diff options
| author | Dylan William Hardison <dylan@hardison.net> | 2018-02-21 19:59:53 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-21 19:59:53 +0100 |
| commit | d435e0a5b0e07c145f929457313d8d7738f42b14 (patch) | |
| tree | 7ed248a0637b8fcf09380658ad731a0a79cbe600 | |
| parent | c0d4e47a7b543ab406eeee414ae9baf228b43ce4 (diff) | |
| download | bugzilla-d435e0a5b0e07c145f929457313d8d7738f42b14.tar.gz bugzilla-d435e0a5b0e07c145f929457313d8d7738f42b14.tar.xz | |
Bug 1439797 - Enable reporting-only CSP by default
89 files changed, 175 insertions, 152 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 35d6dd687..513d8c302 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -34,8 +34,9 @@ BEGIN { sub DEFAULT_CSP { my %policy = ( default_src => [ 'self' ], - script_src => [ 'self', 'unsafe-inline', 'unsafe-eval', 'https://www.google-analytics.com' ], - child_src => [ 'self', ], + script_src => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ], + frame_src => [ 'none', ], + worker_src => [ 'none', ], img_src => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ], style_src => [ 'self', 'unsafe-inline' ], object_src => [ 'none' ], @@ -45,7 +46,7 @@ sub DEFAULT_CSP { 'https://www.google.com/search' ], frame_ancestors => [ 'none' ], - disable => 1, + report_only => 1, ); if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) { push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login'; @@ -68,11 +69,8 @@ sub SHOW_BUG_MODAL_CSP { # This is from extensions/OrangeFactor/web/js/orange_factor.js 'https://brasstacks.mozilla.com/orangefactor/api/count', ], - child_src => [ - 'self', - # This is for the socorro lens addon and is to be removed by Bug 1332016 - 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm' - ], + frame_src => [ 'none', ], + worker_src => [ 'none', ], ); if (use_attachbase() && $bug_id) { my $attach_base = Bugzilla->localconfig->{'attachment_base'}; @@ -194,7 +192,7 @@ sub content_security_policy { require Bugzilla::CGI::ContentSecurityPolicy; if (%add_params || !$self->{Bugzilla_csp}) { my %params = DEFAULT_CSP; - delete $params{disable} if %add_params && !$add_params{disable}; + delete $params{report_only} if %add_params && !$add_params{report_only}; foreach my $key (keys %add_params) { if (defined $add_params{$key}) { $params{$key} = $add_params{$key}; diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm index 88f2732bc..50a399cdc 100644 --- a/Bugzilla/CGI/ContentSecurityPolicy.pm +++ b/Bugzilla/CGI/ContentSecurityPolicy.pm @@ -34,10 +34,10 @@ my $REFERRER_KEYWORD = enum [qw( my @ALL_BOOL = qw( sandbox upgrade_insecure_requests ); my @ALL_SRC = qw( - default_src child_src connect_src + default_src worker_src connect_src font_src img_src media_src object_src script_src style_src - frame_ancestors form_action + frame_src frame_ancestors form_action ); has \@ALL_SRC => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 ); @@ -51,6 +51,7 @@ local our $cgi = Bugzilla->cgi; local our $template = Bugzilla->template; local our $vars = {}; my $dbh = Bugzilla->dbh; +$cgi->content_security_policy(report_only => 0); my $user = Bugzilla->login(LOGIN_REQUIRED); diff --git a/extensions/BMO/template/en/default/account/create.html.tmpl b/extensions/BMO/template/en/default/account/create.html.tmpl index d29303104..10d5fb5c1 100644 --- a/extensions/BMO/template/en/default/account/create.html.tmpl +++ b/extensions/BMO/template/en/default/account/create.html.tmpl @@ -38,7 +38,7 @@ style_urls = [ 'extensions/BMO/web/styles/create_account.css' ] %] -<script> +<script [% script_nonce FILTER none %]> function onSubmit() { var email = document.getElementById('login').value; var agreed = document.getElementById('etiquette').checked; diff --git a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl index a29f1f4f2..d1ed4b4b5 100644 --- a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl @@ -182,7 +182,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_prototype_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('prototype_date') </script> </div> @@ -200,7 +200,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_production_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('production_date') </script> </div> diff --git a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl index 13620d1c4..eac24e53e 100644 --- a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl @@ -209,7 +209,7 @@ function toggleTypeOther(element) { <span>Calendar</span> </button> <div id="con_calendar_launch_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('launch_date') </script> </div> diff --git a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl index 942b37afa..d97d95b2a 100644 --- a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl @@ -139,7 +139,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_cf_due_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('cf_due_date') </script> </div> diff --git a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl index ab03523ae..841477099 100644 --- a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl @@ -16,7 +16,7 @@ style = ".mandatory{color:red;font-size:80%;}" %] -<script> +<script [% script_nonce FILTER none %]> <!-- function trySubmit() { var alert_text = ""; diff --git a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl index 2d590fcfc..d2b1c1f08 100644 --- a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl @@ -327,7 +327,7 @@ function validate_form() { <span>Calendar</span> </button> <div id="con_calendar_start_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('start_date') </script> </div> @@ -341,7 +341,7 @@ function validate_form() { <span>Calendar</span> </button> <div id="con_calendar_announce_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('announce_date') </script> </div> @@ -355,7 +355,7 @@ function validate_form() { <span>Calendar</span> </button> <div id="con_calendar_cf_due_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('cf_due_date') </script> </div> diff --git a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl index 859d77194..28b8045f6 100644 --- a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl @@ -810,7 +810,7 @@ function showGear() { We do this to help protect the personal identifying information in this [% terms.bugs %]. </p> -<script> +<script [% script_nonce FILTER none %]> initFields(); onPurposeChange(); onAddGearChange(); diff --git a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl index 7df624700..64af64a6b 100644 --- a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl +++ b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl @@ -166,7 +166,7 @@ function toggleGoalOther() { <span>Calendar</span> </button> <div id="con_calendar_timing_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('timing_date') </script> </div> diff --git a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl index 5486684f1..632ccb1e6 100644 --- a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl +++ b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl @@ -30,7 +30,7 @@ <span id="security_group_warning" style="color:red; display:none;"> This security group needs to be set to SHOWN/SHOWN </span> - <script> + <script [% script_nonce FILTER none %]> var toggleGroupWarning = function() { var correct_shown = $('#security_group_id option:selected').data('group-correct-visibility'); if ($('#security_group_id').val() === '' || correct_shown) { diff --git a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl index c66a02371..e28a142ae 100644 --- a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl +++ b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl @@ -35,7 +35,7 @@ [% attachment_data FILTER html %] </pre> [% IF user.id %] - <script> + <script [% script_nonce FILTER none %]> <!