a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c
galt
  Mon Jan 30 16:18:41 2017 -0800
Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.

diff --git src/hg/qaPushQ/qaPushQ.c src/hg/qaPushQ/qaPushQ.c
index 60386f1..33ec08f 100644
--- src/hg/qaPushQ/qaPushQ.c
+++ src/hg/qaPushQ/qaPushQ.c
@@ -3103,31 +3103,32 @@
 printf("Gateway - click to select alternate push queues, if any, e.g. new track/org<br>\n");
 printf("HELP - click to see this help.<br>\n");
 printf("Refresh - click to see if others have made changes.<br>\n");
 printf("<br>\n");
 printf("! - click to hide a column you do not wish to see.<br>\n");
 printf("< - click to move the column to the left.<br>\n");
 printf("> - click to move the column to the right.<br>\n");
 printf("<br>\n");
 printf("^ - click to raise the priority of the record higher within the priority-class.<br>\n");
 printf("v - click to lower the priority.<br>\n");
 printf("T - click to raise to top priority.<br>\n");
 printf("B - click to lower to bottom priority.<br>\n");
 printf("<br>\n");
 printf("Queue Id - click to edit or see the details page for the record.<br>\n");
 printf("<br>\n");
-printf("<a href=\"javascript:window.close();\" >CLOSE</a> <br>\n");
+printf("<a href='#' id='closeIt'>CLOSE</a> <br>\n");
+jsOnEventById("click", "closeIt", "window.close();");
 }
 
 
 void doShowEditHelp()
 /* show the sizes of all the track tables, cgis, and general files in separate window target= _blank  */
 {
 struct pushQ q;
 ZeroVar(&q);
 safef(q.qid, sizeof(q.qid), "%s", cgiString("qid"));
 printf("<h4>Details/Edit Help</h4>\n");
 printf("<br>\n");
 printf("CANCEL - click to return to main display without saving changes.<br>\n");
 printf("HELP - click to see this help.<br>\n");
 printf("<br>\n");
 printf("Initial submission - displays date automatically generated when push queue record is created.<br>\n");
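Review bot: The new anchor at `printf("<a href='#' id='closeIt'>CLOSE</a> <br>\n");` still follows its `#` href after the click handler runs, because the handler text `window.close();` neither cancels the event nor returns false; when the browser refuses the close (a window not opened by script) the page scrolls to top and gains a `#` fragment instead of doing nothing. Consider `jsOnEventById("click", "closeIt", "window.close(); return false;");`, or an `event.preventDefault()` call if jsOnEventById registers the handler with addEventListener — which of the two is honoured depends on how jsOnEventById wires the event, which is not visible in this diff. The same pattern is repeated at the other three replaced CLOSE links in this file (the doShowEditHelp, doShowSizesHelp and the push-request page hunks). The function containing this hunk's changed lines starts before the hunk.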
@@ -3150,57 +3151,59 @@
 printf("Status - enter current status (255 char max). Put long notes in Open Issues or Notes.<br>\n");
 printf("Sponsor - usually the developer.<br>\n");
 printf("Reviewer - usually the QA person handling the push queue for the track.<br>\n");
 printf("External Source or Collaborator - external contact outside our staff that may be involved.<br>\n");
 printf("Open Issues - Record any remaining open issues that are not completely resolved (no size limit here).<br>\n");
 printf("Notes - Any other notes you would like to make (no size limit here).<br>\n");
 printf("<br>\n");
 printf("Submit button - save changes and return to main display.<br>\n");
 printf("delete button - delete this push queue record and return to main display.<br>\n");
 printf("push requested button - press only if you are QA staff and about to submit the push-request. It will try to verify that required entries are present.<br>\n");
 printf("clone button - press if you wish to split the original push queue record into multiple parts. Saves typing, used rarely.<br>\n");
 printf("bounce button - press to bounce from priority A, the QA queue, to B, the developer queue if it needs developer attention.<br>\n");
 printf("transfer button - press to transfer the pushQ entry to another queue.<br>\n");
 printf("lock - press lock to lock the record and edit it.  When in edit mode, make your changes and submit.  Do not leave the record locked.<br>\n");
 printf("<br>\n");
-printf("<a href=\"javascript:window.close();\">CLOSE</a> <br>\n");
+printf("<a href='#' id='closeIt'>CLOSE</a> <br>\n");
+jsOnEventById("click", "closeIt", "window.close();");
 }
 
 
 void doShowSizesHelp()
 /* show the sizes of all the track tables, cgis, and general files in separate window target= _blank  */
 {
 struct pushQ q;
 ZeroVar(&q);
 safef(q.qid, sizeof(q.qid), "%s", cgiString("qid"));
 printf("<h4>Show File Sizes Help</h4>\n");
 printf("<br>\n");
 printf("Tables: Shows sizes of database data and indexes.<br>\n");
 printf("Expands wildcard * in table names list. <br>\n");
 printf("Shows total index size, and the key expression of each index.<br>\n");
 printf("Location of tables is relative to the Current Location setting in the record.<br>\n");
 printf("<br>\n");
 printf("CGIs: shows files specified. Currently limited to checking localhost (hgwbeta in this case).<br>\n");
 printf("<br>\n");
 printf("Total size of all:  total size of all files found in bytes.<br>\n");
 printf("Total: size in megabytes(MB) which is what should be entered into the size(MB) field of the push queue record.<br>\n");
 printf("<br>\n");
 printf("RETURN - click to return to the details/edit page.<br>\n");
 printf("Set Size As - click to set size to that found, and return to the details/edit page. Saves typing. Be sure to press submit to save changes.<br>\n");
 printf("<br>\n");
 printf("<br>\n");
-printf("<a href=\"javascript:window.close();\">CLOSE</a> <br>\n");
+printf("<a href='#' id='closeIt'>CLOSE</a> <br>\n");
+jsOnEventById("click", "closeIt", "window.close();");
 }
 
 void checkConn2()
 /* get 2nd conn, if not already done */
 {
 if (!conn2)
     conn2 = sqlConnectRemote(host, user, password, database);
 }
 
 boolean verifyTableIsQueue(char *table)
 /* Return TRUE if table is a push Q */
 {
 boolean result = TRUE;
 char query[256];
 char *field = NULL;
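Review bot: The header comment on doShowSizesHelp, `/* show the sizes of all the track tables, cgis, and general files in separate window target= _blank  */`, describes a different function — the body only prints help text for the Show File Sizes page — and the same copy-pasted comment sits on doShowEditHelp in the previous hunk. Since this commit already touches the tail of both functions, it is a good moment to replace it with `/* Print the help text for the Show File Sizes page (displayed in a separate window). */` and the doShowEditHelp one with `/* Print the help text for the Details/Edit page (displayed in a separate window). */`. Whether the pages are in fact opened with target=_blank is not visible here, so keep that part only if the callers confirm it.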
@@ -3568,31 +3571,32 @@
     printf("push-request:<br>\n");
     printf("<br>\n");
     printf("Please push from beta to RR,MGC: <br>\n");
     printf("&nbsp;&nbsp;&nbsp;%s<br>\n",filePath);
     printf("<br>\n");
     printf("Thanks!<br>\n");
     printf("<br>\n");
     printf("<br>\n");
     printf("See <a href=%s>Release Log</a><br>\n",rlPath);
     }
 else
     {
     printf("Error reading %s: %d<br>\n",rlPath,page->status->status);
     }
 printf("<br>\n");
-printf("<a href=\"javascript:window.close();\">CLOSE</a> <br>\n");
+printf("<a href='#' id='closeIt'>CLOSE</a> <br>\n");
+jsOnEventById("click", "closeIt", "window.close();");
 
 htmlPageFree(&page);
 
 }
 
 
 /* ======================================================== */
 
 /* ------------------------------------------------------- */
 
 
 void doMiddle()
 /* dispatch events */
 {