a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c galt Mon Jan 30 16:18:41 2017 -0800 Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c. diff --git src/hg/js/jquery.plugins.js src/hg/js/jquery.plugins.js index 9a14a52..6a0e67d 100644 --- src/hg/js/jquery.plugins.js +++ src/hg/js/jquery.plugins.js @@ -1,532 +1,532 @@ /* JQuery Plugins + some code required for drop down menus * Must be loaded after jquery.js * * CONTENTS: * drupal.js (Jabico used this for the dropdown menus) * bgiframe v2.1 * hoverIntent r5 * Superfish v1.4.8 - jQuery menu widget * Superfish initialization (Add Superfish to all Nice menus with some basic options.) */ /* This first one is not actually a JQuery plugin, but drupal.js required for nicemenus.js to work */ var Drupal = Drupal || { 'settings': {}, 'behaviors': {}, 'themes': {}, 'locale': {} }; +// moved from globalNavBar.inc to here +jQuery.extend(Drupal.settings, { "basePath": "/", "nice_menus_options": { "delay": 800, "speed": 1 }, "thickbox": { "close": "Close", "next": "Next \x3e", "prev": "\x3c Prev", "esc_key": "or Esc Key", "next_close": "Next / Close on last", "image_count": "Image !current of !total" }, "custom_search": { "form_target": "_self", "solr": 0 } }); + /** * Set the variable that indicates if JavaScript behaviors should be applied */ Drupal.jsEnabled = document.getElementsByTagName && document.createElement && document.createTextNode && document.documentElement && document.getElementById; /** * Attach all registered behaviors to a page element. * * Behaviors are event-triggered actions that attach to page elements, enhancing * default non-Javascript UIs. Behaviors are registered in the Drupal.behaviors * object as follows: * @code * Drupal.behaviors.behaviorName = function () { * ... * }; * @endcode * * Drupal.attachBehaviors is added below to the jQuery ready event and so * runs on initial page load. Developers implementing AHAH/AJAX in their * solutions should also call this function after new page content has been * loaded, feeding in an element to be processed, in order to attach all * behaviors to the new content. * * Behaviors should use a class in the form behaviorName-processed to ensure * the behavior is attached only once to a given element. (Doing so enables * the reprocessing of given elements, which may be needed on occasion despite * the ability to limit behavior attachment to a particular element.) * * @param context * An element to attach behaviors to. If none is given, the document element * is used. */ Drupal.attachBehaviors = function(context) { context = context || document; if (Drupal.jsEnabled) { // Execute all of them. jQuery.each(Drupal.behaviors, function() { this(context); }); } }; /** * Encode special characters in a plain-text string for display as HTML. */ Drupal.checkPlain = function(str) { str = String(str); var replace = { '&': '&', '"': '"', '<': '<', '>': '>' }; for (var character in replace) { var regex = new RegExp(character, 'g'); str = str.replace(regex, replace[character]); } return str; }; /** * Translate strings to the page language or a given language. * * See the documentation of the server-side t() function for further details. * * @param str * A string containing the English string to translate. * @param args * An object of replacements pairs to make after translation. Incidences * of any key in this array are replaced with the corresponding value. * Based on the first character of the key, the value is escaped and/or themed: * - !variable: inserted as is * - @variable: escape plain text to HTML (Drupal.checkPlain) * - %variable: escape text and theme as a placeholder for user-submitted * content (checkPlain + Drupal.theme('placeholder')) * @return * The translated string. */ Drupal.t = function(str, args) { // Fetch the localized version of the string. if (Drupal.locale.strings && Drupal.locale.strings[str]) { str = Drupal.locale.strings[str]; } if (args) { // Transform arguments before inserting them for (var key in args) { switch (key.charAt(0)) { // Escaped only case '@': args[key] = Drupal.checkPlain(args[key]); break; // Pass-through case '!': break; // Escaped and placeholder case '%': default: args[key] = Drupal.theme('placeholder', args[key]); break; } str = str.replace(key, args[key]); } } return str; }; /** * Format a string containing a count of items. * * This function ensures that the string is pluralized correctly. Since Drupal.t() is * called by this function, make sure not to pass already-localized strings to it. * * See the documentation of the server-side format_plural() function for further details. * * @param count * The item count to display. * @param singular * The string for the singular case. Please make sure it is clear this is * singular, to ease translation (e.g. use "1 new comment" instead of "1 new"). * Do not use @count in the singular string. * @param plural * The string for the plural case. Please make sure it is clear this is plural, * to ease translation. Use @count in place of the item count, as in "@count * new comments". * @param args * An object of replacements pairs to make after translation. Incidences * of any key in this array are replaced with the corresponding value. * Based on the first character of the key, the value is escaped and/or themed: * - !variable: inserted as is * - @variable: escape plain text to HTML (Drupal.checkPlain) * - %variable: escape text and theme as a placeholder for user-submitted * content (checkPlain + Drupal.theme('placeholder')) * Note that you do not need to include @count in this array. * This replacement is done automatically for the plural case. * @return * A translated string. */ Drupal.formatPlural = function(count, singular, plural, args) { var args = args || {}; args['@count'] = count; // Determine the index of the plural form. var index = Drupal.locale.pluralFormula ? Drupal.locale.pluralFormula(args['@count']) : ((args['@count'] == 1) ? 0 : 1); if (index == 0) { return Drupal.t(singular, args); } else if (index == 1) { return Drupal.t(plural, args); } else { args['@count['+ index +']'] = args['@count']; delete args['@count']; return Drupal.t(plural.replace('@count', '@count['+ index +']')); } }; /** * Generate the themed representation of a Drupal object. * * All requests for themed output must go through this function. It examines * the request and routes it to the appropriate theme function. If the current * theme does not provide an override function, the generic theme function is * called. * * For example, to retrieve the HTML that is output by theme_placeholder(text), * call Drupal.theme('placeholder', text). * * @param func * The name of the theme function to call. * @param ... * Additional arguments to pass along to the theme function. * @return * Any data the theme function returns. This could be a plain HTML string, * but also a complex object. */ Drupal.theme = function(func) { for (var i = 1, args = []; i < arguments.length; i++) { args.push(arguments[i]); } return (Drupal.theme[func] || Drupal.theme.prototype[func]).apply(this, args); }; /** * Parse a JSON response. * * The result is either the JSON object, or an object with 'status' 0 and 'data' an error message. */ Drupal.parseJson = function (data) { if ((data.substring(0, 1) != '{') && (data.substring(0, 1) != '[')) { return { status: 0, data: data.length ? data : Drupal.t('Unspecified error') }; } - return eval('(' + data + ');'); + return JSON.parse(data); }; /** * Freeze the current body height (as minimum