-- var patchviewerinstalled = 0; document.write('<button type="button" id="editButton" onclick="editAsComment(patchviewerinstalled);">Edit Attachment As Comment<\/button>'); diff --git a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl index 3c47ca199..d6dec42b9 100644 --- a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl +++ b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl @@ -10,7 +10,7 @@ && (comment.author.login_name == 'tbplbot@gmail.com' || comment.author.login_name == 'orangefactor@bots.tld') %] [% has_tbpl_comment = 1 %] - <script> + <script [% script_nonce FILTER none %]> var id = [% count FILTER none %]; tbpl_comment_ids.push(id); collapse_comment( diff --git a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl index 65bf77967..aa76de122 100644 --- a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl +++ b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl @@ -11,7 +11,7 @@ [% collapse_caption = 'Collapse TinderboxPushlog Comments' %] [% show_caption = 'Show TinderboxPushlog Comments' %] [% hide_caption = 'Hide TinderboxPushlog Comments' %] - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Event.onDOMReady(function () { var ul = document.getElementsByClassName('bz_collapse_expand_comments'); if (ul.length == 0) diff --git a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl index 135e1cd95..f490ad826 100644 --- a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl +++ b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl @@ -10,6 +10,6 @@ [%# Needed for collapsing TinderboxPushlog comments %] [% has_tbpl_comment = 0 %] -<script> +<script [% script_nonce FILTER none %]> var tbpl_comment_ids = new Array(); </script> diff --git a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl index 6e15e50d3..1dec71b8d 100644 --- a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl +++ b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl @@ -7,7 +7,7 @@ #%] [%# Display product and component descriptions after their respective fields %] -<script> +<script [% script_nonce FILTER none %]> var Event = YAHOO.util.Event; var Dom = YAHOO.util.Dom; Event.onDOMReady(function() { diff --git a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl index 31669f47f..87b51c924 100644 --- a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl +++ b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl @@ -45,7 +45,7 @@ id = field.name name = field.name minrows = 4 maxrows = 8 cols = 60 defaultcontent = value %] </div> - <script> + <script [% script_nonce FILTER none %]> hideEditableField('[% field.name FILTER js %]_edit_container', '[% field.name FILTER js %]_input', '[% field.name FILTER js %]_edit_action', diff --git a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl index a538e9347..faf32aa36 100644 --- a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl +++ b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl @@ -162,7 +162,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_reported_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('reported_date') </script> </div> @@ -177,7 +177,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_fixed_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('fixed_date') </script> </div> @@ -192,7 +192,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_awarded_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('awarded_date') </script> </div> diff --git a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl index 79587205c..8ee3d0d59 100644 --- a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl +++ b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl @@ -18,7 +18,7 @@ <h1>JavaScript is required to use this report.</h1> </noscript> -<script> +<script [% script_nonce FILTER none %]> var flags_data = $.parseJSON("[% flags_json FILTER js %]"); var products_data = $.parseJSON("[% products_json FILTER js %]"); var fields_data = $.parseJSON("[% fields_json FILTER js %]"); diff --git a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl index 05efefca5..13904f61b 100644 --- a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl +++ b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl @@ -137,7 +137,7 @@ Show UNCONFIRMED [% terms.bugs %] with: </table> </form> -<script> +<script [% script_nonce FILTER none %]> createCalendar('last_is'); </script> diff --git a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl index 33aa27e3d..075c8edf9 100644 --- a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl +++ b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl @@ -83,7 +83,7 @@ [% END %] </form> -<script> +<script [% script_nonce FILTER none %]> createCalendar('from'); createCalendar('to'); </script> diff --git a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl index 32cb55ea1..bb1381c46 100644 --- a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl +++ b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl @@ -14,7 +14,7 @@ [% SET selectable_products = user.get_selectable_products %] [% SET dont_show_button = 1 %] -<script> +<script [% script_nonce FILTER none %]> var useclassification = false; var first_load = true; var last_sel = []; diff --git a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl index b70a46b35..2a2ab6bc5 100644 --- a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl +++ b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl @@ -23,7 +23,7 @@ } </style> -<script> +<script [% script_nonce FILTER none %]> var Dom = YAHOO.util.Dom; var useclassification = false; var first_load = true; @@ -47,7 +47,7 @@ var watch_users = new Array(); <script src="[% 'js/productform.js' FILTER version FILTER html %]"> </script> -<script> +<script [% script_nonce FILTER none %]> function onSelectProduct() { var component = Dom.get('component'); selectProduct(Dom.get('product'), component); diff --git a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl index e6a04f092..940fc2d11 100644 --- a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl +++ b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl @@ -27,7 +27,7 @@ </td> </tr> -<script> +<script [% script_nonce FILTER none %]> function