Commits for galt

v344_base to v345_preview (2017-01-30 to 2017-02-06) v345

a53b9958fa734f73aeffb9ddfe2fbad1ca65f90c Mon Jan 30 16:18:41 2017 -0800

• Check-in of CSP2 Content-Security-Policy work. All C-language CGIs should now support CSP2 in browser to stop major forms of XSS javascript injection. Javascript on pages is gathered together, and then emitted in a single script block at the end with a nonce that tells the browser, this is js that we generated instead of being injected by a hacker. Both inline script from script blocks and inline js event handlers had to be pulled out and separated. You will not see js sprinkled through-out the page now. Older browsers that support CSP1 or that do not understand CSP at all will still work, just without protection. External js libraries loaded at runtime need to be added to the CSP policy header in src/lib/htmshell.c.
  • src/hg/cartDump/cartDump.c - lines changed 1, context: html, text, full: html, text
  • src/hg/cirm/cdw/cdwWebBrowse/README_CSP - lines changed 16, context: html, text, full: html, text
  • src/hg/cirm/cdw/cdwWebBrowse/cdwFlowCharts.c - lines changed 55, context: html, text, full: html, text
  • src/hg/cirm/cdw/cdwWebBrowse/cdwNavBar.html - lines changed 6, context: html, text, full: html, text
  • src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c - lines changed 48, context: html, text, full: html, text
  • src/hg/cirm/cdw/inc/cdwLib.h - lines changed 4, context: html, text, full: html, text
  • src/hg/encode/hgEncodeSubmit/public/javascripts/controls.js - lines changed 1, context: html, text, full: html, text
  • src/hg/encode/hgEncodeVocab/hgEncodeVocab.c - lines changed 2, context: html, text, full: html, text
  • src/hg/hgApi/hgApi.c - lines changed 8, context: html, text, full: html, text
  • src/hg/hgBlat/hgBlat.c - lines changed 7, context: html, text, full: html, text
  • src/hg/hgConvert/hgConvert.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgCustom/hgCustom.c - lines changed 44, context: html, text, full: html, text
  • src/hg/hgFileSearch/hgFileSearch.c - lines changed 16, context: html, text, full: html, text
  • src/hg/hgGateway/hgGateway.c - lines changed 19, context: html, text, full: html, text
  • src/hg/hgGene/domains.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgGenome/mainPage.c - lines changed 36, context: html, text, full: html, text
  • src/hg/hgHubConnect/hgHubConnect.c - lines changed 92, context: html, text, full: html, text
  • src/hg/hgIntegrator/hgIntegrator.c - lines changed 8, context: html, text, full: html, text
  • src/hg/hgLiftOver/hgLiftOver.c - lines changed 6, context: html, text, full: html, text
  • src/hg/hgLogin/hgLogin.c - lines changed 47, context: html, text, full: html, text
  • src/hg/hgPcr/hgPcr.c - lines changed 16, context: html, text, full: html, text
  • src/hg/hgPublicSessions/hgPublicSessions.c - lines changed 15, context: html, text, full: html, text
  • src/hg/hgSession/hgSession.c - lines changed 47, context: html, text, full: html, text
  • src/hg/hgTables/correlate.c - lines changed 7, context: html, text, full: html, text
  • src/hg/hgTables/filterFields.c - lines changed 1, context: html, text, full: html, text
  • src/hg/hgTables/genomeSpace.c - lines changed 16, context: html, text, full: html, text
  • src/hg/hgTables/great.c - lines changed 13, context: html, text, full: html, text
  • src/hg/hgTables/hgTables.c - lines changed 7, context: html, text, full: html, text
  • src/hg/hgTables/hgTables.h - lines changed 2, context: html, text, full: html, text
  • src/hg/hgTables/intersect.c - lines changed 24, context: html, text, full: html, text
  • src/hg/hgTables/mainPage.c - lines changed 51, context: html, text, full: html, text
  • src/hg/hgTrackUi/hgTrackUi.c - lines changed 92, context: html, text, full: html, text
  • src/hg/hgTracks/config.c - lines changed 25, context: html, text, full: html, text
  • src/hg/hgTracks/cytoBandTrack.c - lines changed 1, context: html, text, full: html, text
  • src/hg/hgTracks/extTools.c - lines changed 20, context: html, text, full: html, text
  • src/hg/hgTracks/hgTracks.c - lines changed 94, context: html, text, full: html, text
  • src/hg/hgTracks/imageV2.c - lines changed 5, context: html, text, full: html, text
  • src/hg/hgTracks/menu.c - lines changed 7, context: html, text, full: html, text