height). Used to prevent * unnecessary upwards scrolling when doing DOM manipulations. */ Drupal.freezeHeight = function () { Drupal.unfreezeHeight(); var div = document.createElement('div'); $(div).css({ position: 'absolute', top: '0px', left: '0px', width: '1px', height: $('body').css('height') }).attr('id', 'freeze-height'); $('body').append(div); }; /** * Unfreeze the body height */ Drupal.unfreezeHeight = function () { $('#freeze-height').remove(); }; /** * Wrapper around encodeURIComponent() which avoids Apache quirks (equivalent of * drupal_urlencode() in PHP). This function should only be used on paths, not * on query string arguments. */ Drupal.encodeURIComponent = function (item, uri) { uri = uri || location.href; item = encodeURIComponent(item).replace(/%2F/g, '/'); return (uri.indexOf('?q=') != -1) ? item : item.replace(/%26/g, '%2526').replace(/%23/g, '%2523').replace(/\/\//g, '/%252F'); }; /** * Get the text selection in a textarea. */ Drupal.getSelection = function (element) { if (typeof(element.selectionStart) != 'number' && document.selection) { // The current selection var range1 = document.selection.createRange(); var range2 = range1.duplicate(); // Select all text. range2.moveToElementText(element); // Now move 'dummy' end point to end point of original range. range2.setEndPoint('EndToEnd', range1); // Now we can calculate start and end points. var start = range2.text.length - range1.text.length; var end = start + range1.text.length; return { 'start': start, 'end': end }; } return { 'start': element.selectionStart, 'end': element.selectionEnd }; }; /** * Build an error message from ahah response. */ Drupal.ahahError = function(xmlhttp, uri) { if (xmlhttp.status == 200) { if (jQuery.trim($(xmlhttp.responseText).text())) { var message = Drupal.t("An error occurred. \n@uri\n@text", {'@uri': uri, '@text': xmlhttp.responseText }); } else { var message = Drupal.t("An error occurred. \n@uri\n(no information available).", {'@uri': uri, '@text': xmlhttp.responseText }); } } else { var message = Drupal.t("An HTTP error @status occurred. \n@uri", {'@uri': uri, '@status': xmlhttp.status }); } return message; } // Global Killswitch on the <html> element if (Drupal.jsEnabled) { // Global Killswitch on the <html> element $(document.documentElement).addClass('js'); // 'js enabled' cookie document.cookie = 'has_js=1; path=/'; // Attach all behaviors. $(document).ready(function() { Drupal.attachBehaviors(this); }); } /** * The default themes. */ Drupal.theme.prototype = { /** * Formats text for emphasized display in a placeholder inside a sentence. * * @param str * The text to format (plain-text). * @return * The formatted text (html). */ placeholder: function(str) { return '<em>' + Drupal.checkPlain(str) + '</em>'; } }; /* ********************** */ /* This code adds the object browser to jQuery */ /* It allows using newer Jquery versions with our old version of bgiframe. */ /* copied from http://stackoverflow.com/questions/14798403/typeerror-browser-is-undefined */ /* Max 2016: It seems that bgiframe is only needed for MSIE6 support, so it is possible we could remove * bgiframe (and this code) entirely, but bgiframe is used even in our own code, so I'm waiting with this */ if (typeof jQuery.browser == 'undefined') { var matched, browser; jQuery.uaMatch = function( ua ) { ua = ua.toLowerCase(); var match = /(chrome)[ \/]([\w.]+)/.exec( ua ) || /(webkit)[ \/]([\w.]+)/.exec( ua ) || /(opera)(?:.*version|)[ \/]([\w.]+)/.exec( ua ) || /(msie) ([\w.]+)/.exec( ua ) || ua.indexOf("compatible") < 0 && /(mozilla)(?:.*? rv:([\w.]