sanitise_name(name) { return name.toLowerCase() .replace(/[^a-z0-9_]/g, '-') diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl index 98a8f4184..8d8b12505 100644 --- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl +++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl @@ -35,7 +35,7 @@ <input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden"> </form> -<script> +<script [% script_nonce FILTER none %]> var table_data_str = "[% table_data FILTER js %]"; var table_data = $.parseJSON(table_data_str); var editTable = new EditTable('edit_table', table_data); diff --git a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl index 08f90b8d4..0cb5f2ff1 100644 --- a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl +++ b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl @@ -7,7 +7,7 @@ #%] [% IF flag_default_requestees.keys.size %] - <script> + <script [% script_nonce FILTER none %]> var currently_requested = new Array(); var default_requestees = new Array(); [% FOREACH id = flag_currently_requested.keys %] diff --git a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl index 7cadbdca5..88d9d4dd7 100644 --- a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl +++ b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl @@ -21,7 +21,7 @@ #%] [% IF ftc_flags.keys.size %] - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Event.onDOMReady(function() { var selects = YAHOO.util.Dom.getElementsByClassName('flag_select'); for (var i = 0; i < selects.length; i++) { diff --git a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl index b9cfa6fbf..20192841f 100644 --- a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl +++ b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl @@ -32,7 +32,7 @@ Please use the <a href="enter_bug.cgi?format=__default__">advanced [% terms.bug <div id="loading" class="hidden"> Please wait... </div> -<script> +<script [% script_nonce FILTER none %]> YAHOO.util.Dom.removeClass('loading', 'hidden'); </script> @@ -50,7 +50,7 @@ YAHOO.util.Dom.removeClass('loading', 'hidden'); <a id="advanced_link" href="enter_bug.cgi?format=__default__">Switch to the advanced [% terms.bug %] entry form</a> </div> -<script> +<script [% script_nonce FILTER none %]> YAHOO.util.Dom.addClass('loading', 'hidden'); guided.init({ webdev: [% webdev ? "true" : "false" %] }); guided.currentUser = '[% user.login FILTER js %]'; diff --git a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl index c224a4e45..d0a3abb5b 100644 --- a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl +++ b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl @@ -10,7 +10,7 @@ [%# this div exists to allow bugzilla-tweaks to detect when we're active %] <div id="inline-history-ext"></div> -<script> +<script [% script_nonce FILTER none %]> var ih_activity = new Array(); var ih_activity_flags = new Array(); var ih_activity_sort_order = '[% user.settings.comment_sort_order.value FILTER js %]'; diff --git a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl index e07edbc83..7956fcfae 100644 --- a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl +++ b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl @@ -74,7 +74,7 @@ </div> </script> -<script> +<script [% script_nonce FILTER none %]> [% IF Param('splinter_base') %] MyDashboard.splinter_base = '[% Bugzilla.splinter_review_base FILTER js %]'; [% END %] diff --git a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl index 22ee41af6..9ed394fbb 100644 --- a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl +++ b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl @@ -9,7 +9,7 @@ [% PROCESS bug/needinfo.html.tmpl bug => attachment.bug %] -<script> +<script [% script_nonce FILTER none %]> document.getElementById('editButton').addEventListener('click', function() { document.getElementById('attachment_view_window') .appendChild(document.getElementById('needinfo_container')); diff --git a/extensions/Push/template/en/default/pages/push_config.html.tmpl b/extensions/Push/template/en/default/pages/push_config.html.tmpl index 3783ecad6..dd5507bbc 100644 --- a/extensions/Push/template/en/default/pages/push_config.html.tmpl +++ b/extensions/Push/template/en/default/pages/push_config.html.tmpl @@ -12,7 +12,7 @@ style_urls = [ 'extensions/Push/web/admin.css' ] %] -<script> +<script [% script_nonce FILTER none %]> var push_defaults = new Array(); [% FOREACH option = push.config.options %] [% IF option.name != 'enabled' && option.default != '' %] @@ -127,7 +127,7 @@ var push_defaults = new Array(); </tr> [% END %] [% IF name != 'global' %] - <script> + <script [% script_nonce FILTER none %]> var is_enabled = document.getElementById('[% name FILTER js %]_enabled').value == 'Enabled'; toggle_options(is_enabled, '[% name FILTER js %]'); </script> diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl index 62f45d568..5c19ac758 100644 --- a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl +++ b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl @@ -23,7 +23,7 @@ any persons designated in the CC line, and authorized members of the Mozilla Rep team.</p> -<script> +<script [% script_nonce FILTER none %]> function trySubmit() { var firstname = document.getElementById('firstname').value; var lastname = document.getElementById('lastname').value; @@ -135,7 +135,7 @@ function validateAndSubmit() { <span>Calendar</span> </button> <div id="con_calendar_cf_due_date"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('cf_due_date') </script> </td> diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl index 10f65de39..af3db60bc 100644 --- a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl +++ b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl @@ -17,7 +17,7 @@ [% USE Bugzilla %] [% mandatory = '<span class="mandatory" title="Required">*</span>' %] -<script> +<script [% script_nonce FILTER none %]> var Dom = YAHOO.util.Dom; function mandatory(elements) { diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl index bc7c0d146..18b5a6c38 100644 --- a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl +++ b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl @@ -27,7 +27,7 @@ <p>These requests will only be visible to the person who submitted the request, any persons designated in the CC line, and authorized members of the Mozilla Rep team.