trackControlsOnMain", TRUE); long thisTime = 0, lastTime = 0; basesPerPixel = ((float)virtWinBaseCount) / ((float)fullInsideWidth); @@ -7794,35 +7800,35 @@ hPrintf("
\n\n", hgTracksName()); hPrintf("%s", trackGroupsHidden2->string); freeDyString(&trackGroupsHidden1); freeDyString(&trackGroupsHidden2); if (!psOutput) cartSaveSession(cart); /* Put up hgsid= as hidden variable. */ hPrintf("
"); } /* Make line that says position. */ { char buf[256]; char *survey = cfgOptionEnv("HGDB_SURVEY", "survey"); char *surveyLabel = cfgOptionEnv("HGDB_SURVEY_LABEL", "surveyLabel"); - char *javascript = "onchange=\"document.location = '/cgi-bin/hgTracks?db=' + document.TrackForm.db.options[document.TrackForm.db.selectedIndex].value;\""; + char *javascript = "document.location = '/cgi-bin/hgTracks?db=' + document.TrackForm.db.options[document.TrackForm.db.selectedIndex].value;"; if (containsStringNoCase(database, "zoo")) { hPuts("Organism "); - printAssemblyListHtmlExtra(database, javascript); + printAssemblyListHtmlExtra(database, "change", javascript); } if (virtualSingleChrom()) // DISGUISE VMODE safef(buf, sizeof buf, "%s", windowsSpanPosition()); else safef(buf, sizeof buf, "%s:%ld-%ld", virtChromName, virtWinStart+1, virtWinEnd); position = cloneString(buf); hPrintf("%s", addCommasToPos(database, position)); hPrintf("\n", buf); sprintLongWithCommas(buf, virtWinEnd - virtWinStart); hPrintf(" %s bp. ", buf); hPrintf("\n"); hWrites(" "); hButton("hgt.jump", "go"); @@ -7970,40 +7976,41 @@ { cgiMakeButtonWithMsg(TRACK_SEARCH, TRACK_SEARCH_BUTTON,TRACK_SEARCH_HINT); hPrintf(" "); } hButtonWithMsg("hgt.reset", "default tracks","Display only default tracks"); hPrintf(" "); hButtonWithMsg("hgt.defaultImgOrder", "default order", "Display current tracks in their default order"); // if (showTrackControls) - always show "hide all", Hiram 2008-06-26 { hPrintf(" "); hButtonWithMsg("hgt.hideAll", "hide all","Hide all currently visibile tracks"); } hPrintf(" "); - hPrintf("", + hPrintf("", hasCustomTracks ? CT_MANAGE_BUTTON_LABEL : CT_ADD_BUTTON_LABEL, hasCustomTracks ? "Manage your custom tracks" : "Add your own custom tracks"); + jsOnEventById("click", "ct_add", "document.customTrackForm.submit();return false;"); hPrintf(" "); if (hubConnectTableExists()) { - hPrintf(""); + jsOnEventById("click", "th_form", "document.trackHubForm.submit();"); hPrintf(" "); } hButtonWithMsg("hgTracksConfigPage", "configure","Configure image and track selection"); hPrintf(" "); hButtonWithOnClick("hgTracksConfigMultiRegionPage", "multi-region", "Configure multi-region display options", "popUpHgt.hgTracks('multi-region config'); return false;"); hPrintf(" "); if (!hIsGsidServer()) { hButtonWithMsg("hgt.toggleRevCmplDisp", "reverse", revCmplDisp ? "Show forward strand at this location" : "Show reverse strand at this location"); @@ -8067,41 +8074,53 @@ char *indicator; char *indicatorImg; boolean isOpen = !isCollapsedGroup(group); collapseGroupGoodies(isOpen, TRUE, &indicatorImg, &indicator, &otherState); hPrintf("
"); cg->rowOpen = TRUE; if (!hIsGsidServer()) hPrintf("\n"); controlGridEndRow(cg); /* Base Position track goes into map group, which will always exist. */ if (!showedRuler && sameString(group->name, "map") ) { char *url = trackUrl(RULER_TRACK_NAME, chromName); showedRuler = TRUE; myControlGridStartCell(cg, isOpen, group->name); hPrintf("", url); hPrintf(" %s
", RULER_TRACK_LABEL); hPrintf(""); hDropListClassWithStyle("ruler", rulerMenu, @@ -8710,33 +8729,35 @@ // ajax callback to convert chrom position to virt chrom position if (cartVarExists(cart, "hgt.convertChromToVirtChrom")) { position = cartString(cart, "hgt.convertChromToVirtChrom"); char nvh[256]; safef(nvh, sizeof nvh, "%s.