a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in the browser to stop the major forms of XSS javascript injection. Javascript on pages is gathered together and then emitted in a single script block at the end, with a nonce that tells the browser that this is js we generated rather than js injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated, so you will no longer see js sprinkled throughout the page. Older browsers that support only CSP1, or that do not understand CSP at all, will still work, just without the protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/inc/web.h src/hg/inc/web.h
index 6bbb429..2b76e41 100644
--- src/hg/inc/web.h
+++ src/hg/inc/web.h
@@ -95,131 +95,134 @@
 /* End HTML that was started with webStartJWest/ */
 
 void webVaWarn(char *format, va_list args);
 /* Warning handler that closes off web page. */
 
 boolean webGotWarnings();
 /* Return TRUE if webVaWarn has been called. */
 
 void webAbort(char* title, char* format, ...)
 /* an abort function that outputs a error page */
 #if defined(__GNUC__)
 __attribute__((format(printf, 2, 3)))
 #endif
 ;
 
-void printCladeListHtml(char *genome, char *onChangeText);
+void printCladeListHtml(char *genome, char *event, char *javascript);
 /* Make an HTML select input listing the clades. */
 
-void printGenomeListHtml(char *db, char *onChangeText);
-/* Prints to stdout the HTML to render a dropdown list containing
- * a list of the possible genomes to choose from.
- * param db - The database whose genome will be selected by default.
+void printGenomeListHtml(char *db, char *event, char *javascript);
+/* Prints to stdout the HTML to render a dropdown list
+ * containing a list of the possible genomes to choose from.
+ * param db - a database whose genome will be the default genome.
  *                       If NULL, no default selection.
- * param onChangeText - Optional (can be NULL) text to pass in any
- * onChange javascript.
- */
+ * param event e.g. "change"
+ *   javascript - Optional (can be NULL) onEvent javascript. */
 
-void printBlatGenomeListHtml(char *db, char *onChangeText);
-/* Prints to stdout the HTML to render a dropdown list containing
- * a list of the possible genomes to choose from.
- * param db - The database whose genome will be selected by default.
+void printBlatGenomeListHtml(char *db, char *event, char *javascript);
+/* Prints to stdout the HTML to render a dropdown list
+ * containing a list of the possible genomes to choose from.
+ * param db - a database whose genome will be the default genome.
  *                       If NULL, no default selection.
- * param onChangeText - Optional (can be NULL) text to pass in any
- * onChange javascript.
- */
+ * param event e.g. "change"
+ *   javascript - Optional (can be NULL) onEvent javascript. */
 
 void printLiftOverGenomeList(char *customOrgCgiName, char *db,
-			     struct dbDb *dbList, char *onChangeText);
+			     struct dbDb *dbList, char *event, char *javascript);
 /* Prints to stdout the HTML to render a dropdown list
  * containing a list of the possible genomes to choose from.
  * Databases in dbList do not have to exist.
  * param db - a database whose genome will be the default genome.
  *                       If NULL, no default selection.
- * param onChangeText - Optional (can be NULL) text to pass in
- *                              any onChange javascript. */
+ * param event e.g. "change"
+ *   javascript - Optional (can be NULL) onEvent javascript. */
 
-void printSomeGenomeListHtmlNamed(char *customOrgCgiName, char *db, struct dbDb *dbList, char *OnChangeText);
+void printSomeGenomeListHtmlNamed(char *customOrgCgiName, char *db, struct dbDb *dbList, char *event, char *javascript);
+/* Prints to stdout the HTML to render a dropdown list
+ * containing a list of the possible genomes to choose from.
+ * param db - a database whose genome will be the default genome.
+ *                       If NULL, no default selection.
+ * param event e.g. "change"
+ *   javascript - Optional (can be NULL) onEvent javascript. */
 
-void printSomeGenomeListHtml(char *db, struct dbDb *dbList, char *onChangeText);
+void printSomeGenomeListHtml(char *db, struct dbDb *dbList, char *event, char *javascript);
 /* Prints to stdout the HTML to render a dropdown list
  * containing a list of the possible genomes to choose from.
  * param db - a database whose genome will be the default genome.
  *                       If NULL, no default selection.
- * param onChangeText - Optional (can be NULL) text to pass in
- *                              any onChange javascript. */
+ * param event e.g. "change"
+ *   javascript - Optional (can be NULL) onEvent javascript. */
 
