87300988042f9b370f257fddf5a3ae0d21662851 galt Sat Feb 4 00:12:53 2017 -0800 Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
diff --git src/hg/js/hgTracks.js src/hg/js/hgTracks.js
index 1290433..3a861e4 100644
--- src/hg/js/hgTracks.js
+++ src/hg/js/hgTracks.js 
@@ -3197,35 +3197,40 @@ { // When popup closes with ok }, uiDialog: function (response, status) { // Take html from hgTracks and put it up as a modal dialog. // make sure all links (e.g. help links) open up in a new window response = response.replace(/<a /ig, "<a target='_blank' "); var cleanHtml = response; cleanHtml = stripCspHeader(cleanHtml,false); // DEBUG msg with true cleanHtml = stripJsFiles(cleanHtml,false); // DEBUG msg with true cleanHtml = stripCssFiles(cleanHtml,false); // DEBUG msg with true - cleanHtml = stripJsEmbedded(cleanHtml,false);// DEBUG msg with true + //cleanHtml = stripJsEmbedded(cleanHtml,false);// DEBUG msg with true // Obsolete by CSP2? + var nonceJs = {}; + cleanHtml = stripCSPAndNonceJs(cleanHtml, false, nonceJs); // DEBUG msg with true + cleanHtml = stripMainMenu(cleanHtml,false); // DEBUG msg with true $('#hgTracksDialog').html("<div id='pop' style='font-size:.9em;'>"+ cleanHtml +"</div>"); + appendNonceJsToPage(nonceJs); + // Strategy for popups with js: // - jsFiles and CSS should not be included in html. Here they are shluped out. // - The resulting files ought to be loadable dynamically (with getScript()), // but this was not working nicely with the modal dialog // Therefore include files must be included with hgTracks CGI ! // - embedded js should not be in the popup box. // - Somethings should be in a popup.ready() function, and this is emulated below, // as soon as the cleanHtml is added // Since there are many possible popup cfg dialogs, the ready should be all inclusive. // -- popup.ready() -- Here is the place to do things that might otherwise go // into a $('#pop').ready() routine! // Searching for some semblance of size suitability 
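Review bot: `cleanHtml = stripCspHeader(cleanHtml,false);` is still run two lines before the new `stripCSPAndNonceJs(cleanHtml, false, nonceJs)` call in hgTracks' uiDialog, while the parallel hgTrackUi uiDialog in this commit's second hunk runs no such call. If stripCSPAndNonceJs takes the nonce from the CSP header before stripping it, as the commit message suggests, removing the header first would leave nonceJs empty and the dialog's nonce'd script blocks silently dropped; if it does not, the call is redundant — either way both dialogs should run the same strip sequence, so consider dropping the stripCspHeader line here or documenting why only this path keeps it. Note too that appendNonceJsToPage re-attaches script text extracted from the response to the live document under the page's own nonce, so the only thing keeping the CSP meaningful for that content is that the response comes from the site's own CGI; a comment such as `// nonceJs is script from our own CGI response; re-nonce'ing it with the page nonce is what CSP2 requires` would make that assumption explicit. uiDialog continues past the end of this hunk.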
@@ -3464,55 +3469,44 @@ var urlData = cart.varsToUrlData(changedVars); if (imageV2.mapIsUpdateable) { imageV2.requestImgUpdate(trackName,urlData,""); } else { window.location = "../cgi-bin/hgTracks?" + urlData + "&hgsid=" + getHgsid(); } } } } }, uiDialog: function (response, status) { // Take html from hgTrackUi and put it up as a modal dialog. - var pageNonce = getNonce(); - - var ajaxNonce = stripNonce(response, false); - - var jsNonce = stripJsNonce(response, ajaxNonce, false);// DEBUG msg with true - // make sure all links (e.g. help links) open up in a new window response = response.replace(/<a /ig, "<a target='_blank' "); var cleanHtml = response; cleanHtml = stripJsFiles(cleanHtml,false); // DEBUG msg with true cleanHtml = stripCssFiles(cleanHtml,false); // DEBUG msg with true - cleanHtml = stripJsEmbedded(cleanHtml,false);// DEBUG msg with true + //cleanHtml = stripJsEmbedded(cleanHtml,false);// DEBUG msg with true // OBSOLETE BY CSP2? + var nonceJs = {}; + cleanHtml = stripCSPAndNonceJs(cleanHtml, false, nonceJs); // DEBUG msg with true + //alert(cleanHtml); // DEBUG REMOVE $('#hgTrackUiDialog').html("<div id='pop' style='font-size:.9em;'>"+ cleanHtml +"</div>"); - // append ajax js blocks with nonce - var i; - for (i=0; i<jsNonce.length; ++i) { - var sTag = document.createElement("script"); - sTag.type = "text/javascript"; - sTag.text = jsNonce[i]; - sTag.setAttribute('nonce', pageNonce); // CSP2 Requires - document.head.appendChild(sTag); - } + appendNonceJsToPage(nonceJs); // Strategy for popups with js: // - jsFiles and CSS should not be included in html. Here they are shluped out. // - The resulting files ought to be loadable dynamically (with getScript()), // but this was not working nicely with the modal dialog // Therefore include files must be included with hgTracks CGI ! // - embedded js should not be in the popup box. 
// - Somethings should be in a popup.ready() function, and this is emulated below, // as soon as the cleanHtml is added // Since there are many possible popup cfg dialogs, the ready should be all inclusive. if ( ! popUp.trackDescriptionOnly ) { // If subtrack then vis rules differ var subtrack = tdbIsSubtrack(hgTracks.trackDb[popUp.trackName]) ? popUp.trackName :""; // Saves the original vars (and vals) that may get changed by the popup cfg.
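Review bot: `//alert(cleanHtml); // DEBUG REMOVE` is a debugging leftover committed together with the new code and should be deleted rather than left commented out, as should the commented-out `stripJsEmbedded` line with its open question `// OBSOLETE BY CSP2?`. If stripCSPAndNonceJs only extracts script blocks that carry the nonce, disabling stripJsEmbedded means any other inline script in the hgTrackUi response now stays in cleanHtml and is handed to `$('#hgTrackUiDialog').html(...)`; under an enforced CSP such a block would be refused, but on a deployment without CSP it would run, so the question deserves an answer in a comment rather than a question mark. The same commented-out line and question appear in the first hunk (hgTracks uiDialog). uiDialog continues past the end of this hunk.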