a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/lib/search.c src/hg/lib/search.c index baa2b7c..88dba26 100644 --- src/hg/lib/search.c +++ src/hg/lib/search.c @@ -58,38 +58,38 @@ "bigBed - self index, often remote bed format", "Peaks Broad (broadPeak) - ENCODE large region peak format", "Peaks Narrow (narrowPeak) - ENCODE small region peak format", "Raw Sequence (fastq) - High throughput sequence format", "Signal (bigWig) - self index, often remote wiggle format", "Signal (wig) - wiggle format" }; struct slPair *fileTypes = NULL; int ix = 0, count = sizeof(crudeTypes)/sizeof(char *); for (ix=0;ix<count;ix++) slPairAdd(&fileTypes, crudeTypes[ix],cloneString(nicerTypes[ix])); return fileTypes; } -char *fileFormatSelectHtml(char *name, char *selected, char *extraHtml) +char *fileFormatSelectHtml(char *name, char *selected, char *event, char *javascript, char *style) // returns an allocated string of HTML for the fileType select drop down { struct slPair *fileTypes = fileFormatSearchWhiteList(); if (slCount(fileTypes) > 0) { char *dropDownHtml = cgiMakeSingleSelectDropList(name,fileTypes,selected, - ANYLABEL,NULL,extraHtml); + ANYLABEL, NULL, event, javascript, style, NULL); slPairFreeList(&fileTypes); return dropDownHtml; } return NULL; } struct slPair *mdbSelectPairs(struct cart *cart, struct slPair *mdbVars) // Returns the current mdb vars and vals in the table of drop down selects { // figure out how many metadata selects are visible. int numMetadataSelects = 0; struct slPair *mdbSelectPairs = NULL; if (mdbVars == NULL) return 0; @@ -187,104 +187,114 @@ // Assume tableSearch unless fileSearch { struct dyString *output = dyStringNew(1024); dyStringPrintf(output,"<tr><td colspan='%d' align='right' class='lineOnTop' style='height:20px; " "max-height:20px;'><em style='color:%s; width:200px;'>ENCODE terms</em>" "</td></tr>\n", cols,COLOR_DARKGREY); struct slPair *mdbSelect = mdbSelects; int row = 0; for (;mdbSelect != NULL; mdbSelect = mdbSelect->next) { char buf[256]; char *dropDownHtml = NULL; - #define PLUS_MINUS_BUTTON "<input type='button' id='%sButton%d' value='%c' " \ - "style='font-size:.7em;' title='%s' " \ - "onclick='findTracks.mdbSelectPlusMinus(this,%d)'>" + char id[256]; + char javascript[1024]; + + #define PLUS_MINUS_BUTTON "<input type='button' id='%s' value='%c' " \ + "style='font-size:.7em;' title='%s'>" + #define PLUS_MINUS_BUTTON_JS "findTracks.mdbSelectPlusMinus(this,%d);" #define ADD_PM_BUTTON(type,num,value) \ - dyStringPrintf(output,PLUS_MINUS_BUTTON, (type), (num), (value), \ - ((value) == '+' ? "add another row after":"delete"), (num)) + safef(id, sizeof id, "%sButton%d", (type), (num)); \ + dyStringPrintf(output,PLUS_MINUS_BUTTON, id, (value), \ + ((value) == '+' ? "add another row after":"delete")); \ + safef(javascript, sizeof javascript, PLUS_MINUS_BUTTON_JS, (num)); \ + jsOnEventById("click", id, javascript); dyStringAppend(output,"<tr valign='top' class='mdbSelect'><td nowrap>\n"); row++; if (slCount(mdbSelects) > 2 || row > 2) - ADD_PM_BUTTON("minus", row, '-'); + { + ADD_PM_BUTTON("minus", row, '-') + } else dyStringAppend(output," "); - ADD_PM_BUTTON("plus", row, '+'); + ADD_PM_BUTTON("plus", row, '+') dyStringAppend(output,"</td><td>and </td><td colspan=3 nowrap>\n"); safef(buf, sizeof(buf), "%s%i", METADATA_NAME_PREFIX, row); // Left side select of vars dropDownHtml = cgiMakeSingleSelectDropList(buf, mdbVars,mdbSelect->name, NULL,"mdbVar", - "style='font-size:.9em;' onchange='findTracks.mdbVarChanged(this);'"); + "change", "findTracks.mdbVarChanged(this);", "font-size:.9em;", NULL); if (dropDownHtml) { dyStringAppend(output,dropDownHtml); freeMem(dropDownHtml); } // Right side select of vals safef(buf, sizeof(buf), "%s%i", METADATA_VALUE_PREFIX, row); enum cvSearchable searchBy = cvSearchMethod(mdbSelect->name); if (searchBy == cvSearchBySingleSelect || searchBy == cvSearchByMultiSelect) { dyStringPrintf(output,"</td>\n<td align='right' id='isLike%i' style='width:10px; " "white-space:nowrap;'>is%s</td>\n<td nowrap id='%s' " "style='max-width:600px;'>\n", row,(searchBy == cvSearchByMultiSelect?" among":""),buf); struct slPair *pairs = mdbValLabelSearch(conn, mdbSelect->name, MDB_VAL_STD_TRUNCATION, FALSE, !fileSearch, fileSearch); // not tags, either a file or table search if (slCount(pairs) > 0) { char *dropDownHtml = cgiMakeSelectDropList((searchBy == cvSearchByMultiSelect), buf, pairs,mdbSelect->val, ANYLABEL,"mdbVal", - "style='min-width:200px; font-size:.9em;' " - "onchange='findTracks.mdbValChanged(this);'"); + "change", "findTracks.mdbValChanged(this);", + "min-width:200px; font-size:.9em;", NULL); if (dropDownHtml) { dyStringAppend(output,dropDownHtml); freeMem(dropDownHtml); } slPairFreeList(&pairs); } } else if (searchBy == cvSearchByFreeText) { dyStringPrintf(output,"</td><td align='right' id='isLike%i' style='width:10px; " "white-space:nowrap;'>contains</td>\n<td nowrap id='%s' " "style='max-width:600px;'>\n",row,buf); - dyStringPrintf(output,"<input type='text' name='%s' value='%s' class='mdbVal freeText' " - "style='max-width:310px; width:310px; font-size:.9em;' " - "onchange='findTracks.mdbVarChanged(true);'>\n", - buf,(mdbSelect->val ? (char *)mdbSelect->val: "")); + safef(id, sizeof id, "%i_change", row); + dyStringPrintf(output,"<input type='text' name='%s' id='%s' value='%s' class='mdbVal freeText' " + "style='max-width:310px; width:310px; font-size:.9em;'>\n", + buf,id,(mdbSelect->val ? (char *)mdbSelect->val: "")); + jsOnEventById("change", id, "findTracks.mdbVarChanged(true);"); } else if (searchBy == cvSearchByWildList) { dyStringPrintf(output,"</td><td align='right' id='isLike%i' style='width:10px; " "white-space:nowrap;'>is among</td>\n<td nowrap id='%s' " "style='max-width:600px;'>\n",row,buf); - dyStringPrintf(output,"<input type='text' name='%s' value='%s' class='mdbVal wildList' " + safef(id, sizeof id, "%i_change", row); + dyStringPrintf(output,"<input type='text' name='%s' id='%s' value='%s' class='mdbVal wildList' " "title='enter comma separated list of values' " - "style='max-width:310px; width:310px; font-size:.9em;' " - "onchange='findTracks.mdbVarChanged(true);'>\n", - buf,(mdbSelect->val ? (char *)mdbSelect->val: "")); + "style='max-width:310px; width:310px; font-size:.9em;'>\n", + buf,id,(mdbSelect->val ? (char *)mdbSelect->val: "")); + jsOnEventById("change", id, "findTracks.mdbVarChanged(true);"); } //else if (searchBy == cvSearchByDateRange || searchBy == cvSearchByIntegerRange) // { // // TO BE IMPLEMENTED // } dyStringPrintf(output,"<span id='helpLink%i'> </span></td>\n", row); dyStringPrintf(output,"</tr>\n"); } dyStringPrintf(output,"<tr><td colspan='%d' align='right' style='height:10px; " "max-height:10px;'> </td></tr>", cols); return dyStringCannibalize(&output); }