-void printGenomeListForCladeHtml(char *db, char *onChangeText);
+void printGenomeListForCladeHtml(char *db, char *event, char *javascript);
 /* Prints to stdout the HTML to render a dropdown list containing
- * a list of the possible genomes from db's clade to choose from.
- * db's genome is the default for the select.
+ * a list of the possible genomes from selOrganism's clade to choose from.
+ * selOrganism is the default for the select.
  */
 
 void webPushErrHandlers();
 /* Push warn and abort handler for errAbort(). */
 
 void webPushErrHandlersCartDb(struct cart *cart, char *db);
 /* Push warn and abort handler for errAbort(); save cart and db for use in handlers. */
 
 void webPopErrHandlers();
 /* Pop warn and abort handler for errAbort(). */
 
-void printAssemblyListHtml(char *curDb, char *onChangeText);
+void printAssemblyListHtml(char *db, char *event, char *javascript);
 /*
 Prints to stdout the HTML to render a dropdown list containing a list of the possible
 assemblies to choose from.
 
 param curDb - The assembly (the database name) to choose as selected.
 If NULL, no default selection.
  */
 
-void printAssemblyListHtmlExtra(char *curDb, char *javascript);
+void printAssemblyListHtmlExtra(char *db, char *event, char *javascript);
 /*
 Prints to stdout the HTML to render a dropdown list containing a list of the possible
 assemblies to choose from.
 
 param curDb - The assembly (the database name) to choose as selected.
 If NULL, no default selection.
 param javascript - The javascript text for the select box
  */
 
-void printSomeAssemblyListHtml(char *db, struct dbDb *dbList, char *javascript);
+void printSomeAssemblyListHtml(char *db, struct dbDb *dbList, char *event, char *javascript);
 /* Find all assemblies from the list that are active, and print
  * HTML to render dropdown list
  * param db - default assembly.  If NULL, no default selection */
 
 void printSomeAssemblyListHtmlNamed(char *name, char *db, struct dbDb *dbList, char *onChangeText);
 /* Find all assemblies from the list that are active, and print
  * HTML to render dropdown list
  * param db - default assembly.  If NULL, no default selection */
 
 void printAllAssemblyListHtmlParm(char *db, struct dbDb *dbList,
-                            char *dbCgi, bool allowInactive, char *javascript);
+                            char *dbCgi, bool allowInactive, char *event, char *javascript);
 /* Prints to stdout the HTML to render a dropdown list containing the list
-of assemblies for the current genome to choose from.  By default,
- this includes only active assemblies with a database (with the
- exception of the default assembly, which will be included even
- if it isn't active).
-
-param db - The default assembly (the database name) to choose as selected.
-                If NULL, no default selection.
-param allowInactive - if set, print all assemblies for this genome,
-                        even if they're inactive or have no database
+ * of assemblies for the current genome to choose from.  By default,
+ * this includes only active assemblies with a database (with the
+ * exception of the default assembly, which will be included even
+ * if it isn't active).
+ *  param db - The default assembly (the database name) to choose as selected.
+ *             If NULL, no default selection.
+ *  param allowInactive - if set, print all assemblies for this genome,
+ *                        even if they're inactive or have no database
  */
 
 void printSomeAssemblyListHtmlParm(char *db, struct dbDb *dbList,
-                                        char *dbCgi, char *javascript);
+                                        char *dbCgi, char *event, char *javascript);
 /* Find all the assemblies from the list that are active.
 Prints to stdout the HTML to render a dropdown list containing the list
 of the possible assemblies to choose from.
 
 param db - The default assembly (the database name) to choose as selected.
                 If NULL, no default selection.
  */
 
 void printOrgAssemblyListAxtInfo(char *dbCgi, char *javascript);
 /* Find all the organisms/assemblies that are referenced in axtInfo,
  * and print the dropdown list. */
 
 void printBlatAssemblyListHtml(char *curDb);
 /*
 Prints to stdout the HTML to render a dropdown list containing a list of the possible