</p> -<script> +<script [% script_nonce FILTER none %]> function trySubmit() { var eventname = document.getElementById('eventname').value; var shortdesc = 'Swag Request - ' + eventname; diff --git a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl index 4b4f237c2..1e1889089 100644 --- a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl +++ b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl @@ -30,7 +30,7 @@ 'js/field.js' ] %] -<script></script> +<script [% script_nonce FILTER none %]></script> <h1>Mozilla Reps - Payment Form</h1> diff --git a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl index 22d95d694..ed5ae7b36 100644 --- a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl +++ b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl @@ -10,7 +10,7 @@ [% bug = attachment.bug %] [% END %] -<script> +<script [% script_nonce FILTER none %]> $(function() { [% IF bug.product_obj.reviewer_required %] REVIEW.init_mandatory(); diff --git a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl index be866ae4b..5e7629eac 100644 --- a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl +++ b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl @@ -7,7 +7,7 @@ #%] [% IF attachment.bug.product_obj.reviewer_required %] -<script> +<script [% script_nonce FILTER none %]> $(function() { REVIEW.init_mandatory(); }); diff --git a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl index c2c574bd9..04ec1b13b 100644 --- a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl +++ b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl @@ -6,7 +6,7 @@ # defined by the Mozilla Public License, v. 2.0. #%] -<script> +<script [% script_nonce FILTER none %]> $(function() { [% IF product.reviewer_required %] REVIEW.init_mandatory(); diff --git a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl index b2f375b88..2392f5f6a 100644 --- a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl +++ b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl @@ -36,7 +36,7 @@ %] <br> </div> - <script> + <script [% script_nonce FILTER none %]> hideEditableField('bz_bug_mentors_edit_container', 'bz_bug_mentors_input', 'bz_bug_mentors_edit_action', diff --git a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl index 2c06f4950..771bc803c 100644 --- a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl +++ b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl @@ -12,6 +12,6 @@ <a href="#" id="[% fid FILTER none %]_suggestions_link">suggested reviewers ▾</a> </span> -<script> +<script [% script_nonce FILTER none %]> REVIEW.init_review_flag('[% fid FILTER none %]', '[% flag_name FILTER none %]'); </script> diff --git a/extensions/Review/template/en/default/pages/review_history.html.tmpl b/extensions/Review/template/en/default/pages/review_history.html.tmpl index d80ed5e0a..c8263bc52 100644 --- a/extensions/Review/template/en/default/pages/review_history.html.tmpl +++ b/extensions/Review/template/en/default/pages/review_history.html.tmpl @@ -19,7 +19,7 @@ 'js/field.js' ] %] -<script> +<script [% script_nonce FILTER none %]> $(function () { YUI({ base: 'js/yui3/', diff --git a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl index 1b65e71a8..a90266dae 100644 --- a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl +++ b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl @@ -31,7 +31,7 @@ </td> </tr> -<script> +<script [% script_nonce FILTER none %]> $(function() { 'use strict'; var securemail_groups = []; diff --git a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl index 9e59f1520..b5cab5c59 100644 --- a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl +++ b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl @@ -37,7 +37,7 @@ [% can_edit = 0 %] -<script> +<script [% script_nonce FILTER none %]> Splinter.configBase = '[% Bugzilla.splinter_review_base FILTER js %]'; Splinter.configBugUrl = '[% urlbase FILTER js %]'; Splinter.configHaveExtension = true; @@ -229,7 +229,7 @@ any_flags_requesteeble = any_flags_requesteeble %] [% END %] - <script> + <script [% script_nonce FILTER none %]> [% FOREACH flag_type = flag_types %] [% NEXT UNLESS flag_type.is_active %] Event.addListener('flag_type-[% flag_type.id FILTER js %]', 'change', diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl index 962271254..3fbb622de 100644 --- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl @@ -32,7 +32,7 @@ [% value.name FILTER html %]</option> [% END %] </select> - <script> + <script [% script_nonce FILTER none %]> initHidingOptionsForIE('[% flag.name FILTER js %]'); </script> [% IF !new_bug && user.id %] @@ -47,7 +47,7 @@ </tr> [% END %] -<script> +<script [% script_nonce FILTER none %]> var tracking_flags_str = "[% tracking_flags_json FILTER js %]"; TrackingFlags = $.parseJSON(tracking_flags_str); </script> diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl index 4bb9e1eab..005cc8062 100644 --- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl @@ -28,7 +28,7 @@ END; %] -<script> +<script [% script_nonce FILTER none %]> $(function() { var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]"; var tracking_flag_components = $.parseJSON(tracking_flag_components_str); diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl index 1571fc4f9..1fccf6949 100644 --- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl @@ -40,7 +40,7 @@ [% END %] [% END %] -<script> +<script [% script_nonce FILTER none %]> var tracking_flags_str = "[% tracking_flags_json FILTER js %]"; var TrackingFlags = $.parseJSON(tracking_flags_str); hide_tracking_flags(); diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl index fb09b0ac1..91f89ea73 100644 --- a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl @@ -29,7 +29,7 @@ </option> [% END %] </select> -<script> +<script [% script_nonce FILTER none %]> <!-- initHidingOptionsForIE('[% field.name FILTER js %]'); [%+ INCLUDE "bug/field-events.js.tmpl" diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl index e381c4f1c..e1263a308 100644 --- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl @@ -29,7 +29,7 @@ var selected_components = [ style_urls = [ 'extensions/TrackingFlags/web/styles/admin.css' ] %] -<script> +<script [% script_nonce FILTER none %]> var groups_str = "[% groups || '[]' FILTER js %]"; var groups = $.parseJSON(groups_str); var flag_values_str = "[% values || '[]' FILTER js %]"; diff --git a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl index c6a16f7d0..e063ac942 100644 --- a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl +++ b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl @@ -11,7 +11,7 @@ [% can_edit_story = bug.check_can_change_field('cf_user_story', 0, 1) %] <div class="user_story"> - <script> + <script [% script_nonce FILTER none %]> function userStoryComment() { var commenttext = "(Commenting on User Story)\n"; var text_elem = document.getElementById('user_story'); @@ -61,7 +61,7 @@ cols = constants.COMMENT_COLS defaultcontent = bug.cf_user_story %] </div> - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Event.addListener('user_story_edit_action', 'click', function() { YAHOO.util.Dom.addClass('user_story_edit', 'bz_default_hidden'); YAHOO.util.Dom.addClass('user_story_readonly', 'bz_default_hidden'); diff --git a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl index 77734408a..6079ec616 100644 --- a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl +++ b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl @@ -32,7 +32,7 @@ defaultcontent = user_story_default %] </div> - <script> + <script [% script_nonce FILTER none %]> var