a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/hgUserSuggestion/hgUserSuggestion.c src/hg/hgUserSuggestion/hgUserSuggestion.c index ddfccc8..2b99f04 100644 --- src/hg/hgUserSuggestion/hgUserSuggestion.c +++ src/hg/hgUserSuggestion/hgUserSuggestion.c @@ -144,31 +144,32 @@ "Command-line Utilities", "Others"}; int i; for(i=0;i<5;i++) { if (strcmp(cat[i], category)==0) return TRUE; } return FALSE; } /* javascript functions */ void printMainForm() /* Create the main suggestion form */ { hPrintf( - " <FORM ACTION=\"../cgi-bin/hgUserSuggestion?do.suggestSendMail=1\" METHOD=\"POST\" ENCTYPE=\"multipart/form-data\" NAME=\"mainForm\" onLoad=\"document.forms.mainForm.name.focus()\">\n"); + " <FORM ACTION=\"../cgi-bin/hgUserSuggestion?do.suggestSendMail=1\" METHOD=\"POST\" ENCTYPE=\"multipart/form-data\" NAME=\"mainForm\" id='mainForm'>\n"); +jsOnEventById("load","mainForm","document.forms.mainForm.name.focus();"); hPrintf( "<H2>User Suggestion Form</H2>\n" "<P>If you have ideas about how we can improve the value of the Genome Browser to your research, " "we'd like to hear from you. Please provide a concise description below. " "A copy of the suggestion will be sent to your email address along with a reference number. " "You may follow up on the status of your request at any time by <a href=\"../contacts.html#followup\">contacting us</a> and quoting the reference number.</P>"); hPrintf("<P>Please note: this form is not the proper place to submit questions regarding browser use or bug reports. Use the links on our <a href=\"../contacts.html\">contact page</a> instead.</P>"); hPrintf("<HR><BR>"); hPrintf( " <div id=\"suggest\"> \n" " <label for=\"name\">Your Name:</label><input type=\"text\" name=\"suggestName\" id=\"name\" size=\"50\"style=\"margin-left:20px\" maxlength=\"256\"/><BR><BR>\n" " <label for=\"email\">Your Email:</label><input type=\"text\" name=\"suggestEmail\" id=\"email\" size=\"50\" style=\"margin-left:70px\" maxlength=\"254\"/><BR><BR>\n" " <label for=\"confirmEmail\">Re-enter Your Email:</label><input type=\"text\" \n" " name=\"suggestCfmEmail\" id=\"cfmemail\" size=\"50\" style=\"margin-left:20px\" maxlength=\"254\"/><BR><BR>\n"); hPrintf( @@ -180,165 +181,157 @@ " <option>Others</option>\n" " </select><BR><BR>\n"); hPrintf( " <label for=\"summary\">Summary:</label><input type=\"text\" name=\"suggestSummary\" id=\"summary\" size=\"74\" style=\"margin-left:20px\" maxlength=\"256\"/><BR><BR>\n" " <label for=\"details\">Details:</label><BR><textarea name=\"suggestDetails\" id=\"details\" cols=\"100\" rows=\"15\" maxlength=\"4096\"></textarea><BR><BR>\n" "<input type=\"text\" name=\"suggestWebsite\" style=\"display: none;\" />" " </div>\n"); hPrintf( " <p>\n" " <label for=\"code\">Enter the following value below: <span id=\"txtCaptchaDiv\" style=\"color:#F00\"></span><BR> \n" " <input type=\"hidden\" id=\"txtCaptcha\" /></label>\n" " <input type=\"text\" name=\"txtInput\" id=\"txtInput\" size=\"30\" />\n" " </p>\n"); hPrintf( " <div class=\"formControls\">\n" - " <input id=\"sendButton\" type=\"button\" value=\"Send\" onclick=\"submitform()\"/> \n" + " <input id=\"sendButton\" type=\"button\" value=\"Send\"> \n" " <input type=\"reset\" name=\"suggestClear\" value=\"Clear\" class=\"largeButton\"> \n" " </div>\n" " \n" " </FORM>\n\n"); +jsOnEventById("click","sendButton","submitform();"); } void printValidateScript() /* javascript to validate form inputs */ { -hPrintf( - " <script type=\"text/javascript\">\n" +jsInline( " function validateMainForm(theform)\n" " {\n" " var x=theform.suggestName.value;\n" " if (x==null || x==\"\")\n" " {\n" " alert(\"Name field must be filled out\");\n" " theform.suggestName.focus() ;\n" " return false;\n" - " }\n"); -hPrintf( + " }\n" " var y=theform.suggestEmail.value;\n" " if (y==null || y==\"\")\n" " {\n" " alert(\"Email field must be filled out\");\n" " theform.suggestEmail.focus() ;\n" " return false;\n" " }\n" " if (!validateMailAddr(theform.suggestEmail.value))\n" " {\n" " alert(\"Not a valid e-mail address\");\n" " theform.suggestEmail.focus() ;\n" " return false;\n" " }\n" " var str1 = theform.suggestEmail.value;\n" " var str2 = theform.suggestCfmEmail.value;\n" " if (str2==null || str2==\"\")\n" " {\n" " alert(\"Please re-enter your email address.\");\n" " theform.suggestCfmEmail.focus();\n" " return false;\n" " }\n" " if (str1 != str2)\n" " {\n" " alert(\"Email addresses do not match, please re-enter.\");\n" " theform.suggestCfmEmail.focus();\n" " return false;\n" - " }\n"); -hPrintf( + " }\n" " var y=theform.suggestSummary.value;\n" " if (y==null || y==\"\")\n" " {\n" " alert(\"Summary field must be filled out\");\n" " theform.suggestSummary.focus() ;\n" " return false;\n" " } \n" " return true; \n" - " }"); -hPrintf( + " }" " function validateMailAddr(x)\n" " {\n" " var atpos=x.indexOf(\"@\");\n" " var dotpos=x.lastIndexOf(\".