Bug 1286290 - CSP compliant bug modal

11 files changed, 35 insertions, 19 deletions

diff --git a/extensions/BMO/template/en/default/hook/bug_modal/edit-top_actions.html.tmpl b/extensions/BMO/template/en/default/hook/bug_modal/edit-top_actions.html.tmpl
index 03c7d2e49..a21e8a441 100644
--- a/extensions/BMO/template/en/default/hook/bug_modal/edit-top_actions.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug_modal/edit-top_actions.html.tmpl
@@ -16,7 +16,7 @@
     END;
   END;
 %]
-<button type="button" class="minor"
-  onclick="document.location='page.cgi?id=attachment_bounty_form.html&amp;bug_id=[% bug.id FILTER none %]'">
+<button type="button" class="minor button-link"
+  data-href="page.cgi?id=attachment_bounty_form.html&amp;bug_id=[% bug.id FILTER none %]">
   [% has_bounty_attachment ? "Edit" : "Add" %] Bounty Tracking Attachment
 </button>
diff --git a/extensions/BMO/web/js/edituser_menu.js b/extensions/BMO/web/js/edituser_menu.js
index 707e35b6e..7008a2b84 100644
--- a/extensions/BMO/web/js/edituser_menu.js
+++ b/extensions/BMO/web/js/edituser_menu.js
@@ -45,3 +45,9 @@ function show_usermenu(id, email, show_edit) {
     });
 }
 
+$(function() {
+  $('.show_usermenu').on("click", function (event) {
+    var $this = $(this);
+    return show_usermenu($this.data('user-id'), $this.data('user-email'), $this.data('show-edit'));
+  });
+});
diff --git a/extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl
index fe0a7d4fe..acdd55ee2 100644
--- a/extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/edit.html.tmpl
@@ -1194,7 +1194,7 @@
 
 [%# === initialise module visibility === %]
 
-<script>
+<script [% script_nonce FILTER none %]>
   init_module_visibility();
 </script>
 
diff --git a/extensions/BugModal/template/en/default/bug_modal/user.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/user.html.tmpl
index 4c28936cc..5c630ba07 100644
--- a/extensions/BugModal/template/en/default/bug_modal/user.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/user.html.tmpl
@@ -41,11 +41,12 @@ END;
           width="[% gravatar_size FILTER none %]" height="[% gravatar_size FILTER none %]">
       [% END %]
       [% UNLESS gravatar_only %]
-        <a class="email [%= "disabled" UNLESS u.is_enabled %]"
+        <a class="email [%= "disabled" UNLESS u.is_enabled %] [%= "show_usermenu" IF user.id %]"
           [% IF user.id %]
             href="mailto:[% u.email FILTER html %]"
-            onclick="return show_usermenu([% u.id FILTER none %], '[% u.email FILTER js %]',
-              [% user.in_group('editusers') || user.bless_groups.size > 0 ? "true" : "false" %])"
+            data-user-id="[% u.id FILTER html %]"
+            data-user-email="[% u.email FILTER html %]"
+            data-show-edit="[% user.in_group('editusers') || user.bless_groups.size > 9 ? 'true' : 'false' %]"
             title="[% u.identity FILTER html %]"
           [% ELSE %]
             href="user_profile?user_id=[% u.id FILTER none %]"
diff --git a/extensions/BugModal/web/bug_modal.js b/extensions/BugModal/web/bug_modal.js
index d77821929..01be1fd2c 100644
--- a/extensions/BugModal/web/bug_modal.js
+++ b/extensions/BugModal/web/bug_modal.js
@@ -1483,6 +1483,13 @@ function lb_close(event) {
     $('#lb_overlay, #lb_overlay2, #lb_close_btn, #lb_img, #lb_text').remove();
 }
 
+$(function() {
+    $("button.button-link").on("click", function (event) {
+        event.preventDefault();
+        window.location = $(this).data("href");
+    });
+});
+
 // extensions
 
 (function($) {
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
index adcd9e067..801d3d5fa 100644
--- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
@@ -8,7 +8,7 @@
 [% USE Bugzilla %]
 
 [% IF Param('user_info_class').split(',').contains('GitHubAuth') %]
-  <script type="text/javascript">
+  <script [% script_nonce FILTER none %] type="text/javascript">
    YAHOO.util.Event.addListener('login_link[% qs_suffix FILTER js %]','click', function () {
      var login_link = YAHOO.util.Dom.get('github_mini_login[% qs_suffix FILTER js %]');
      YAHOO.util.Dom.removeClass(login_link, 'bz_default_hidden');
diff --git a/extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl b/extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
index 4d2a39f38..915379316 100644
--- a/extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
+++ b/extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
@@ -39,7 +39,7 @@
   RETURN UNLESS needinfo_flagtype;
 %]
 
