af730d9e24c0642fe39657f890bc117ed015ccbf
galt
  Wed Feb 15 01:12:26 2017 -0800
CSP code cleanup. Using new var-args versions of functions jsInlineF and jsOnEventByIdF to avoid using lots of fixed-size local javascript strings.

diff --git src/hg/hgTrackUi/hgTrackUi.c src/hg/hgTrackUi/hgTrackUi.c
index 3e299be..a7f855a 100644
--- src/hg/hgTrackUi/hgTrackUi.c
+++ src/hg/hgTrackUi/hgTrackUi.c
@@ -2737,67 +2737,63 @@
 void superTrackUi(struct trackDb *superTdb, struct trackDb *tdbList)
 /* List tracks in this collection, with visibility controls and UI links */
 {
 jsIncludeFile("hui.js",NULL);
 printf("\n<P><TABLE CELLPADDING=2>");
 tdbRefSortPrioritiesFromCart(cart, &superTdb->children);
 struct slRef *childRef;
 char javascript[1024];
 for (childRef = superTdb->children; childRef != NULL; childRef = childRef->next)
     {
     struct trackDb *tdb = childRef->val;
     if (childRef == superTdb->children) // first time through
         {
         printf("\n<TR><TD NOWRAP colspan=2>");
 	printf("<IMG height=18 width=18 id='btn_plus_all' src='../images/add_sm.gif'>");
-	safef(javascript, sizeof javascript, "superT.plusMinus(true);");
-	jsOnEventById("click", "btn_plus_all", javascript);
+	jsOnEventById("click", "btn_plus_all", "superT.plusMinus(true);");
 	printf("<IMG height=18 width=18 id='btn_minus_all' src='../images/remove_sm.gif'>");
-	safef(javascript, sizeof javascript, "superT.plusMinus(false);");
-	jsOnEventById("click", "btn_minus_all", javascript);
+	jsOnEventById("click", "btn_minus_all", "superT.plusMinus(false);");
         printf("&nbsp;<B>All</B><BR>");
         printf("</TD></TR>\n");
         }
     printf("<TR><TD NOWRAP>");
     if (!tdbIsDownloadsOnly(tdb))
         {
 	char id[256];
         enum trackVisibility tv =
                 hTvFromString(cartUsualString(cart, tdb->track,hStringFromTv(tdb->visibility)));
         // Don't use cheapCgi code... no name and no boolshad... just js
         printf("<INPUT TYPE=CHECKBOX id='%s'%s>",
                tdb->track, (tv != tvHide?" CHECKED":""));
 	safef(id, sizeof id, "%s", tdb->track);
-	safef(javascript, sizeof javascript, "superT.childChecked(this);");
-	jsOnEventById("change", id, javascript);    // TODO XSS Filter track as id?
+	jsOnEventById("change", id, "superT.childChecked(this);");
 
 
         safef(javascript, sizeof(javascript), "superT.selChanged(this)");
         struct slPair *event = slPairNew("change", cloneString(javascript));
         hTvDropDownClassVisOnlyAndExtra(tdb->track, tv, tdb->canPack,
                                         (tv == tvHide ? "hiddenText":"normalText"),
                                         trackDbSetting(tdb, "onlyVisibility"),
                                         event);
 
         printf("</TD>\n<TD>");
 	safef(id, sizeof id, "%s_link", tdb->track);
         printf("<A HREF='%s?%s=%s&c=%s&g=%s' id='%s'>"
                "%s</A>&nbsp;", (tdbIsDownloadsOnly(tdb)? hgFileUiName(): hgTrackUiName()),
                cartSessionVarName(), cartSessionId(cart),
                chromosome, cgiEncode(tdb->track), id, tdb->shortLabel);
-        safef(javascript, sizeof(javascript), "superT.submitAndLink(this);");
-	jsOnEventById("click", id, javascript);    // TODO XSS Filter track as id?
+	jsOnEventById("click", id, "superT.submitAndLink(this);");
         }
     else
         {
         printf("<A HREF='%s?%s=%s&g=%s'>Downloads</A>",
                hgFileUiName(),cartSessionVarName(), cartSessionId(cart), cgiEncode(tdb->track));
         printf("</TD>\n<TD>");
         printf("%s&nbsp;",tdb->shortLabel);
         }
     printf("</TD>\n");
     printf("<TD>%s", tdb->longLabel);
     char *dataVersion = trackDbSetting(tdb, "dataVersion");
     if (dataVersion)
         printf("&nbsp&nbsp;<EM style='color:#666666; font-size:smaller;'>%s</EM>", dataVersion);
     printf("</TD></TR>");
     }
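Review bot: The fixed-size `javascript` buffer declared at the top of superTrackUi is still used by the `safef(javascript, sizeof(javascript), "superT.selChanged(this)")` / `slPairNew` pair that this hunk leaves untouched, so the cleanup the commit describes is only half applied here; the literal can go straight in, `struct slPair *event = slPairNew("change", cloneString("superT.selChanged(this)"));`, and the `char javascript[1024];` declaration removed. The two rewritten `jsOnEventById` calls on the `id` built from `tdb->track` also drop the `// TODO XSS Filter track as id?` note, while the track name is still printed unescaped into the `id='%s'` attribute and the href, so that reminder should be kept on the new lines. superTrackUi continues past the end of this hunk.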
@@ -3274,34 +3270,32 @@
 
     if (!ajax)
         {
         printf("&nbsp;");
         cgiMakeButton("Submit", "Submit");
         // Offer cancel button always?    // composites and multiTracks (not standAlones or supers)
         if (tdbIsContainer(tdb))
             {
             printf("&nbsp;");
             cgiMakeOnClickButton("htui_cancel", "window.history.back();","Cancel");
             }
 
         if (tdbIsComposite(tdb))
 	    {
             printf("\n&nbsp;&nbsp;<a href='#' id='htui_reset'>Reset to defaults</a>\n");
-	    char javascript[1024];
-	    safef(javascript, sizeof javascript, 
+	    jsOnEventByIdF("click", "htui_reset",
                    "setVarAndPostForm('%s','1','mainForm'); return false;", setting);
-	    jsOnEventById("click", "htui_reset", javascript);
 	    }
         }
 
     if (ct)
         {
         puts("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;");
         cgiMakeButton(CT_DO_REMOVE_VAR, "Remove custom track");
         cgiMakeHiddenVar(CT_SELECTED_TABLE_VAR, tdb->track);
         puts("&nbsp;");
         if (differentString(tdb->type, "chromGraph"))
             {
             char buf[256];
             if (ajax)
                 // reference to a separate form doesn't work in modal dialog,
                 // so change window.location directly.
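Review bot: In the new `jsOnEventByIdF("click", "htui_reset", "setVarAndPostForm('%s','1','mainForm'); return false;", setting)` call, `setting` is interpolated unescaped into a single-quoted JavaScript string literal, so the handler is only well-formed if `setting` can never contain a quote or backslash. The old safef-based code had the same property, but with the format now passed directly to a var-args helper it is worth recording the assumption on the line above, `// setting is an internally derived cart variable name, not user input`, or escaping it before formatting if that is not guaranteed. It is also worth confirming that jsOnEventByIdF is declared with a printf-style format attribute so the `%s` is checked against its argument as safef's was. The function enclosing this hunk begins before it; `setting` is defined outside the visible lines.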