user_story_exclude_components = []; [% FOREACH c = default.user_story_visible.1 %] user_story_exclude_components.push('[% c FILTER js %]'); diff --git a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl index e5a29ba56..fde6434de 100644 --- a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl +++ b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl @@ -50,7 +50,7 @@ value="[% product.votestoconfirm FILTER html %]"> <br>(Setting this to 0 disables auto-confirming [% terms.bugs %] by vote.) - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Event.addListener('allows_unconfirmed', 'change', function() { bz_toggleClass('votes_to_confirm_container', 'bz_default_hidden'); }); diff --git a/report.cgi b/report.cgi index b9f398cae..7ec2bb04f 100755 --- a/report.cgi +++ b/report.cgi @@ -25,6 +25,8 @@ my $cgi = Bugzilla->cgi; my $template = Bugzilla->template; my $vars = {}; +$cgi->content_security_policy(report_only => 0); + # Go straight back to query.cgi if we are adding a boolean chart. if (grep(/^cmd-/, $cgi->param())) { my $params = $cgi->canonicalise_query("format", "ctype"); diff --git a/static/metricsgraphics/socorro-lens.html b/static/metricsgraphics/socorro-lens.html index 786394228..9af061323 100644 --- a/static/metricsgraphics/socorro-lens.html +++ b/static/metricsgraphics/socorro-lens.html @@ -37,7 +37,7 @@ </div> <div style="width:300px; height:75px; color:red; text-align:center; visibility:hidden;" id='warn'></div> <script src='js/main.js'></script> - <script> + <script [% script_nonce FILTER none %]> document.addEventListener('DOMContentLoaded', function () { document.querySelector('select[name="channel"]').onchange = channelEventHandler; document.querySelector('select[name="match"]').onchange = matchEventHandler; diff --git a/template/en/default/account/prefs/email.html.tmpl b/template/en/default/account/prefs/email.html.tmpl index d09bffc5d..014bf4f3d 100644 --- a/template/en/default/account/prefs/email.html.tmpl +++ b/template/en/default/account/prefs/email.html.tmpl @@ -41,7 +41,7 @@ filter some or all notifications. </p> -<script> +<script [% script_nonce FILTER none %]> <!-- function SetCheckboxes(setting) { for (var count = 0; count < document.userprefsform.elements.length; count++) { diff --git a/template/en/default/account/prefs/saved-searches.html.tmpl b/template/en/default/account/prefs/saved-searches.html.tmpl index 58448eb5e..426b593dc 100644 --- a/template/en/default/account/prefs/saved-searches.html.tmpl +++ b/template/en/default/account/prefs/saved-searches.html.tmpl @@ -25,7 +25,7 @@ #%] [% IF user.can_bless %] - <script><!-- + <script [% script_nonce FILTER none %]><!-- function update_checkbox(group) { var bless_groups = [[% bless_group_ids.join(",") FILTER js %]]; var checkbox = document.getElementById(group.name.replace(/share_(\d+)/, "force_$1")); diff --git a/template/en/default/account/prefs/settings.html.tmpl b/template/en/default/account/prefs/settings.html.tmpl index b09d7a491..c7208ff29 100644 --- a/template/en/default/account/prefs/settings.html.tmpl +++ b/template/en/default/account/prefs/settings.html.tmpl @@ -80,7 +80,7 @@ </table> [% END %] -<script> +<script [% script_nonce FILTER none %]> $().ready(function() { var id = document.location.hash.substring(1) + '_row'; $('#' + id).addClass('highlighted'); diff --git a/template/en/default/admin/custom_fields/create.html.tmpl b/template/en/default/admin/custom_fields/create.html.tmpl index 41852de03..2b3f0eadb 100644 --- a/template/en/default/admin/custom_fields/create.html.tmpl +++ b/template/en/default/admin/custom_fields/create.html.tmpl @@ -32,7 +32,7 @@ %] [%# set initial editability of fields such as Reverse Relationship Description %] -<script> +<script [% script_nonce FILTER none %]> YAHOO.util.Event.onDOMReady(function() {onChangeType(document.getElementById('type'))}); </script> diff --git a/template/en/default/admin/params/common.html.tmpl b/template/en/default/admin/params/common.html.tmpl index 4941afa38..cd135e1d2 100644 --- a/template/en/default/admin/params/common.html.tmpl +++ b/template/en/default/admin/params/common.html.tmpl @@ -111,7 +111,7 @@ </tr> </table> - <script> + <script [% script_nonce FILTER none %]> bz_toggleClass("input_[% param.name FILTER html %]", "bz_default_hidden"); bz_toggleClass("table_[% param.name FILTER html %]", "bz_default_hidden"); </script> diff --git a/template/en/default/admin/workflow/comment.html.tmpl b/template/en/default/admin/workflow/comment.html.tmpl index 9b447f777..8f64c77a6 100644 --- a/template/en/default/admin/workflow/comment.html.tmpl +++ b/template/en/default/admin/workflow/comment.html.tmpl @@ -21,7 +21,7 @@ style_urls = ['skins/standard/admin.css'] %] -<script> +<script [% script_nonce FILTER none %]> <!-- function toggle_cell(cell) { if (cell.checked) diff --git a/template/en/default/admin/workflow/edit.html.tmpl b/template/en/default/admin/workflow/edit.html.tmpl index 5646c294d..97bbec796 100644 --- a/template/en/default/admin/workflow/edit.html.tmpl +++ b/template/en/default/admin/workflow/edit.html.tmpl @@ -21,7 +21,7 @@ style_urls = ['skins/standard/admin.css'] %] -<script> +<script [% script_nonce FILTER none %]> <!-- function toggle_cell(cell) { if (cell.checked) diff --git a/template/en/default/attachment/create.html.tmpl b/template/en/default/attachment/create.html.tmpl index e058b3def..329e0ab49 100644 --- a/template/en/default/attachment/create.html.tmpl +++ b/template/en/default/attachment/create.html.tmpl @@ -39,7 +39,7 @@ doc_section = "attachments.html" %] -<script> +<script [% script_nonce FILTER none %]> <!-- TUI_hide_default('attachment_text_field'); --> diff --git a/template/en/default/attachment/createformcontents.html.tmpl b/template/en/default/attachment/createformcontents.html.tmpl index dc861b7a6..41a02a913 100644 --- a/template/en/default/attachment/createformcontents.html.tmpl +++ b/template/en/default/attachment/createformcontents.html.tmpl @@ -21,13 +21,22 @@ # Marc Schumann <wurblzap@gmail.com> #%] +<script [% script_nonce FILTER none %]> + document.addEventListener("DOMContentLoaded", function (event) { + document.querySelector("#attachment_data_controller").addEventListener( + "click", function (event) { + TUI_toggle_class('attachment_text_field'); + TUI_toggle_class('attachment_data'); + }); + }); +</script> + <tr class="attachment_data"> <th><label for="data">File</label>:</th> <td> <em>Enter the path to the file on your computer</em> (or - <a id="attachment_data_controller" href="javascript:TUI_toggle_class('attachment_text_field'); - javascript:TUI_toggle_class('attachment_data')" - >paste text as attachment</a>).<br> + <a id="attachment_data_controller"> + paste text as attachment</a>).