38d05d1d1259c64a71c7d46444a9e9bb91e21676
galt
  Fri Jan 10 23:46:22 2020 -0800
Changing cartReset to use CSP meta head to suppress XSS javascript in the destination CGI parameter. refs#24750

diff --git src/hg/cartReset/cartReset.c src/hg/cartReset/cartReset.c
index bdf6330..74e87c4 100644
--- src/hg/cartReset/cartReset.c
+++ src/hg/cartReset/cartReset.c
@@ -7,46 +7,43 @@
 #include "hash.h"
 #include "cheapcgi.h"
 #include "htmshell.h"
 #include "hui.h"
 #include "cart.h"
 
 
 
 static char *defaultDestination = "../cgi-bin/hgGateway";
 
 void doMiddle()
 /* cartReset - Reset cart. */
 {
 
 cartResetInDb(hUserCookie());
-/* 
-//Keep in case we need it later. The standards say we should provide
-//a clickable link for browsers that do not support meta refresh 
-printf("Your settings are now reset to defaults.<BR>");
-char *destination = cgiUsualString("destination", defaultDestination);
-printf("You will be automatically redirected to the gateway page in 0 second,\n"
-" or you can <BR> <A href=\"%s\">click here to continue</A>.\n",
-       destination);
-*/
 }
 
 int main(int argc, char *argv[])
 /* Process command line. */
 {
 long enteredMainTime = clock1000();
 struct dyString *headText = newDyString(512);
 char *destination = cgiUsualString("destination", defaultDestination);
 if (strstr(destination, "//"))
     errAbort("To stop Open Redirect abuse, only relative URLs are supported. "
 	    "Request for destination=[%s] rejected.\n", destination);
 
-dyStringPrintf(headText,
+char *meta = getCspMetaHeader();  // ContentSecurityPolicy stops XSS js in destination
+
+dyStringPrintf(headText, "%s"
 	       "<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0;URL=%s\">"
 	       "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
 	       "<META HTTP-EQUIV=\"Expires\" CONTENT=\"-1\">"
-	       ,destination);
+	       ,meta,destination);
+
 htmShellWithHead("Reset Cart", headText->string, doMiddle, NULL);
+
+freeMem(meta);
 dyStringFree(&headText);
+
 cgiExitTime("cartReset", enteredMainTime);
 return 0;
 }
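Review bot: The rebuilt dyStringPrintf call at `,meta,destination);` still interpolates the raw destination into the `CONTENT="0;URL=%s"` attribute, so a value containing `"` or `>` can close the attribute and inject markup; the CSP meta tag only blunts script execution and the `//` check above only addresses open redirects, neither prevents the attribute breakout. Encode for the attribute context before formatting, e.g. `char *safeDest = htmlEncode(destination);` (htmshell.h, already included, if its htmlEncode is the one available here), pass `safeDest` in place of `destination` in the format arguments, and add `freeMem(safeDest);` beside `freeMem(meta);`. Emitting the policy from a meta tag also means anything inline that htmShellWithHead itself writes has to satisfy that policy, which this hunk cannot show; a comment on the `getCspMetaHeader()` line such as `// policy must also allow the shell's own inline resources` would record that dependency for the next maintainer.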