a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in the browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together and then emitted in a single script block at the end with a nonce that tells the browser this is js that we generated rather than js injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled throughout the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/js/jquery.plugins.js src/hg/js/jquery.plugins.js
index 9a14a52..6a0e67d 100644
--- src/hg/js/jquery.plugins.js
+++ src/hg/js/jquery.plugins.js
@@ -5,30 +5,33 @@
  * drupal.js (Jabico used this for the dropdown menus)
  * bgiframe v2.1
  * hoverIntent r5
  * Superfish v1.4.8 - jQuery menu widget
  * Superfish initialization (Add Superfish to all Nice menus with some basic options.)
  
  */
 
 
 
 /* This first one is not actually a JQuery plugin, 
 but drupal.js required for nicemenus.js to work */
 
 var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} };
 
+// moved from globalNavBar.inc to here
+jQuery.extend(Drupal.settings, { "basePath": "/", "nice_menus_options": { "delay": 800, "speed": 1 }, "thickbox": { "close": "Close", "next": "Next \x3e", "prev": "\x3c Prev", "esc_key": "or Esc Key", "next_close": "Next / Close on last", "image_count": "Image !current of !total" }, "custom_search": { "form_target": "_self", "solr": 0 } });
+
 /**
  * Set the variable that indicates if JavaScript behaviors should be applied
  */
 Drupal.jsEnabled = document.getElementsByTagName && document.createElement && document.createTextNode && document.documentElement && document.getElementById;
 
 /**
  * Attach all registered behaviors to a page element.
  *
  * Behaviors are event-triggered actions that attach to page elements, enhancing
  * default non-Javascript UIs. Behaviors are registered in the Drupal.behaviors
  * object as follows:
  * @code
  *    Drupal.behaviors.behaviorName = function () {
  *      ...
  *    };
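Review bot: The comment above the added `jQuery.extend(Drupal.settings, …)` call says where the code came from but not why it has to live in an external file. Going by the commit description, the reason is the CSP work, so I would write `// Drupal.settings defaults, formerly an inline <script> in globalNavBar.inc; kept in this external file so the page carries no inline script under CSP.` The `\x3e` and `\x3c` escapes in the thickbox strings look like a leftover from embedding in HTML; they are harmless here but could be plain `>` and `<`. `jQuery.extend` without the deep flag replaces whole nested objects such as `nice_menus_options`, which is fine only if nothing sets `Drupal.settings` before this file loads, and that cannot be confirmed from this hunk.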
@@ -193,31 +196,31 @@
     args.push(arguments[i]);
   }
 
   return (Drupal.theme[func] || Drupal.theme.prototype[func]).apply(this, args);
 };
 
 /**
  * Parse a JSON response.
  *
  * The result is either the JSON object, or an object with 'status' 0 and 'data' an error message.
  */
 Drupal.parseJson = function (data) {
   if ((data.substring(0, 1) != '{') && (data.substring(0, 1) != '[')) {
     return { status: 0, data: data.length ? data : Drupal.t('Unspecified error') };
   }
-  return eval('(' + data + ');');
+  return JSON.parse(data);
 };
 
 /**
  * Freeze the current body height (as minimum height). Used to prevent
  * unnecessary upwards scrolling when doing DOM manipulations.
  */
 Drupal.freezeHeight = function () {
   Drupal.unfreezeHeight();
   var div = document.createElement('div');
   $(div).css({
     position: 'absolute',
     top: '0px',
     left: '0px',
     width: '1px',
     height: $('body').css('height')
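Review bot: `JSON.parse(data)` throws a SyntaxError on input that starts with `{` or `[` but is not valid JSON, so `Drupal.parseJson` still cannot guarantee the `{ status: 0, data: … }` error object its doc comment promises. It is also stricter than the `eval` it replaces: single-quoted strings, unquoted keys and trailing commas are now rejected. Any server response that relied on that leniency would start throwing, though no such response is visible in this hunk. Catching the parse error and returning the documented error object keeps callers on one code path without bringing `eval` back.

```javascript
Drupal.parseJson = function (data) {
  // … unchanged: leading '{' / '[' check …
  try {
    return JSON.parse(data);
  } catch (e) {
    // Malformed or non-strict JSON: report it in the documented error shape.
    return { status: 0, data: Drupal.t('Unspecified error') };
  }
};
```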
@@ -493,33 +496,30 @@
 			var o = sf.op,
 				sh = sf.c.shadowClass+'-off',
 				$ul = this.addClass(o.hoverClass)
 					.find('>ul:hidden').css('visibility','visible');
 			sf.IE7fix.call($ul);
 			o.onBeforeShow.call($ul);
 			$ul.animate(o.animation,o.speed,function(){ sf.IE7fix.call($ul); o.onShow.call($ul); });
 			return this;
 		}
 	});
 
 })(jQuery);
 
 
 
-
-
-
 // This uses Superfish 1.4.8
 // (http://users.tpg.com.au/j_birch/plugins/superfish)
 // Add Superfish to all Nice menus with some basic options.
 (function ($) {
   $(document).ready(function() {
     $('ul.nice-menu').superfish({
       // Apply a generic hover class.
       hoverClass: 'over',
       // Disable generation of arrow mark-up.
       autoArrows: false,
       // Disable drop shadows.
       dropShadows: false,
       // Mouse delay.
       delay: Drupal.settings.nice_menus_options.delay,
       // Animation speed.