<br> <input type="file" id="data" name="data" size="50"> </td> </tr> @@ -58,7 +67,7 @@ <input type="checkbox" id="ispatch" name="ispatch" value="1"> <label for="ispatch">patch</label><br><br> [%# Reset this whenever the page loads so that the JS state is up to date %] - <script [% csp_nonce FILTER none %]> + <script [% script_nonce FILTER none %]> $(function() { $("#file").on("change", function() { DataFieldHandler(); diff --git a/template/en/default/attachment/diff-file.html.tmpl b/template/en/default/attachment/diff-file.html.tmpl index 70fbf554c..d510b5a5e 100644 --- a/template/en/default/attachment/diff-file.html.tmpl +++ b/template/en/default/attachment/diff-file.html.tmpl @@ -45,7 +45,7 @@ [% END %] [% END %] </td></tr></thead><tbody class="[% collapsed ? 'file_collapse' : 'file' %]"> -<script> +<script [% script_nonce FILTER none %]> incremental_restore() </script> diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index 43bf4c83c..d06d4ad56 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -219,7 +219,7 @@ <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b> </iframe> [% END %] - <script> + <script [% script_nonce FILTER none %]> <!-- var patchviewerinstalled = 0; var attachment_id = [% attachment.id %]; @@ -328,7 +328,7 @@ [% END %] </div> [% IF can_edit %] - <script> + <script [% script_nonce FILTER none %]> <!-- YAHOO.util.Dom.removeClass( document.body, "no_javascript" ); toggle_attachment_details_visibility( ); diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl index 50800dd8e..16e94586c 100644 --- a/template/en/default/attachment/list.html.tmpl +++ b/template/en/default/attachment/list.html.tmpl @@ -19,7 +19,7 @@ # Frédéric Buclin <LpSolit@gmail.com> #%] -<script> +<script [% script_nonce FILTER none %]> <!-- function toggle_display(link) { var table = document.getElementById("attachment_table"); diff --git a/template/en/default/bug/comments.html.tmpl b/template/en/default/bug/comments.html.tmpl index 2346983b2..7af08efde 100644 --- a/template/en/default/bug/comments.html.tmpl +++ b/template/en/default/bug/comments.html.tmpl @@ -25,7 +25,7 @@ <script src="[% 'js/comments.js' FILTER version %]"> </script> -<script> +<script [% script_nonce FILTER none %]> <!-- /* Adds the reply text to the 'comment' textarea */ function replyToComment(id, real_id, name) { @@ -191,13 +191,13 @@ [% IF comment.collapsed %] </span> [% END %] - <script> + <script [% script_nonce FILTER none %]> addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display'); </script> </span> [% ELSIF comment.collapsed %] <span class="bz_comment_actions"> - <script> + <script [% script_nonce FILTER none %]> addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display'); </script> </span> @@ -270,7 +270,7 @@ [% " bz_default_hidden" UNLESS comment.tags.size %]"> <span id="ct_[% comment.count %]"> [% IF comment.tags.size %] - <script> + <script [% script_nonce FILTER none %]> YAHOO.bugzilla.commentTagging.showTags([% comment.id FILTER none %], [% comment.count FILTER none %], [ [% FOREACH tag = comment.tags %] diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl index 9420f1330..a1c2c2e08 100644 --- a/template/en/default/bug/create/create-guided.html.tmpl +++ b/template/en/default/bug/create/create-guided.html.tmpl @@ -41,7 +41,7 @@ [% tablecolour = "#FFFFCC" %] [%# This script displays the descriptions for selected components. %] -<script> +<script [% script_nonce FILTER none %]> var descriptions = [ [% FOREACH c = product.components %] '[% c.description FILTER js %]', @@ -181,7 +181,7 @@ function PutDescription() { <td valign="top" width="100%"> <div id="description" style="color: green; margin-left: 10px; height: 5em; overflow: auto;"> - <script> + <script [% script_nonce FILTER none %]> if ((document.getElementById) && (document.body.innerHTML)) { document.write("\ Select a component to see its description here."); diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl index 567c58d58..3185374e5 100644 --- a/template/en/default/bug/create/create.html.tmpl +++ b/template/en/default/bug/create/create.html.tmpl @@ -40,7 +40,7 @@ onload = "init();" %] -<script> +<script [% script_nonce FILTER none %]> <!-- function init() { @@ -217,7 +217,7 @@ TUI_hide_default('attachment_text_field'); <input type="button" id="expert_fields_controller" value="Hide Advanced Fields" onClick="toggleAdvancedFields()"> [%# Show the link if the browser supports JS %] - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Dom.removeClass('expert_fields_controller', 'bz_default_hidden'); </script> @@ -276,7 +276,7 @@ TUI_hide_default('attachment_text_field'); [%- END %] </select> - <script> + <script [% script_nonce FILTER none %]> <!-- [%+ INCLUDE "bug/field-events.js.tmpl" field = bug_fields.component, product = product %] @@ -492,7 +492,7 @@ TUI_hide_default('attachment_text_field'); <th>Possible<br>Duplicates:</th> <td colspan="3"> <div id="possible_duplicates"></div> - <script> + <script [% script_nonce FILTER none %]> var dt_columns = [ { key: "id", label: "[% field_descs.bug_id FILTER js %]", formatter: YAHOO.bugzilla.dupTable.formatBugLink }, diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl index 84a20b97e..b424d5542 100644 --- a/template/en/default/bug/edit.html.tmpl +++ b/template/en/default/bug/edit.html.tmpl @@ -49,7 +49,7 @@ </div> [% END %] [% IF user.id %] - <script> + <script [% script_nonce FILTER none %]> YAHOO.bugzilla.commentTagging.init([% user.can_tag_comments ? 'true' : 'false' %]); YAHOO.bugzilla.commentTagging.min_len = [% constants.MIN_COMMENT_TAG_LENGTH FILTER js %]; YAHOO.bugzilla.commentTagging.max_len = [% constants.MAX_COMMENT_TAG_LENGTH FILTER js %]; @@ -64,7 +64,7 @@ [% END %] [% END %] -<script> +<script [% script_nonce FILTER none %]> <!-- [% IF user.is_timetracker %] var fRemainingTime = [% bug.remaining_time %]; // holds the original value @@ -300,7 +300,7 @@ </table> </div> </div> - <script> + <script [% script_nonce FILTER none %]> hideAliasAndSummary('[% bug.short_desc FILTER js %]', '[% bug.alias FILTER js %]'); </script> [% END %] @@ -591,7 +591,7 @@ [%# BMO - hook for adding mentors %] [% Hook.process("after_people", "bug/edit.html.tmpl") %] - <script> + <script [% script_nonce FILTER none %]> assignToDefaultOnChange(['product', 'component'], '[% bug.component_obj.default_assignee.login FILTER js %]', '[% bug.component_obj.default_qa_contact.login FILTER js %]'); @@ -998,7 +998,7 @@ [% IF !bug_flags_set %]<em>None yet set</em>[% END %] (<a href="#" id="bz_flags_more_action">[% IF !bug_flags_set %]set[% ELSE %]more[% END %] flags</a>) </span> - <script> + <script [% script_nonce FILTER none %]> YAHOO.util.Dom.removeClass('bz_flags_more_container', 'bz_default_hidden'); var table = YAHOO.util.Dom.get("flags"); var rows = YAHOO.util.Dom.getElementsByClassName('bz_flag_type', 'tbody', table); @@ -1248,7 +1248,7 @@ [% BLOCK summon_comment_box %] <div id="comment_top_hat"> - <script> + <script [% script_nonce FILTER none %]> function summonCommentBox() { var commentbox = document.getElementById('add_comment'); document.getElementById('comment_top_hat').appendChild(commentbox); diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl index b9bee6de3..1d6048cdd 100644 --- a/template/en/default/bug/field.html.tmpl +++ b/template/en/default/bug/field.html.tmpl @@ -74,7 +74,7 @@ <div id="con_calendar_[% field.name FILTER html %]"></div> - <script> + <script [% script_nonce FILTER none %]> createCalendar('[% field.name FILTER js %]') </script> [% CASE constants.FIELD_TYPE_BUG_ID %] @@ -91,7 +91,7 @@ <span id="[% field.name FILTER html %]_edit_container" class="edit_me bz_default_hidden"> (<a href="#" id="[% field.name FILTER html %]_edit_action">edit</a>) </span> - <script> + <script [% script_nonce FILTER none %]> hideEditableField('[% field.name FILTER js %]_edit_container', '[% field.name FILTER js %]_input_area', '[% field.name FILTER js %]_edit_action', @@ -175,7 +175,7 @@ <input type="hidden" name="defined_[% field.name FILTER html %]"> [% END %] - <script> + <script [% script_nonce FILTER none %]> <!