a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/lib/tablesTables.c src/hg/lib/tablesTables.c
index cdcfc0b..5856e9c 100644
--- src/hg/lib/tablesTables.c
+++ src/hg/lib/tablesTables.c
@@ -43,57 +43,59 @@
 printf("  &nbsp ");
 printf("%d %s found. ", matchCount, itemPlural);
 
 if (addFunc)
     addFunc();
 
 printf("<BR>\n");
 printf("You can further filter search results field by field below. ");    
 printf("Wildcard * and ? characters are allowed in text fields. ");
 printf("&GT;min or &LT;max are allowed in numerical fields.<BR>\n");
 }
 
 static void printSuggestScript(char *id, struct slName *suggestList)
 /* Print out a little javascript to wrap auto-suggester around control with given ID */
 {
-printf("<script>\n");
-printf("$(document).ready(function() {\n");
-printf("  $('#%s').autocomplete({\n", id);
-printf("    delay: 100,\n");
-printf("    minLength: 0,\n");
-printf("    source: [");
+struct dyString *dy = dyStringNew(256);
+dyStringPrintf(dy,"$(document).ready(function() {\n");
+dyStringPrintf(dy,"  $('#%s').autocomplete({\n", id);
+dyStringPrintf(dy,"    delay: 100,\n");
+dyStringPrintf(dy,"    minLength: 0,\n");
+dyStringPrintf(dy,"    source: [");
 char *separator = "";
 struct slName *suggest;
 for (suggest = suggestList; suggest != NULL; suggest = suggest->next)
     {
-    printf("%s\"%s\"", separator, suggest->name);
+    dyStringPrintf(dy,"%s\"%s\"", separator, suggest->name);
     separator = ",";
     }
-printf("]\n");
-printf("    });\n");
-printf("});\n");
-printf("</script>\n");
+dyStringPrintf(dy,"]\n");
+dyStringPrintf(dy,"    });\n");
+dyStringPrintf(dy,"});\n");
+jsInline(dy->string);
+dyStringFree(&dy);
 }
 
 static void printWatermark(char *id, char *watermark)
 /* Print light text filter prompt as watermark. */
 {
-printf("<script>\n");
-printf("$(function() {\n");
-printf("  $('#%s').watermark(\"%s\");\n", id, watermark);
-printf("});\n");
-printf("</script>\n");
+char javascript[1024];
+safef(javascript, sizeof javascript,
+"$(function() {\n"
+"  $('#%s').watermark(\"%s\");\n"
+"});\n", id, watermark);
+jsInline(javascript);
 }
 
 static void showTableFilterControlRow(struct fieldedTable *table, struct cart *cart, 
     char *varPrefix, int maxLenField, struct hash *suggestHash)
 /* Assuming we are in table already drow control row.
  * The suggestHash is keyed by field name.  If something is there we'll assume
  * it's value is slName list of suggestion values */
 {
 /* Include javascript and style we need  */
 webIncludeResourceFile("jquery-ui.css");
 jsIncludeFile("jquery.js", NULL);
 jsIncludeFile("jquery.plugins.js", NULL);
 jsIncludeFile("jquery-ui.js", NULL);
 jsIncludeFile("jquery.watermark.js", NULL);