+)|)/.exec( ua ) || []; return { browser: match[ 1 ] || "", version: match[ 2 ] || "0" }; }; matched = jQuery.uaMatch( navigator.userAgent ); browser = {}; if ( matched.browser ) { browser[ matched.browser ] = true; browser.version = matched.version; } // Chrome is Webkit, but Webkit is also Safari. if ( browser.chrome ) { browser.webkit = true; } else if ( browser.webkit ) { browser.safari = true; } jQuery.browser = browser; /* END OF BROWSER OBJECT */ } /* bgiframe v2.1 * Copyright (c) 2006 Brandon Aaron (http://brandonaaron.net) * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php) * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses. * * $LastChangedDate: 2007-06-19 20:25:28 -0500 (Tue, 19 Jun 2007) $ * $Rev: 2111 $ * * Version 2.1 */ (function($){$.fn.bgIframe=$.fn.bgiframe=function(s){if($.browser.msie&&parseInt($.browser.version)<=6){s=$.extend({top:'auto',left:'auto',width:'auto',height:'auto',opacity:true,src:'javascript:false;'},s||{});var prop=function(n){return n&&n.constructor==Number?n+'px':n;},html='<iframe class="bgiframe"frameborder="0"tabindex="-1"src="'+s.src+'"'+'style="display:block;position:absolute;z-index:-1;'+(s.opacity!==false?'filter:Alpha(Opacity=\'0\');':'')+'top:'+(s.top=='auto'?'expression(((parseInt(this.parentNode.currentStyle.borderTopWidth)||0)*-1)+\'px\')':prop(s.top))+';'+'left:'+(s.left=='auto'?'expression(((parseInt(this.parentNode.currentStyle.borderLeftWidth)||0)*-1)+\'px\')':prop(s.left))+';'+'width:'+(s.width=='auto'?'expression(this.parentNode.offsetWidth+\'px\')':prop(s.width))+';'+'height:'+(s.height=='auto'?'expression(this.parentNode.offsetHeight+\'px\')':prop(s.height))+';'+'"/>';return this.each(function(){if($('> iframe.bgiframe',this).length==0)this.insertBefore(document.createElement(html),this.firstChild);});}return this;};if(!$.browser.version)$.browser.version=navigator.userAgent.toLowerCase().match(/.+(?:rv|it|ra|ie)[\/: ]([\d.]+)/)[1];})(jQuery); /** * hoverIntent r5 // 2007.03.27 // jQuery 1.1.2+ * <http://cherne.net/brian/resources/jquery.hoverIntent.html> * * @param f onMouseOver function || An object with configuration options * @param g onMouseOut function || Nothing (use configuration options object) * @author Brian Cherne <brian@cherne.net> */ (function($){$.fn.hoverIntent=function(f,g){var cfg={sensitivity:7,interval:100,timeout:0};cfg=$.extend(cfg,g?{over:f,out:g}:f);var cX,cY,pX,pY;var track=function(ev){cX=ev.pageX;cY=ev.pageY;};var compare=function(ev,ob){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);if((Math.abs(pX-cX)+Math.abs(pY-cY))<cfg.sensitivity){$(ob).unbind("mousemove",track);ob.hoverIntent_s=1;return cfg.over.apply(ob,[ev]);}else{pX=cX;pY=cY;ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}};var delay=function(ev,ob){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);ob.hoverIntent_s=0;return cfg.out.apply(ob,[ev]);};var handleHover=function(e){var p=(e.type=="mouseover"?e.fromElement:e.toElement)||e.relatedTarget;while(p&&p!=this){try{p=p.parentNode;}catch(e){p=this;}}if(p==this){return false;}var ev=jQuery.extend({},e);var ob=this;if(ob.hoverIntent_t){ob.hoverIntent_t=clearTimeout(ob.hoverIntent_t);}if(e.type=="mouseover"){pX=ev.pageX;pY=ev.pageY;$(ob).bind("mousemove",track);if(ob.hoverIntent_s!=1){ob.hoverIntent_t=setTimeout(function(){compare(ev,ob);},cfg.interval);}}else{$(ob).unbind("mousemove",track);if(ob.hoverIntent_s==1){ob.hoverIntent_t=setTimeout(function(){delay(ev,ob);},cfg.timeout);}}};return this.mouseover(handleHover).mouseout(handleHover);};})(jQuery); /* * Superfish v1.4.8 - jQuery menu widget * Copyright (c) 2008 Joel Birch * * Dual licensed under the MIT and GPL licenses: * http://www.opensource.org/licenses/mit-license.php * http://www.gnu.org/licenses/gpl.html * * CHANGELOG: http://users.tpg.com.au/j_birch/plugins/superfish/changelog.txt */ ;(function($){ $.fn.superfish = function(op){ var sf = $.fn.superfish, c = sf.c, $arrow = $(['<span class="',c.arrowClass,'"> »</span>'].join('')), over = function(){ var $$ = $(this), menu = getMenu($$); clearTimeout(menu.sfTimer); $$.showSuperfishUl().siblings().hideSuperfishUl(); }, out = function(){ var $$ = $(this), menu = getMenu($$), o = sf.op; clearTimeout(menu.sfTimer); menu.sfTimer=setTimeout(function(){ o.retainPath=($.inArray($$[0],o.