  • src/hg/hgTracks/searchTracks.c - lines changed 86, context: html, text, full: html, text
  • src/hg/hgUserSuggestion/hgUserSuggestion.c - lines changed 31, context: html, text, full: html, text
  • src/hg/hgVai/hgVai.c - lines changed 33, context: html, text, full: html, text
  • src/hg/hgc/bigBedClick.c - lines changed 9, context: html, text, full: html, text
  • src/hg/hgc/hgc.c - lines changed 6, context: html, text, full: html, text
  • src/hg/hgc/lowelab.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgc/mafClick.c - lines changed 3, context: html, text, full: html, text
  • src/hg/hgc/pubs.c - lines changed 4, context: html, text, full: html, text
  • src/hg/hgc/wikiTrack.c - lines changed 5, context: html, text, full: html, text
  • src/hg/htdocs/bigImage.html - lines changed 1, context: html, text, full: html, text
  • src/hg/htdocs/goldenPath/help/trackDb/trackDbDoc.js - lines changed 1, context: html, text, full: html, text
  • src/hg/htdocs/inc/globalNavBar.inc - lines changed 6, context: html, text, full: html, text
  • src/hg/inc/hPrint.h - lines changed 1, context: html, text, full: html, text
  • src/hg/inc/hui.h - lines changed 6, context: html, text, full: html, text
  • src/hg/inc/jsHelper.h - lines changed 3, context: html, text, full: html, text
  • src/hg/inc/search.h - lines changed 1, context: html, text, full: html, text
  • src/hg/inc/web.h - lines changed 45, context: html, text, full: html, text
  • src/hg/js/alleles.js - lines changed 18, context: html, text, full: html, text
  • src/hg/js/hgGateway.js - lines changed 32, context: html, text, full: html, text
  • src/hg/js/hgTracks.js - lines changed 77, context: html, text, full: html, text
  • src/hg/js/jquery.contextmenu.js - lines changed 1, context: html, text, full: html, text
  • src/hg/js/jquery.jstore-all-min.js - lines changed 56, context: html, text, full: html, text
  • src/hg/js/jquery.jstore.js - lines changed 56, context: html, text, full: html, text
  • src/hg/js/jquery.plugins.js - lines changed 7, context: html, text, full: html, text
  • src/hg/js/lowetooltip.js - lines changed 2, context: html, text, full: html, text
  • src/hg/js/subCfg.js - lines changed 5, context: html, text, full: html, text
  • src/hg/js/utils.js - lines changed 165, context: html, text, full: html, text
  • src/hg/lib/cart.c - lines changed 5, context: html, text, full: html, text
  • src/hg/lib/fileUi.c - lines changed 11, context: html, text, full: html, text
  • src/hg/lib/googleAnalytics.c - lines changed 4, context: html, text, full: html, text
  • src/hg/lib/gtexUi.c - lines changed 6, context: html, text, full: html, text
  • src/hg/lib/hCommon.c - lines changed 2, context: html, text, full: html, text
  • src/hg/lib/hPrint.c - lines changed 2, context: html, text, full: html, text
  • src/hg/lib/haplotypes.c - lines changed 49, context: html, text, full: html, text
  • src/hg/lib/hui.c - lines changed 274, context: html, text, full: html, text
  • src/hg/lib/jWestBanner.html - lines changed 2, context: html, text, full: html, text
  • src/hg/lib/jWestHeader.html - lines changed 1, context: html, text, full: html, text
  • src/hg/lib/jsHelper.c - lines changed 72, context: html, text, full: html, text
  • src/hg/lib/pal.c - lines changed 3, context: html, text, full: html, text
  • src/hg/lib/search.c - lines changed 30, context: html, text, full: html, text
  • src/hg/lib/snakeUi.c - lines changed 1, context: html, text, full: html, text
  • src/hg/lib/tablesTables.c - lines changed 18, context: html, text, full: html, text
  • src/hg/lib/web.c - lines changed 66, context: html, text, full: html, text
  • src/hg/near/hgNear/hgNear.c - lines changed 19, context: html, text, full: html, text
  • src/hg/near/hgNear/userSettings.c - lines changed 3, context: html, text, full: html, text
  • src/hg/protein/lib/domains.c - lines changed 3, context: html, text, full: html, text
  • src/hg/qaPushQ/qaPushQ.c - lines changed 8, context: html, text, full: html, text
  • src/hg/visiGene/hgVisiGene/hgVisiGene.c - lines changed 17, context: html, text, full: html, text
  • src/inc/cheapcgi.h - lines changed 41, context: html, text, full: html, text
  • src/inc/htmshell.h - lines changed 9, context: html, text, full: html, text
  • src/lib/cheapcgi.c - lines changed 334, context: html, text, full: html, text
  • src/lib/htmshell.c - lines changed 260, context: html, text, full: html, text

