Bug 1286290 - CSP compliant bug modal

author: Dylan William Hardison <dylan@hardison.net> 2017-01-25 21:04:07 +0100
committer: Dylan William Hardison <dylan@hardison.net> 2017-01-25 21:04:21 +0100
commit: 6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5 (patch)
tree: 28aea39d85e63a901744c6319f6dc06884040daf /template/en/default/global
parent: ec963661fb29c191fec645a956cbddc670cfa3da (diff)
download: bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.gz
bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.xz
4 files changed, 20 insertions, 14 deletions
diff --git a/template/en/default/global/common-links.html.tmpl b/template/en/default/global/common-links.html.tmpl
index 50cfa020c..76b0855d8 100644
--- a/template/en/default/global/common-links.html.tmpl
+++ b/template/en/default/global/common-links.html.tmpl
@@ -31,9 +31,7 @@
   <li class="form quicksearch_form">
     <span class="separator">| </span>
     <form action="buglist.cgi" method="get"
-        onsubmit="if (this.quicksearch.value == '')
-                  { alert('Please enter one or more search terms first.');
-                    return false; } return true;">
+      class='quicksearch_check_empty'>
     <input class="txt" type="text" id="quicksearch[% qs_suffix FILTER html %]" name="quicksearch" 
            title="Quick Search" value="[% quicksearch FILTER html %]">
     <input class="btn" type="submit" value="Search" 
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 1ef96a553..2e08a461d 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -181,15 +181,17 @@
       [% PROCESS format_js_link %]
     [% END %]
 
-    <script type="text/javascript">
+    <script [% script_nonce FILTER none %] type="text/javascript">
     <!--
         [% IF NOT no_yui %]
           YAHOO.namespace('bugzilla');
+          [% IF 0 %]
           YAHOO.util.Event.addListener = function (el, sType, fn, obj, overrideContext) {
               if ( ("onpagehide" in window || YAHOO.env.ua.gecko) && sType === "unload") { sType = "pagehide"; };
               var capture = ((sType == "focusin" || sType == "focusout") && !YAHOO.env.ua.ie) ? true : false;
               return this._addListener(el, this._getType(sType), fn, obj, overrideContext, capture);
           };
+          [% END %]
           if ( "onpagehide" in window || YAHOO.env.ua.gecko) {
               YAHOO.util.Event._simpleRemove(window, "unload",
                                              YAHOO.util.Event._unload);
@@ -277,8 +279,12 @@
 [%# Migration note: contents of the old Param 'bodyhtml' go in the body tag,
   # but set the onload attribute in the DEFAULT directive above.
   #%]
-
-  <body onload="[% onload %]"
+  [% IF onload %]
+  <script [% script_nonce FILTER none %]>
+  $(function() { [% onload %] });
+  </script>
+  [% END %]
+  <body
         class="[% urlbase.replace('^https?://','').replace('/$','').replace('[-~@:/.]+','-') FILTER css_class_quote %]
                skin-[% user.settings.skin.value FILTER css_class_quote %]
                [% FOREACH class = bodyclasses %]
@@ -445,5 +451,5 @@
 [% END %]
 
 [% BLOCK format_js_link %]
-  <script type="text/javascript" src="[% asset_url FILTER mtime FILTER html %]"></script>
+  <script [% script_nonce FILTER none %] type="text/javascript" src="[% asset_url FILTER mtime FILTER html %]"></script>
 [% END %]
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 90418981f..71723c178 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -15,7 +15,7 @@
 
 [% IF user.id && user.settings.per_bug_queries.value == "on" %]
   <li id="links-special">
-    <script type="text/javascript">
+    <script [% script_nonce FILTER none %] type="text/javascript">
       <!--
       function update_text() {
         // 'lob' means list_of_bugs.
@@ -48,6 +48,10 @@
           old_lists.disabled = false;
         }
       }
+      $(function() {
+        $("#lob_action").on("change", update_text);
+        $("#lob_newqueryname").on("keyup", manage_old_lists);
+      });
       //-->
     </script>
 
@@ -58,7 +62,7 @@
         <input type="hidden" name="remtype" value="asnamed">
         <input type="hidden" name="list_of_bugs" value="1">
         <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
-        <select id="lob_action" name="action" onchange="update_text();">
+        <select id="lob_action" name="action" >
           <option value="add">Add</option>
           [% IF user.tags.size %]
             <option value="remove">Remove</option>
@@ -81,8 +85,7 @@
         <span id="lob_new_query_text">
           [% " or create and add the tag" IF user.tags.size %]
           <input class="txt" type="text" id="lob_newqueryname"
-                 size="20" maxlength="64" name="newqueryname"
-                 onkeyup="manage_old_lists();">
+                 size="20" maxlength="64" name="newqueryname">
         </span>
         <span id="lob_direction">to</span>
         [%+ terms.bugs %]
diff --git a/template/en/default/global/userselect.html.tmpl b/template/en/default/global/userselect.html.tmpl
index f7dc03d89..5577448fb 100644
--- a/template/en/default/global/userselect.html.tmpl
+++ b/template/en/default/global/userselect.html.tmpl
@@ -11,7 +11,6 @@
   # id: optional; field id
   # value: optional; default field value/selection
   # classes: optional; an array of classes to be added
-  # onchange: optional; onchange attribute value
   # disabled: optional; if true, the field is disabled
   # accesskey: optional, input only; accesskey attribute value
   # size: optional, input only; size attribute value
@@ -24,11 +23,12 @@
   # mandatory: optional; if true, the field cannot be empty.
   #%]
 
+[% THROW "onchange is not allowed" IF onchange %]
+
 [% IF Param("usemenuforusers") %]
 <select name="[% name FILTER html %]"
   [% IF id %] id="[% id FILTER html %]" [% END %]
   [% IF classes %] class="[% classes.join(' ') FILTER html %]" [% END %]
-  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
   [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
   [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
   [% IF multiple %] multiple="multiple" size="[% multiple FILTER html %]" [% END %]
@@ -86,7 +86,6 @@
     name="[% name FILTER html %]"
     value="[% value FILTER html %]"
     [% IF classes %] class="[% classes.join(' ') FILTER html %]" [% END %]
-    [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
     [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
     [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
     [% IF field_title %] title="[% field_title FILTER html %]" [% END %]
author	Dylan William Hardison <dylan@hardison.net>	2017-01-25 21:04:07 +0100
committer	Dylan William Hardison <dylan@hardison.net>	2017-01-25 21:04:21 +0100
commit	6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5 (patch)
tree	28aea39d85e63a901744c6319f6dc06884040daf /template/en/default/global
parent	ec963661fb29c191fec645a956cbddc670cfa3da (diff)
download	bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.gz bugzilla-6a727b70a9f7d3deb690dffd818d7bb5e9eb7bf5.tar.xz