-<script>
+<script [% script_nonce FILTER none%]>
 [% IF needinfo_flags.size > 0 %]
 $(function() {
   [%# Displays NEEDINFO tag in bug header %]
@@ -139,12 +139,11 @@ $(function() {
     $('#needinfo').change();
   }
 
-  function needinfo_from_changed() {
-    $('#needinfo').prop('checked', $('#needinfo_from').val() !== '');
-  }
-
   $(function() {
     needinfo_init();
+    $(".needinfo_from_changed").on("change", function (event) {
+        $("#needinfo").prop("checked", $("#needinfo_from").val() !== '');
+    });
   });
 [% END %]
 </script>
@@ -227,7 +226,7 @@ $(function() {
               value       => ""
               size        => 30
               multiple    => 5
-              onchange    => "needinfo_from_changed()"
+              classes     => ["needinfo_from_changed"]
               field_title => "Enter one or more comma separated users to request more information from"
           %]
         </span>
diff --git a/extensions/Persona/template/en/default/hook/account/auth/login-additional_methods.html.tmpl b/extensions/Persona/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
index c964f9fed..1743db9a6 100644
--- a/extensions/Persona/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
+++ b/extensions/Persona/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
@@ -1,7 +1,7 @@
 [% IF Param('user_info_class').split(',').contains('Persona')
       && Param('persona_includejs_url') %]
 <p>
-  <img src="extensions/Persona/web/images/persona_sign_in.png" width="185" height="25" onclick="persona_sign_in()">
+  <img src="extensions/Persona/web/images/persona_sign_in.png" width="185" height="25" class="persona_sign_in">
 </p>
 <p>
   <strong>Note:</strong> Persona authentication will be removed on October 25th, 2016 (<a href="page.cgi?id=persona_deprecated.html">more info</a>).
diff --git a/extensions/Persona/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl b/extensions/Persona/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
index 5d8503d73..17a86a71d 100644
--- a/extensions/Persona/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
+++ b/extensions/Persona/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
@@ -1,6 +1,6 @@
 [% IF Param('user_info_class').split(',').contains('Persona')
       && Param('persona_includejs_url') %]
-<script type="text/javascript">
+<script [% script_nonce FILTER none %] type="text/javascript">
   YAHOO.util.Event.addListener('login_link[% qs_suffix FILTER js %]','click', function () {
       var login_link = YAHOO.util.Dom.get('persona_mini_login[% qs_suffix FILTER js %]');
       YAHOO.util.Dom.removeClass(login_link, 'bz_default_hidden');
@@ -12,6 +12,6 @@
 </script>
 <span id="persona_mini_login[% qs_suffix FILTER html %]" class="bz_default_hidden">
   <img src="extensions/Persona/web/images/sign_in.png" height="22" width="75" align="absmiddle"
-       title="Sign in with Persona" onclick="persona_sign_in()"> or
+       title="Sign in with Persona" class='persona_sign_in'> or
 </span>
 [% END %]
diff --git a/extensions/Persona/template/en/default/hook/account/create-additional_methods.html.tmpl b/extensions/Persona/template/en/default/hook/account/create-additional_methods.html.tmpl
index 355ce3629..b6fb1eedc 100644
--- a/extensions/Persona/template/en/default/hook/account/create-additional_methods.html.tmpl
+++ b/extensions/Persona/template/en/default/hook/account/create-additional_methods.html.tmpl
@@ -9,5 +9,5 @@
 [% RETURN UNLESS Param('user_info_class').split(',').contains('Persona') %]
 
 Or, use your Persona account:
-<img src="extensions/Persona/web/images/sign_in.png" onclick="persona_sign_in()"
+<img src="extensions/Persona/web/images/sign_in.png" class="persona_sign_in"
      width="95" height="25" align="absmiddle">
diff --git a/extensions/Persona/template/en/default/hook/global/header-additional_header.html.tmpl b/extensions/Persona/template/en/default/hook/global/header-additional_header.html.tmpl
index 5b2fa043b..12282df16 100644
--- a/extensions/Persona/template/en/default/hook/global/header-additional_header.html.tmpl
+++ b/extensions/Persona/template/en/default/hook/global/header-additional_header.html.tmpl
@@ -17,8 +17,8 @@
 [% USE Bugzilla %]
 [% cgi = Bugzilla.cgi %]
 
-<script defer src="[% Param('persona_includejs_url') %]" type="text/javascript"></script>
-<script type="text/javascript">
+<script [% script_nonce FILTER none %] defer src="[% Param('persona_includejs_url') %]" type="text/javascript"></script>
+<script [% script_nonce FILTER none %] type="text/javascript">
 
 function createHidden(name, value, form) {
   var field = document.createElement('input');
@@ -84,4 +84,7 @@ function persona_sign_in() {
   persona_ignore_login = false;
   navigator.id.request({ siteName: '[% terms.BugzillaTitle FILTER js %]' });
 }
+$(function() {
+    $('.persona_sign_in').on("click", persona_sign_in);
+});
 </script>