-- initHidingOptionsForIE('[% field.name FILTER js %]'); [%+ INCLUDE "bug/field-events.js.tmpl" @@ -197,7 +197,7 @@ id = field.name name = field.name minrows = 4 maxrows = 8 cols = 60 defaultcontent = value mandatory = field.is_mandatory %] </div> - <script> + <script [% script_nonce FILTER none %]> hideEditableField('[% field.name FILTER js %]_edit_container', '[% field.name FILTER js %]_input', '[% field.name FILTER js %]_edit_action', @@ -230,7 +230,7 @@ [% IF !bug.id %]value="[% value FILTER html %]"[% END %]> </div> [% IF bug.id %] - <script> + <script [% script_nonce FILTER none %]> setupEditLink('[% field.name FILTER js %]'); </script> [% END %] @@ -241,7 +241,7 @@ name="[% field.name FILTER html %]" data-values="[% field.name FILTER html %]" value="[% value FILTER html %]"> - <script> + <script [% script_nonce FILTER none %]> if (typeof BUGZILLA.autocomplete_values === 'undefined') BUGZILLA.autocomplete_values = []; BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [ diff --git a/template/en/default/bug/knob.html.tmpl b/template/en/default/bug/knob.html.tmpl index a0a5dc647..16aa160f6 100644 --- a/template/en/default/bug/knob.html.tmpl +++ b/template/en/default/bug/knob.html.tmpl @@ -70,7 +70,7 @@ [% END %] </div> -<script> +<script [% script_nonce FILTER none %]> var close_status_array = [ [% FOREACH status = bug.choices.bug_status %] [% NEXT IF status.is_open %] diff --git a/template/en/default/bug/summarize-time.html.tmpl b/template/en/default/bug/summarize-time.html.tmpl index 120bd74ad..9f2742694 100644 --- a/template/en/default/bug/summarize-time.html.tmpl +++ b/template/en/default/bug/summarize-time.html.tmpl @@ -341,7 +341,7 @@ </tr></table> </form> -<script> +<script [% script_nonce FILTER none %]> <!-- createCalendar('start_date'); createCalendar('end_date'); diff --git a/template/en/default/list/edit-multiple.html.tmpl b/template/en/default/list/edit-multiple.html.tmpl index 427acba37..eb989d15c 100644 --- a/template/en/default/list/edit-multiple.html.tmpl +++ b/template/en/default/list/edit-multiple.html.tmpl @@ -28,7 +28,7 @@ <input type="hidden" name="dontchange" value="[% dontchange FILTER html %]"> <input type="hidden" name="token" value="[% token FILTER html %]"> -<script> +<script [% script_nonce FILTER none %]> function SetCheckboxes(value) { var elements = document.forms.changeform.getElementsByTagName('input'), numelements = elements.length, @@ -328,7 +328,7 @@ [% IF groups.size > 0 %] - <script> + <script [% script_nonce FILTER none %]> function turn_off(myself, id) { var other_checkbox = document.getElementById(id); if (myself.checked && other_checkbox) { @@ -443,7 +443,7 @@ </select> </span> - <script> + <script [% script_nonce FILTER none %]> var close_status_array = new Array("[% closed_status_array.join('", "') FILTER none %]"); YAHOO.util.Event.addListener('bug_status', "change", showHideStatusItems, '[% "is_duplicate" IF bug.dup_id %]'); YAHOO.util.Event.onDOMReady( showHideStatusItems ); diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl index 671722c85..8714fec7d 100644 --- a/template/en/default/list/quips.html.tmpl +++ b/template/en/default/list/quips.html.tmpl @@ -140,7 +140,7 @@ [% END %] </tbody> </table> - <script><!-- + <script [% script_nonce FILTER none %]><!-- var numelements = document.forms.editform.elements.length; function SetCheckboxes(value) { var item; diff --git a/template/en/default/mfa/duo/verify.html.tmpl b/template/en/default/mfa/duo/verify.html.tmpl index 799efba7b..f3f49657a 100644 --- a/template/en/default/mfa/duo/verify.html.tmpl +++ b/template/en/default/mfa/duo/verify.html.tmpl @@ -84,7 +84,7 @@ $(function() { [% END %] </form> -<script> +<script [% script_nonce FILTER none %]> Duo.init({ 'host': '[% Param('duo_host') FILTER js %]', 'sig_request': '[% sig_request FILTER js %]', diff --git a/template/en/default/reports/create-chart.html.tmpl b/template/en/default/reports/create-chart.html.tmpl index 1e6945ebc..e20d8522f 100644 --- a/template/en/default/reports/create-chart.html.tmpl +++ b/template/en/default/reports/create-chart.html.tmpl @@ -33,7 +33,7 @@ donames = 1 %] -<script> +<script [% script_nonce FILTER none %]> [%# This function takes necessary action on selection of a subcategory %] function subcatSelected() { var cat = document.chartform.category.value; @@ -55,6 +55,15 @@ function subcatSelected() { checkNewState(); } +document.addEventListener("DOMContentLoaded", function(event) { + document.chartform.category.addEventListener("change", function (event) { + catSelected(); + return subcatSelected(); + }); + document.chartform.subcategory.addEventListener("change", function (event) { + return subcatSelected(); + }); +}); </script> [% gttext = "Grand Total" %] @@ -79,23 +88,20 @@ function subcatSelected() { </th> </tr> <tr> - - [% PROCESS series_select sel = { name => 'category', - size => 5, - onchange = "catSelected(); - subcatSelected();" } %] - + + [% PROCESS series_select sel = { name => 'category', + size => 5 } %] + <td> <noscript> <input type="submit" name="action-assemble" value="Update -->" id="action-assemble"> </noscript> </td> - - [% PROCESS series_select sel = { name => 'subcategory', - size => 5, - onchange = "subcatSelected()" } %] - + + [% PROCESS series_select sel = { name => 'subcategory', + size => 5 } %] + <td> <noscript> <input type="submit" name="action-assemble" value="Update -->" diff --git a/template/en/default/reports/keywords.html.tmpl b/template/en/default/reports/keywords.html.tmpl index 97a2d44d2..491bac78e 100644 --- a/template/en/default/reports/keywords.html.tmpl +++ b/template/en/default/reports/keywords.html.tmpl @@ -34,7 +34,7 @@ title = "$terms.Bugzilla Keyword Descriptions" %] -<script> +<script [% script_nonce FILTER none %]> $(document).ready(function () { var show_inactive_keywords = [% show_inactive_keywords ? "true" : "false" FILTER none %], link = $("#keywords_show_hide"), diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index e8f926f64..096eb171a 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -46,7 +46,7 @@ [% urlbase = BLOCK %][% urlbase %]&[% tbl_field FILTER uri %]=[% tbl FILTER uri %][% END %] [% END %] -<script> +<script [% script_nonce FILTER none %]> function bz_encode (str, decode) { // First decode HTML entities, if requested. if (decode) diff --git a/template/en/default/reports/series-common.html.tmpl b/template/en/default/reports/series-common.html.tmpl index 469eb79c5..b8032255d 100644 --- a/template/en/default/reports/series-common.html.tmpl +++ b/template/en/default/reports/series-common.html.tmpl @@ -29,7 +29,7 @@ [% subcategory = category.