cfb1153618c1c3f959f2ffb551ad26d81ca3dfc8 Mon Jan 30 16:32:44 2017 -0800

• oops fix CSP header inclusion, merge was a bit wonky.
  • src/hg/lib/gbHeader.h - lines changed 1, context: html, text, full: html, text
  • src/hg/lib/web.c - lines changed 2, context: html, text, full: html, text

dd1493178c354ea7170cd68c79d7d0a163768ed5 Mon Jan 30 16:37:38 2017 -0800

• getting rid of unneeded newline
  • src/hg/lib/gbHeader.h - lines changed 1, context: html, text, full: html, text

f8b16feaacf8742673d634e6584ddd37ca5caa2a Thu Feb 2 14:13:51 2017 -0800

• Fixing missing ajax transfer in hgTracks popup hgTrackUi js. Note this should basically pick up the equivalent of inline event handlers like onclick= stuff.
  • src/hg/hgTrackUi/hgTrackUi.c - lines changed 3, context: html, text, full: html, text
  • src/hg/js/hgTracks.js - lines changed 20, context: html, text, full: html, text
  • src/lib/htmshell.c - lines changed 1, context: html, text, full: html, text

1a0fe31189d4bbaeccc42b8f34fe12e876e189d7 Fri Feb 3 10:09:59 2017 -0800

• removing debugging and old CSP1 stuff.
  • src/hg/js/hgTracks.js - lines changed 63, context: html, text, full: html, text
  • src/hg/js/utils.js - lines changed 1, context: html, text, full: html, text

97e8b7ff52a2f4fb0b62d7015aab593346bc3a65 Fri Feb 3 11:48:36 2017 -0800

• stripJsEmbedded is probably obsolete.
  • src/hg/js/subCfg.js - lines changed 20, context: html, text, full: html, text
  • src/hg/js/utils.js - lines changed 16, context: html, text, full: html, text

87300988042f9b370f257fddf5a3ae0d21662851 Sat Feb 4 00:12:53 2017 -0800

• Fixes for early warning during ajax callback; fixes for early warning in js. Changed to not only parse to but strip out the CSP header and js-with-nonce leaving cleaner html -- should create fewer "surprises" for existing screen-scraping code.
  • src/hg/js/alleles.js - lines changed 15, context: html, text, full: html, text
  • src/hg/js/hgTracks.js - lines changed 25, context: html, text, full: html, text
  • src/hg/js/subCfg.js - lines changed 20, context: html, text, full: html, text
  • src/hg/js/utils.js - lines changed 85, context: html, text, full: html, text
  • src/hg/lib/cart.c - lines changed 1, context: html, text, full: html, text

dab575f9c813b6e2d49e403fc438c0fa0f9307d8 Sat Feb 4 22:53:05 2017 -0800

• make sure this js state never overflows.
  • src/hg/hgSession/hgSession.c - lines changed 3, context: html, text, full: html, text

39c1c15163cf86529fdcb102535f639da0bd89f5 Sun Feb 5 00:04:41 2017 -0800

• Dealing with warnings messages that overflow the 1024 limit buffer. Fullsize warning message still appears in the error log.
  • src/lib/htmshell.c - lines changed 22, context: html, text, full: html, text