src/hg/js/hgTracks.js f8b16feaacf8742673d634e6584ddd37ca5caa2a

f8b16feaacf8742673d634e6584ddd37ca5caa2a
galt
  Thu Feb 2 14:13:51 2017 -0800
Fixing missing ajax transfer in hgTracks popup hgTrackUi js. Note this should basically pick up the equivalent of inline event handlers like onclick= stuff.

diff --git src/hg/js/hgTracks.js src/hg/js/hgTracks.js
index 951d9f7..9c71faa 100644
--- src/hg/js/hgTracks.js
+++ src/hg/js/hgTracks.js
@@ -3488,42 +3488,61 @@
                     var urlData = cart.varsToUrlData(changedVars);
                     if (imageV2.mapIsUpdateable) {
                         imageV2.requestImgUpdate(trackName,urlData,"");
                     } else {
                         window.location = "../cgi-bin/hgTracks?" + urlData + "&hgsid=" + getHgsid();
                     }
                 }
             }
         }
     },
 
     uiDialog: function (response, status)
     {
     // Take html from hgTrackUi and put it up as a modal dialog.
 
-	//alert("Got here popUp.uiDialog"); // DEBUG REMOVE GALT
+	var pageNonce = getNonce();
+	alert('pageNonce='+pageNonce);  // DEBUG REMOVE
+
+	var ajaxNonce = stripNonce(response, false);
+	alert('ajaxNonce='+ajaxNonce);  // DEBUG REMOVE
+    
+	var jsNonce = stripJsNonce(response, ajaxNonce, false);// DEBUG msg with true
 
         // make sure all links (e.g. help links) open up in a new window
         response = response.replace(/<a /ig, "<a target='_blank' ");
 
         var cleanHtml = response;
         cleanHtml = stripJsFiles(cleanHtml,false);   // DEBUG msg with true
         cleanHtml = stripCssFiles(cleanHtml,false);  // DEBUG msg with true
         cleanHtml = stripJsEmbedded(cleanHtml,false);// DEBUG msg with true
 	//alert(cleanHtml);  // DEBUG REMOVE
         $('#hgTrackUiDialog').html("<div id='pop' style='font-size:.9em;'>"+ cleanHtml +"</div>");
 
+	// append ajax js blocks with nonce
+	var i;
+	for (i=0; i<jsNonce.length; ++i) {
+	    var sTag = document.createElement("script");
+	    sTag.type = "text/javascript";
+	    sTag.text = jsNonce[i];
+	    sTag.setAttribute('nonce', pageNonce); // CSP2 Requires
+
+	    alert("about to call appendChild on:\n"+jsNonce[i]);
+
+	    document.head.appendChild(sTag);
+	}		
+
         // Strategy for popups with js:
         // - jsFiles and CSS should not be included in html.  Here they are shluped out.
         // - The resulting files ought to be loadable dynamically (with getScript()), 
         //   but this was not working nicely with the modal dialog
         //   Therefore include files must be included with hgTracks CGI !
         // - embedded js should not be in the popup box.
         // - Somethings should be in a popup.ready() function, and this is emulated below, 
         //   as soon as the cleanHtml is added
         //   Since there are many possible popup cfg dialogs, the ready should be all inclusive.
 
         if ( ! popUp.trackDescriptionOnly ) {
             // If subtrack then vis rules differ
             var subtrack = tdbIsSubtrack(hgTracks.trackDb[popUp.trackName]) ? popUp.trackName :"";  
             // Saves the original vars (and vals) that may get changed by the popup cfg.
             popUp.saveAllVars = getAllVars( $('#hgTrackUiDialog'), subtrack );