97e8b7ff52a2f4fb0b62d7015aab593346bc3a65 galt Fri Feb 3 11:48:36 2017 -0800 stripJsEmbedded is probably obsolete.
diff --git src/hg/js/subCfg.js src/hg/js/subCfg.js
index ad712cb..64c582a 100644
--- src/hg/js/subCfg.js
+++ src/hg/js/subCfg.js
@@ -1,16 +1,16 @@
-// subCfg the subtrack Configureation module (scm) for hgTrackUi
+// subCfg the subtrack Configuration module (scm) for hgTrackUi
 //
 // This module is for subtrack level config embedded dialogs in hgTrackUi.
 // Subtrack config dialogs are embedded in the subtrack table and get populated when first
 // opened. Composite and view level controls (parents) when updated override related
 // subtrack controls (children). Subtrack controls, when updated overide parent controls
 // for the one subtrack. Controls wil get class 'changed' added when changes are made.
 // When the form is submitted, all controls not marked as "changed" will be unnamed and will
 // therefore not make it into the cart.
 // Definitions as used here:
 // obj: an input or select style html control which may be marked as "changed"
 // parentObj: composite or view level obj which has subtrack level childObjs associated
 // childObj: subtrack level obj that has composite and or view level parentObjs
 // cfg: subtrack level embedded dialog which can be opened or closed (hidden) and isn't
 // populated till first opened. Can also be a viewCfg and maybe a compositeCfg
@@ -491,63 +491,81 @@
 count++;
 }
 });
 }
 if (count > 1) // if hasChanged() is working, there should never be more than one
 warn('DEBUG: Both composite and view are seen as updated! ' + 'Named update is not working.');
 }
 },
 currentCfg: undefined, // keep track of cfg while ajaxing, man
 currentSub: undefined, // keep track of subtrack while ajaxing, dude
 cfgFill: function (content, status) { // Finishes the population of a subtrack cfg. Called by ajax return.
+
+ var pageNonce = getNonce();
+
+ var ajaxNonce = stripNonce(content, false);
+
+ var jsNonce = stripJsNonce(content, ajaxNonce, false);// DEBUG msg with true
+
 var ix;
 var cfg = subCfg.currentCfg;
 subCfg.currentCfg = undefined;
 var cleanHtml = content;
 cleanHtml = stripJsFiles(cleanHtml,true); // DEBUG msg with true
 cleanHtml = stripCssFiles(cleanHtml,true); // DEBUG msg with true
- cleanHtml = stripJsEmbedded(cleanHtml,true);// DEBUG msg with true
+ // Obsoleted by CSP2 nonce js?
+ //cleanHtml = stripJsEmbedded(cleanHtml,true);// DEBUG msg with true
 if (subCfg.visIndependent) {
 ix = cleanHtml.indexOf('</SELECT>');
 if (ix > 0) cleanHtml = cleanHtml.substring(ix+'</SELECT>'.length);
 while(cleanHtml.length > 0) {
 ix = cleanHtml.search("<");
 cleanHtml = cleanHtml.substring(ix);
 ix = cleanHtml.search(/<BR\>/i);
 if (ix !== 0) break; // Not found or not at start.
 else cleanHtml = cleanHtml.substring(4); // skip past <BR> and continue
 }
 } else {
 ix = cleanHtml.indexOf('<B>Display mode: </B>');
 if (ix > 0) // Excludes vis!
 cleanHtml = cleanHtml.substring(ix+'<B>Display mode: </B>'.length);
 }
 //cleanHtml = cleanHtml.substring(ix);
 ix = cleanHtml.indexOf('</FORM>'); // start of form already chipped off
 if (ix > 0) cleanHtml = cleanHtml.substring(0,ix - 1);
 cleanHtml = "<div class='blueBox' style='background-color:#FFF9D2; padding:0.5em 1em 1em;'>" + cleanHtml + "</div>";
 $(cfg).html(cleanHtml);
+
+ // append ajax js blocks with nonce
+ for (i=0; i<jsNonce.length; ++i) {
+ var sTag = document.createElement("script");
+ sTag.type = "text/javascript";
+ sTag.text = jsNonce[i];
+ sTag.setAttribute('nonce', pageNonce); // CSP2 Requires
+ document.head.appendChild(sTag);
+ }
+
 $(cfg).addClass('filled');
 var boxWithin = $(cfg).find('.blueBox');
 if (boxWithin.length > 1) $(boxWithin[1]).removeClass('blueBox');
 //$(cfg).html("<div style='font-size:.9em;'>" + cleanHtml + "</div>");
 var subObjs = $(cfg).find('input,select').filter("[name]");
 if (subObjs.length === 0) {
 warn('DEBUG: Did not find controls for cfg: ' + cfg.id);
 return;
 }
 $(subObjs).each(function (i) {
 if (this.name) { // The filter("[name]") above didn't do it!
 if (this.type !== 'hidden') {
 subCfg.inheritSetting(this,false); // updates any values that have been changed