${default.category} %] [% name = subcategory.${default.subcategory} %] -<script> +<script [% script_nonce FILTER none %]> [%# This structure holds details of the series the user can select from. %] var series = { [% FOREACH c = category.keys.sort %] diff --git a/template/en/default/reports/series.html.tmpl b/template/en/default/reports/series.html.tmpl index 3cf939003..164c30355 100644 --- a/template/en/default/reports/series.html.tmpl +++ b/template/en/default/reports/series.html.tmpl @@ -29,7 +29,16 @@ [% PROCESS "reports/series-common.html.tmpl" newtext = "New (name below)" %] - + +<script [% script_nonce FILTER none %]> + document.addEventListener("DOMContentLoaded", function (event) { + if (document.chartform) { + document.chartform.category.addEventListener("change", (event) => catSelected()); + document.chartform.subcategory.addEventListener("change", (event) => checkNewState()); + } + }); +</script> + <table cellpadding="2" cellspacing="2" border="0" style="text-align: left; margin-left: 20px"> <tbody> @@ -42,19 +51,17 @@ </tr> <tr> [% PROCESS series_select sel = { name => 'category', - size => 5, - onchange => "catSelected()" } %] + size => 5 } %] <td> <noscript> <input type="submit" name="action-edit" value="Update -->" id="action-edit"> </noscript> </td> - - [% PROCESS series_select sel = { name => 'subcategory', - size => 5, - onchange => "checkNewState()" } %] - + + [% PROCESS series_select sel = { name => 'subcategory', + size => 5 } %] + <td valign="top" name="name"> <input type="text" name="name" maxlength="64" value="[% default.name.0 FILTER html %]" size="25"> diff --git a/template/en/default/request/queue.html.tmpl b/template/en/default/request/queue.html.tmpl index d40281f50..c4b48b024 100644 --- a/template/en/default/request/queue.html.tmpl +++ b/template/en/default/request/queue.html.tmpl @@ -31,7 +31,7 @@ style_urls = ['skins/standard/buglist.css'] %] -<script> +<script [% script_nonce FILTER none %]> var useclassification = false; // No classification level in use var first_load = true; // Is this the first time we load the page? var last_sel = []; // Caches last selection diff --git a/template/en/default/search/boolean-charts.html.tmpl b/template/en/default/search/boolean-charts.html.tmpl index 455cb48b8..767ea7563 100644 --- a/template/en/default/search/boolean-charts.html.tmpl +++ b/template/en/default/search/boolean-charts.html.tmpl @@ -70,7 +70,7 @@ with_buttons = 1 condition = { f => 'noop' } cond_num = cond_num + 1 %] - <script> + <script [% script_nonce FILTER none %]> TUI_alternates['custom_search_query'] = '►'; TUI_hide_default('custom_search_query'); TUI_alternates['custom_search_advanced'] = "Show Advanced Features"; @@ -78,7 +78,7 @@ </script> <script src="[% 'js/custom-search.js' FILTER version %]"></script> <script src="[% 'js/history.js/native.history.js' FILTER version %]"></script> - <script> + <script [% script_nonce FILTER none %]> redirect_html4_browsers(); [%# These are alternative labels for the AND and OR options in and_all_select %] var cs_and_label = 'Match ALL of the following:'; diff --git a/template/en/default/search/field.html.tmpl b/template/en/default/search/field.html.tmpl index 0d10d4f6b..456cf088a 100644 --- a/template/en/default/search/field.html.tmpl +++ b/template/en/default/search/field.html.tmpl @@ -63,7 +63,7 @@ [% IF onchange %] onchange="[% onchange FILTER html %]"[% END %] value="[% value FILTER html %]" data-values="[% field.name FILTER html %]"> - <script> + <script [% script_nonce FILTER none %]> if (typeof BUGZILLA.autocomplete_values === 'undefined') BUGZILLA.autocomplete_values = []; BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [ @@ -100,7 +100,7 @@ <small>(YYYY-MM-DD or relative dates)</small> <span id="con_calendar_[% field.name FILTER html %]to"></span> - <script> + <script [% script_nonce FILTER none %]> createCalendar('[% field.name FILTER js %]'); createCalendar('[% field.name FILTER js %]to'); </script> diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl index 49c311806..4d78a53da 100644 --- a/template/en/default/search/form.html.tmpl +++ b/template/en/default/search/form.html.tmpl @@ -23,7 +23,7 @@ [% PROCESS "global/field-descs.none.tmpl" %] -<script> +<script [% script_nonce FILTER none %]> var first_load = true; [%# is this the first time we load the page? %] var last_sel = new Array(); [%# caches last selection %] @@ -394,7 +394,7 @@ TUI_hide_default('information_query'); onclick="showCalendar('chfieldto')"><span>Calendar</span></button> <div id="con_calendar_chfieldto"></div> (YYYY-MM-DD or relative dates) - <script> + <script [% script_nonce FILTER none %]> createCalendar('chfieldfrom'); createCalendar('chfieldto'); </script> diff --git a/template/en/default/search/search-create-series.html.tmpl b/template/en/default/search/search-create-series.html.tmpl index 335448de9..e0b7ff562 100644 --- a/template/en/default/search/search-create-series.html.tmpl +++ b/template/en/default/search/search-create-series.html.tmpl @@ -56,7 +56,7 @@ <input type="hidden" name="action" value="create"> <input type="hidden" name="token" value="[% issue_hash_token(['create-series']) FILTER html %]"> -<script> +<script [% script_nonce FILTER none %]> document.chartform.category[0].selected = true; catSelected(); checkNewState(); diff --git a/template/en/default/search/search-instant.html.tmpl b/template/en/default/search/search-instant.html.tmpl index 01af804fc..d0cf078e7 100644 --- a/template/en/default/search/search-instant.html.tmpl +++ b/template/en/default/search/search-instant.html.tmpl @@ -19,7 +19,7 @@ [% default.product = [ 'Firefox' ] %] [% END %] -<script> +<script [% script_nonce FILTER none %]> YAHOO.bugzilla.instantSearch.setLabels( { id: "[% field_descs.bug_id FILTER js %]", summary: "[% field_descs.short_desc FILTER js %]", diff --git a/template/en/default/search/search-report-graph.html.tmpl b/template/en/default/search/search-report-graph.html.tmpl index df9c9e8ad..57ca8a8e9 100644 --- a/template/en/default/search/search-report-graph.html.tmpl +++ b/template/en/default/search/search-report-graph.html.tmpl @@ -46,7 +46,7 @@ var queryform = "reportform" [% terms.bugs %] using the rest of the form. </p> -<script><!-- +<script [% script_nonce FILTER none %]><!-- [%# The Y-axis fields are not used for pie charts %] function chartTypeChanged() { // format[2] is the pie chart radio button |