\");\n" " if (atpos<1 || dotpos<atpos+2 || dotpos+2>=x.length)\n" " {\n" " return false;\n" " } \n" " return true;\n" " }\n" - " </script><br />\n\n"); + ); } void printCheckCaptchaScript() /* javascript to check CAPTCHA code */ { -hPrintf( - " <script type=\"text/javascript\">\n" +jsInline( " // The Simple JavaScript CAPTCHA Generator code is copied from typicalwhiner.com/190/simple-javascript-captcha-generator \n" " function checkCaptcha(theform){\n" " var why = \"\";\n" " \n" " if(theform.txtInput.value == \"\"){\n" " why += \"- Security code should not be empty.\";\n" " }\n" " if(theform.txtInput.value != \"\"){\n" " if(ValidCaptcha(theform.txtInput.value) == false){\n" " why += \"- Security code did not match.\";\n" " }\n" " }\n" " if(why != \"\"){\n" " alert(why);\n" " theform.txtInput.focus() ;\n" " return false;\n" " }\n" " return true;\n" - " }\n\n"); -hPrintf( + " }\n\n" " var a = Math.ceil(Math.random() * 9)+ '';\n" " var b = Math.ceil(Math.random() * 9)+ '';\n" " var c = Math.ceil(Math.random() * 9)+ '';\n" " var d = Math.ceil(Math.random() * 9)+ '';\n" " var e = Math.ceil(Math.random() * 9)+ '';\n\n" " var code = a + b + c + d + e;\n" " document.getElementById(\"txtCaptcha\").value = code;\n" - " document.getElementById(\"txtCaptchaDiv\").innerHTML = code;\n\n"); -hPrintf( + " document.getElementById(\"txtCaptchaDiv\").innerHTML = code;\n\n" " function ValidCaptcha(){\n" " var str1 = removeSpaces(document.getElementById('txtCaptcha').value);\n" " var str2 = removeSpaces(document.getElementById('txtInput').value);\n" " if (str1 == str2){\n" " return true;\n" " } else {\n" " return false;\n" " }\n" - " }\n\n"); -hPrintf( + " }\n\n" " function removeSpaces(string){\n" " return string.split(' ').join('');\n" " }\n" - " </script><br />\n\n"); + ); } void printSubmitFormScript() /* javascript to submit form */ { -hPrintf( - " <script type=\"text/javascript\">\n" +jsInline( " function submitform()\n" " {\n" " if ( validateMainForm(document.forms[\"mainForm\"]) && checkCaptcha(document.forms[\"mainForm\"]))\n" " {\n" " document.forms[\"mainForm\"].submit();\n" " }\n" " }\n" - " </script>\n\n"); + ); } void printSuggestionConfirmed(char *summary, char * refID, char *userAddr, char *adminAddr, char *details) /* display suggestion confirm page */ { hPrintf( "<h2>Thank you for your suggestion!</h2>"); hPrintf( "<p>" "You may follow up on the status of your request at any time by " "<a href=\"../contacts.html#followup\">contacting us</a> and quoting your reference number:<BR><BR>%s<BR><BR>" "A copy of this information has also been sent to you at %s.<BR></p>", refID, userAddr); hPrintf( "<p><a href=\"hgUserSuggestion\">Click here if you wish to make additional suggestions.</a></p>"); @@ -348,56 +341,59 @@ "%s<BR>" "<B>Your suggestion details:</B><BR>" "<pre>%s</pre>" "</p>", summary, details); } void printInvalidForm() /* display invalid form page */ { hPrintf( "<h2>Invalid Form.</h2>"); hPrintf( "<p>" "The form is invalid. Please correct it and " - "<a href=\"javascript: history.go(-1)\">submit</a> again.</p>" + "<a id='goBack' >submit</a> again.</p>" ); +jsOnEventById("click", "goBack", "history.go(-1)"); } void printInvalidCategory(char *invalidCategory) /* display invalid category page */ { hPrintf( "<h2>Invalid Category.</h2>"); hPrintf( "<p>" "The category \"%s\" is invalid. Please correct it and " - "<a href=\"javascript: history.go(-1)\">submit</a> again.</p>", + "<a id='goBack'>submit</a> again.</p>", invalidCategory); +jsOnEventById("click", "goBack", "history.go(-1)"); } void printInvalidEmailAddr(char *invalidEmailAddr) /* display suggestion confirm page */ { hPrintf( "<h2>Invalid email address format.</h2>"); hPrintf( "<p>" "The email address \"%s\" is invalid. Please correct it and " - "<a href=\"javascript: history.go(-1)\">submit</a> again.</p>", + "<a id='goBack'>submit</a> again.</p>", invalidEmailAddr); +jsOnEventById("click", "goBack", "history.go(-1)"); } void sendSuggestionBack(char *sName, char *sEmail, char *sCategory, char *sSummary, char *sDetails, char *suggestID) /* send back the suggestion */ { /* parameters from hg.cong */ char *mailTo = mailToAddr(); char *mailFrom=mailFromAddr(); char *filter=filterKeyword(); char subject[512]; char msg[4608]; /* need to make larger */ safef(msg, sizeof(msg), "SuggestionID:: %s\nUserName:: %s\nUserEmail:: %s\nCategory:: %s\nSummary:: %s\n\n\nDetails::\n%s", suggestID, sName, sEmail, sCategory, sSummary, sDetails);