$path)>-1); $$.hideSuperfishUl(); if (o.$path.length && $$.parents(['li.',o.hoverClass].join('')).length<1){over.call(o.$path);} },o.delay); }, getMenu = function($menu){ var menu = $menu.parents(['ul.',c.menuClass,':first'].join(''))[0]; sf.op = sf.o[menu.serial]; return menu; }, addArrow = function($a){ $a.addClass(c.anchorClass).append($arrow.clone()); }; return this.each(function() { var s = this.serial = sf.o.length; var o = $.extend({},sf.defaults,op); o.$path = $('li.'+o.pathClass,this).slice(0,o.pathLevels).each(function(){ $(this).addClass([o.hoverClass,c.bcClass].join(' ')) .filter('li:has(ul)').removeClass(o.pathClass); }); sf.o[s] = sf.op = o; $('li:has(ul)',this)[($.fn.hoverIntent && !o.disableHI) ? 'hoverIntent' : 'hover'](over,out).each(function() { if (o.autoArrows) addArrow( $('>a:first-child',this) ); }) .not('.'+c.bcClass) .hideSuperfishUl(); var $a = $('a',this); $a.each(function(i){ var $li = $a.eq(i).parents('li'); $a.eq(i).focus(function(){over.call($li);}).blur(function(){out.call($li);}); }); o.onInit.call(this); }).each(function() { var menuClasses = [c.menuClass]; if (sf.op.dropShadows && !($.browser.msie && $.browser.version < 7)) menuClasses.push(c.shadowClass); $(this).addClass(menuClasses.join(' ')); }); }; var sf = $.fn.superfish; sf.o = []; sf.op = {}; sf.IE7fix = function(){ var o = sf.op; if ($.browser.msie && $.browser.version > 6 && o.dropShadows && o.animation.opacity!=undefined) this.toggleClass(sf.c.shadowClass+'-off'); }; sf.c = { bcClass : 'sf-breadcrumb', menuClass : 'sf-js-enabled', anchorClass : 'sf-with-ul', arrowClass : 'sf-sub-indicator', shadowClass : 'sf-shadow' }; sf.defaults = { hoverClass : 'sfHover', pathClass : 'overideThisToUse', pathLevels : 1, delay : 800, animation : {opacity:'show'}, speed : 'normal', autoArrows : true, dropShadows : true, disableHI : false, // true disables hoverIntent detection onInit : function(){}, // callback functions onBeforeShow: function(){}, onShow : function(){}, onHide : function(){} }; $.fn.extend({ hideSuperfishUl : function(){ var o = sf.op, not = (o.retainPath===true) ? o.$path : ''; o.retainPath = false; var $ul = $(['li.',o.hoverClass].join(''),this).add(this).not(not).removeClass(o.hoverClass) .find('>ul').hide().css('visibility','hidden'); o.onHide.call($ul); return this; }, showSuperfishUl : function(){ var o = sf.op, sh = sf.c.shadowClass+'-off', $ul = this.addClass(o.hoverClass) .find('>ul:hidden').css('visibility','visible'); sf.IE7fix.call($ul); o.onBeforeShow.call($ul); $ul.animate(o.animation,o.speed,function(){ sf.IE7fix.call($ul); o.onShow.call($ul); }); return this; } }); })(jQuery); - - - // This uses Superfish 1.4.8 // (http://users.tpg.com.au/j_birch/plugins/superfish) // Add Superfish to all Nice menus with some basic options. (function ($) { $(document).ready(function() { $('ul.nice-menu').superfish({ // Apply a generic hover class. hoverClass: 'over', // Disable generation of arrow mark-up. autoArrows: false, // Disable drop shadows. dropShadows: false, // Mouse delay. delay: Drupal.settings.nice_menus_options.delay, // Animation speed. speed: Drupal.settings.nice_menus_options.speed // Add in Brandon Aaron’s bgIframe plugin for IE select issues. // http://plugins.jquery.com/node/46/release }).find('ul').bgIframe({opacity:false}); $('ul.nice-menu ul').css('display', 'none'); }); })(jQuery);