97e8b7ff52a2f4fb0b62d7015aab593346bc3a65 galt Fri Feb 3 11:48:36 2017 -0800 stripJsEmbedded is probably obsolete.
diff --git src/hg/js/utils.js src/hg/js/utils.js
index 7a9361f..2cfefd4 100644
--- src/hg/js/utils.js
+++ src/hg/js/utils.js
@@ -1599,31 +1599,46 @@ d = d + s.charAt(i++); } } return d; } function jsDecode(s) // For JS string values decode "\xHH" { return nonAlphaNumericHexDecodeText(s, "\\x", ""); } function stripJsEmbedded(returnedHtml, debug, whatWeDid) -{ // strips embedded javascript from html returned by ajax +{ + // GALT NOTE: this may have been mostly obsoleted by CSP2 changes. + // There were 3 or 4 places in the code that even in production + // had called this function stripJsEmbedded with debug=true, which means that + // if any script tag blocks are present, they would be seen and shown + // to the user. This probably was because if these blocks were found + // simply adding them to the div html from the ajax callback would result in + // their being ignored by the browser. It seems to be a security feature of browsers. + // Meanwhile however inline event handlers in the html worked and were allowed. + // So this was just a way to warn developers that their script blocks would have been ignored + // and have no effect. I think this concern no longer applies after my CSP2 changes + // because it is able to pull in all the js, whether from event handlers or what would + // have been individual script blocks in the old days, and adds it to + // the page with a nonce and appendChild. + // + // strips embedded javascript from html returned by ajax // NOTE: any warnBox style errors will be put into the warnBox // If whatWeDid !== null, we use it to return info about // what we stripped out and processed (current just warnMsg). var cleanHtml = returnedHtml; // embedded javascript? while (cleanHtml.length > 0) { var begPattern = //i; var endPattern = /<\/script\>/i; var bounds = bindings.outside(begPattern,endPattern,cleanHtml); if (bounds.start === -1) break; var jsEmbeded = cleanHtml.slice(bounds.start,bounds.stop); if (-1 === jsEmbeded.indexOf("showWarnBox")) { if (debug)