%s", database, position); cartSetString(cart, "nonVirtHighlight", nvh); parseNonVirtPosition(position); if (findNearestVirtMatch(chromName, winStart, winEnd, FALSE, &virtWinStart, &virtWinEnd)) { struct jsonElement *jsonForConvert = NULL; jsonForConvert = newJsonObject(newHash(8)); jsonObjectAdd(jsonForConvert, "virtWinStart", newJsonNumber(virtWinStart)); jsonObjectAdd(jsonForConvert, "virtWinEnd", newJsonNumber(virtWinEnd)); - hPrintf("\n"); + + struct dyString *dy = dyStringNew(1024); + jsonDyStringPrint(dy, (struct jsonElement *) jsonForConvert, "convertChromToVirtChrom", 0); + jsInline(dy->string); + dyStringFree(&dy); } return; } lastVirtModeExtraState = cartUsualString(cart, "lastVirtModeExtraState", lastVirtModeExtraState); // DISGUISED POSITION if (!startsWith("virt:", position) && (virtualSingleChrom())) { // "virtualSingleChrom trying to find best vchrom location corresponding to chromName, winStart, winEnd findNearest = TRUE; // try to find the nearest match if (!(chromName && findNearestVirtMatch(chromName, winStart, winEnd, findNearest, &virtWinStart, &virtWinEnd))) { // create 1k window near middle of vchrom @@ -9386,99 +9407,105 @@ /* Reset vars except for position and database. */ { static char *except[] = {"db", "position", NULL}; char *cookieName = hUserCookie(); char *sessionId = cgiOptionalString(cartSessionVarName()); char *userId = findCookieData(cookieName); struct cart *oldCart = cartNew(userId, sessionId, NULL, NULL); cartRemoveExcept(oldCart, except); cartCheckout(&oldCart); cgiVarExcludeExcept(except); } void setupHotkeys(boolean gotExtTools) /* setup keyboard shortcuts and a help dialog for it */ { +struct dyString *dy = dyStringNew(1024); // wire the keyboard hotkeys -hPrintf("\n"); +jsInline(dy->string); +dyStringFree(&dy); // help dialog hPrintf("
\n"); hPrintf("
",MAX_CONTROL_COLUMNS); else hPrintf("", MAX_CONTROL_COLUMNS-1); hPrintf("
"); hPrintf("\n",group->name); - hPrintf("\"%s\"  ", - group->name, group->name, indicatorImg, indicator,isOpen?"Collapse":"Expand"); + group->name, indicatorImg, indicator,isOpen?"Collapse":"Expand"); + char jsText[256]; + safef(jsText, sizeof jsText, "return vis.toggleForGroup(this, '%s');", group->name); + char idText[256]; + safef(idText, sizeof idText, "%s_button", group->name); + jsOnEventById("click", idText, jsText); + hPrintf("\n%s", group->label); hPrintf("\n"); if (isHubTrack(group->name)) - hPrintf("\n", &group->name[sizeof hubTrackPrefix - 1]); + { + hPrintf("\n"); + safef(jsText, sizeof jsText, + "document.disconnectHubForm.elements['hubId'].value='%s';" + "document.disconnectHubForm.submit();return true;", + &group->name[sizeof hubTrackPrefix - 1]); + jsOnEventById("click", "hub_disconn", jsText); + } + hPrintf("\n"); hPrintf("
\n"); hPrintf("\n"); // percent sign hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); // percent sign hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); hPrintf("\n"); @@ -9686,37 +9713,38 @@ } if (cartVarExists(cart, "hgt.convertChromToVirtChrom")) { cartRemove(cart, "hgt.convertChromToVirtChrom"); return; } jsonObjectAdd(jsonForClient, "measureTiming", newJsonBoolean(measureTiming)); // js code needs to know if a highlightRegion is defined for this db char *highlightDef = cartOptionalString(cart, "highlight"); if (highlightDef && startsWith(database,highlightDef) && highlightDef[strlen(database)] == '.') jsonObjectAdd(jsonForClient, "highlight", newJsonString(highlightDef)); jsonObjectAdd(jsonForClient, "enableHighlightingDialog", newJsonBoolean(cartUsualBoolean(cart, "enableHighlightingDialog", TRUE))); -hPrintf("\n"); + +struct dyString *dy = dyStringNew(1024); +jsonDyStringPrint(dy, (struct jsonElement *) jsonForClient, "hgTracks", 0); +jsInline(dy->string); +dyStringFree(&dy); boolean gotExtTools = extToolsEnabled(); setupHotkeys(gotExtTools); if (gotExtTools) printExtMenuData(); if (measureTiming) measureTime("Time at end of doMiddle, next up cart write"); if (cartOptionalString(cart, "udcTimeout")) { warn("The Genome Browser cart currently includes the \"udcTimeout\" string. " "While this is useful for debugging hubs, it may negatively impact " "performance. To clear this variable, click " "here.",cartSessionId(cart)); } - }
left 10%ctrl+j track searcht then s
left 1/2 screenj default tracksd then t
left one screenJ default orderd then o
right 10%ctrl+l hide allh then a
right 1/2 screenl custom tracksc then t
right one screenL track hubst then h
zoom in 1.5xctrl+i configurec then f
zoom in 3xi reverser then v
zoom in 10xI resizer then s
zoom in base levelb refreshr then f
zoom out 1.5xctrl+k jump to position box/