changeset 6218:7146b68ac263

Add client_nonce to all scripts. Add tal:attributes="nonce request/client/client_nonce" to script tags.
author John Rouillard <rouilj@ieee.org>
date Thu, 02 Jul 2020 20:05:02 -0400
parents 10d7700ff6ad
children ddc6739579ca
files website/issues/html/_generic.calendar.html website/issues/html/_generic.help-list.html website/issues/html/_generic.help-submit.html website/issues/html/_generic.help.html website/issues/html/page.html website/issues/html/user.help-search.html website/issues/html/user.help.html website/issues/html/user.item.html
diffstat 8 files changed, 37 insertions(+), 15 deletions(-) [+]
--- a/website/issues/html/_generic.calendar.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/_generic.calendar.html	Thu Jul 02 20:05:02 2020 -0400
@@ -7,6 +7,7 @@
   <title tal:content="string:Roundup Calendar"></title>
   <script language="Javascript"
           type="text/javascript"
+	  tal:attributes="nonce request/client/client_nonce"
           tal:content="structure string:
           // this is the name of the field in the original form that we're working on
           form  = window.opener.document.${request/form/form/value};
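Review bot: The nonce added on this tag marks as trusted an inline script whose body is built with `structure string:` from `${request/form/form/value}`, a request parameter inserted without escaping. If that value is not restricted elsewhere (not visible in this hunk), the Content-Security-Policy nonce then authorizes script text the requester controls, so the policy gives no protection for this element. I would check the parameter against a strict identifier pattern before rendering, or emit it in a `data-` attribute and read it from a static script file. The same applies to the `form`/`field` assignments in _generic.help-list.html, _generic.help-submit.html and _generic.help.html, and probably to `${form}`/`${field}` in user.help-search.html. The script element continues past the end of this hunk.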
--- a/website/issues/html/_generic.help-list.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/_generic.help-list.html	Thu Jul 02 20:05:02 2020 -0400
@@ -4,14 +4,18 @@
     <title>Search result for user helper</title>
     <link rel="stylesheet" type="text/css" href="@@file/style.css" />
     <script language="Javascript" type="text/javascript"
+        tal:attributes="nonce request/client/client_nonce"
         tal:content="structure string:<!--
         // this is the name of the field in the original form that we're working on
         form  = parent.opener.document.${request/form/form/value};
         field  = '${request/form/property/value}';
     //-->"></script>
-    <script src="@@file/help_controls.js" type="text/javascript"></script>
-<script type="text/javascript"><!--
-var text_field = parent.submit.document.frm_help.text_preview;
+    <script src="@@file/help_controls.js"
+	    tal:attributes="nonce request/client/client_nonce"
+	    type="text/javascript"></script>
+    <script type="text/javascript"
+	    tal:attributes="nonce request/client/client_nonce"><!--
+    var text_field = parent.submit.document.frm_help.text_preview;
 //--></script>
   </head>
   <body>
@@ -75,7 +79,8 @@
      </tal:if>
      
      <pre tal:content=request tal:condition=false />
-     <script type="text/javascript"><!--
+     <script type="text/javascript"
+	     tal:attributes="nonce request/client/client_nonce"><!--
        parent.submit.document.frm_help.cb_listpresent.checked=true;
        reviseList_framed(document.dummyform, text_field)
      //--></script>
--- a/website/issues/html/_generic.help-submit.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/_generic.help-submit.html	Thu Jul 02 20:05:02 2020 -0400
@@ -6,6 +6,7 @@
       <tal:block tal:condition="python:'property' in request.form">
       <title>Generic submit page for framed helper windows</title>
       <script language="Javascript" type="text/javascript"
+          tal:attributes="nonce request/client/client_nonce"
           tal:content="structure string:<!--
 // this is the name of the field in the original form that we're working on
 form  = parent.opener.document.${request/form/form/value};
@@ -38,7 +39,8 @@
 }
 //-->">
       </script>
-      <script src="@@file/help_controls.js" type="text/javascript"></script>
+      <script src="@@file/help_controls.js" type="text/javascript"
+	      tal:attributes="nonce request/client/client_nonce"></script>
       </tal:block>
   </head>
  <body class="body" onload="parent.focus();" id="submit">
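Review bot: The `onload="parent.focus();"` attribute on the `<body>` line just below the changed script tag is not covered by this change, because a nonce applies only to `<script>` elements and never to inline event-handler attributes. Under a nonce-based policy without `'unsafe-inline'` (the policy itself is not visible here) this handler is blocked, and allowing `'unsafe-inline'` for it would undo what the nonce is for. I would move it into the nonced script as `window.addEventListener('load', function () { parent.focus(); });`. The inline handler ending in `parent.close();"` in the next hunk and the `<body onload=...>` in user.help-search.html need the same treatment.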
@@ -65,7 +67,8 @@
 { callingform[field].fireEvent('onchange'); } parent.close();"
             i18n:attributes="value" />
  </form>
- <script type="text/javascript"><!--
+ <script type="text/javascript"
+	 tal:attributes="nonce request/client/client_nonce"><!--
 var text_field = document.frm_help.text_preview;
 original_field=form[field].value;
 text_field.value=original_field;
--- a/website/issues/html/_generic.help.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/_generic.help.html	Thu Jul 02 20:05:02 2020 -0400
@@ -10,12 +10,15 @@
        tal:content="property" i18n:translate="" /> help - <span i18n:name="tracker"
        tal:replace="config/TRACKER_NAME" /></title>
       <script language="Javascript" type="text/javascript"
-          tal:content="structure string:
+	      tal:attributes="nonce request/client/client_nonce"
+              tal:content="structure string:
           // this is the name of the field in the original form that we're working on
           form  = window.opener.document.${request/form/form/value};
           field  = '${request/form/property/value}';">
       </script>
-      <script src="@@file/help_controls.js" type="text/javascript"><!--
+      <script src="@@file/help_controls.js"
+	      tal:attributes="nonce request/client/client_nonce"
+	      type="text/javascript"><!--
       //--></script>
       </tal:block>
       </tal:block>
--- a/website/issues/html/page.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/page.html	Thu Jul 02 20:05:02 2020 -0400
@@ -7,7 +7,8 @@
 <link rel="stylesheet" type="text/css" href="@@file/style.css" />
 <meta http-equiv="Content-Type"
  tal:attributes="content string:text/html;; charset=${request/client/charset}" />
-<script tal:replace="structure request/base_javascript">
+<script tal:attributes="nonce request/client/client_nonce"
+	tal:replace="structure request/base_javascript">
 </script>
 <metal:x define-slot="more-javascript" />
 
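Review bot: The `tal:attributes` line added to this tag most likely has no effect, because `tal:replace` substitutes the whole element, attributes included, with the output of `request/base_javascript`. Whether the generated script carries a nonce therefore depends on what `base_javascript` emits, which is not visible in this hunk. I would either drop the attribute or add a comment such as `<!-- nonce is emitted by base_javascript; tal:replace discards attributes set here -->`, so the next reader does not assume this line is what protects the tag.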
@@ -362,7 +363,9 @@
 
 See user.item.html in the classic template for examples.
 -->
-<script metal:define-macro="user_utils" type="text/javascript" src="@@file/user_utils.js"></script>
+<script metal:define-macro="user_utils" type="text/javascript"
+	src="@@file/user_utils.js"
+	tal:attributes="nonce request/client/client_nonce"></script>
 
 <!-- src: value will be re-used for other input fields -->
 <input metal:define-macro="user_src_input"
--- a/website/issues/html/user.help-search.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/user.help-search.html	Thu Jul 02 20:05:02 2020 -0400
@@ -5,13 +5,15 @@
   <head>
     <title>Search input for user helper</title>
     <script language="Javascript" type="text/javascript"
+        tal:attributes="nonce request/client/client_nonce"
         tal:content="structure string:<!--
         // this is the name of the field in the original form that we're working on
         form  = parent.opener.document.${form};
         field  = '${field}';
         //-->">
     </script>
-    <script type="text/javascript" src="@@file/help_controls.js"></script>
+    <script type="text/javascript" src="@@file/help_controls.js"
+	    tal:attributes="nonce request/client/client_nonce"></script>
     <link rel="stylesheet" type="text/css" href="@@file/style.css" />
   </head>
   <body onload="parent.submit.url='...'"
@@ -73,7 +75,8 @@
 
 </form>
 <pre tal:content="request" tal:condition=false />
-<script type="text/javascript"><!--
+<script type="text/javascript"
+	tal:attributes="nonce request/client/client_nonce"><!--
   focus2id('username');
 //--></script>
   </body>
--- a/website/issues/html/user.help.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/user.help.html	Thu Jul 02 20:05:02 2020 -0400
@@ -13,6 +13,7 @@
        tal:content="property" i18n:translate="" /> help - <span i18n:name="tracker"
 	       tal:replace="config/TRACKER_NAME" /></tal:x></title>
       <script language="Javascript" type="text/javascript"
+	      tal:attributes="nonce request/client/client_nonce"
 	      tal:condition=false
           tal:content="structure string:<!--
           // this is the name of the field in the original form that we're working on
@@ -21,7 +22,8 @@
           //-->">
       </script>
       <script src="@@file/help_controls.js"
-     tal:condition=false type="text/javascript"><!--
+	      tal:attributes="nonce request/client/client_nonce"
+	      tal:condition=false type="text/javascript"><!--
       //--></script>
       </tal:block>
   </head>
--- a/website/issues/html/user.item.html	Thu Jul 02 10:38:30 2020 -0400
+++ b/website/issues/html/user.item.html	Thu Jul 02 20:05:02 2020 -0400
@@ -12,8 +12,10 @@
 /></tal:if>
 </title>
 <metal:slot fill-slot="more-javascript">
-<script metal:use-macro="templates/page/macros/user_utils"></script>
-<script type="text/javascript" src="@@file/help_controls.js"></script>
+  <script metal:use-macro="templates/page/macros/user_utils"
+	  tal:attributes="nonce request/client/client_nonce"></script>
+  <script type="text/javascript" src="@@file/help_controls.js"
+	  tal:attributes="nonce request/client/client_nonce"></script>
 </metal:slot>
 <tal:block metal:fill-slot="body_title"
   define="edit_ok context/is_edit_ok">
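Review bot: The nonce set on the `metal:use-macro="templates/page/macros/user_utils"` tag is probably redundant, since macro expansion replaces the calling element with the macro definition, and that definition in page.html already gets its own `tal:attributes="nonce ..."` in this commit. Please confirm from the rendered output that the nonce comes from the definition. If it does, I would keep the call site as `<script metal:use-macro="templates/page/macros/user_utils"></script>`, so there is a single place to maintain.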

Roundup Issue Tracker: http://roundup-tracker.org/