src/hg/js/utils.js 97e8b7ff52a2f4fb0b62d7015aab593346bc3a65

97e8b7ff52a2f4fb0b62d7015aab593346bc3a65
galt
  Fri Feb 3 11:48:36 2017 -0800
stripJsEmbedded is probably obsolete.

diff --git src/hg/js/utils.js src/hg/js/utils.js
index 7a9361f..2cfefd4 100644
--- src/hg/js/utils.js
+++ src/hg/js/utils.js
@@ -1599,31 +1599,46 @@
 	    d = d + s.charAt(i++);
 	}
 }
 return d;
 }
 
 
 function jsDecode(s)
 // For JS string values decode "\xHH" 
 {
 return nonAlphaNumericHexDecodeText(s, "\\x", "");
 }
 
 
 function stripJsEmbedded(returnedHtml, debug, whatWeDid)
-{ // strips embedded javascript from html returned by ajax
+{ 
+  // GALT NOTE: this may have been mostly obsoleted by CSP2 changes.
+  // There were 3 or 4 places in the code that even in production
+  // had called this function stripJsEmbedded with debug=true, which means that
+  // if any script tag blocks are present, they would be seen and shown
+  // to the user.  This probably was because if these blocks were found
+  // simply adding them to the div html from the ajax callback would result in 
+  // their being ignored by the browser. It seems to be a security feature of browsers.
+  // Meanwhile however inline event handlers in the html worked and were allowed.
+  // So this was just a way to warn developers that their script blocks would have been ignored
+  // and have no effect. I think this concern no longer applies after my CSP2 changes
+  // because it is able to pull in all the js, whether from event handlers or what would
+  // have been individual script blocks in the old days, and adds it to
+  // the page with a nonce and appendChild.
+  //
+  // strips embedded javascript from html returned by ajax
   // NOTE: any warnBox style errors will be put into the warnBox
   // If whatWeDid !== null, we use it to return info about
   // what we stripped out and processed (current just warnMsg).
     var cleanHtml = returnedHtml;
     
     // embedded javascript?
     while (cleanHtml.length > 0) {
         var begPattern = /<script.*\>/i;
         var endPattern = /<\/script\>/i;
         var bounds = bindings.outside(begPattern,endPattern,cleanHtml);
         if (bounds.start === -1)
             break;
         var jsEmbeded = cleanHtml.slice(bounds.start,bounds.stop);
         if (-1 === jsEmbeded.indexOf("showWarnBox")) {
             if (debug)