Bug 1286290 - CSP compliant bug modal

8 files changed, 57 insertions, 40 deletions

diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 111aca0dd..b182ddef3 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -38,14 +38,15 @@
   [% END %]
   [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
   <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
-     onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
+     class='show_mini_login_form' data-qs-suffix="[% qs_suffix FILTER html %]">Log In</a>
 
   [% Hook.process('additional_methods') %]
   
   <form action="[% login_target FILTER html %]" method="POST" 
         class="mini_login bz_default_hidden"
         id="mini_login[% qs_suffix FILTER html %]"
-        onsubmit="return check_mini_login_fields( '[% qs_suffix FILTER html %]' );"
+        class="check_mini_login_fields"
+        data-qs-suffix="[% qs_suffix FILTER html %]"
   >
     
     <input id="Bugzilla_login[% qs_suffix FILTER html %]" 
@@ -77,13 +78,14 @@
     <input type="submit" name="GoAheadAndLogIn" value="Log in"
             id="log_in[% qs_suffix %]">
     <a href="#" id="hide_mini_login[% qs_suffix FILTER html %]" 
-       onclick="return hide_mini_login_form('[% qs_suffix %]')">[x]</a>
+       class="hide_mini_login_form" data-qs-suffix="[% qs_suffix FILTER html %]">[x]</a>
   </form>
 </li>
 <li id="forgot_container[% qs_suffix %]">
   <span class="separator">| </span>
   <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
-     onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
+     class='show_forgot_form'
+     data-qs-suffix="[% qs_suffix FILTER html %]">Forgot Password</a>
   <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
         class="mini_forgot bz_default_hidden">
     <label for="login[% qs_suffix FILTER html %]">Login:</label>
@@ -92,6 +94,6 @@
            type="submit">
     <input type="hidden" name="a" value="reqpw">
     <input type="hidden" id="token[% qs_suffix FILTER html %]" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
-    <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
+    <a href="#" class="hide_forgot_form" data-qs-suffix="[% qs_suffix FILTER html %]">[x]</a>
   </form>
 </li>
diff --git a/template/en/default/bug/process/bugmail.html.tmpl b/template/en/default/bug/process/bugmail.html.tmpl
index 0c4f2f27d..0e392c760 100644
--- a/template/en/default/bug/process/bugmail.html.tmpl
+++ b/template/en/default/bug/process/bugmail.html.tmpl
@@ -35,20 +35,25 @@
 %]
 [% recipient_count = sent_bugmail.sent.size %]
 
-<script>
-function toggleBugmailRecipients(bug_id, show) {
-  if (show) {
-    YAHOO.util.Dom.removeClass('bugmail_summary_' + bug_id, 'bz_default_hidden');
-    YAHOO.util.Dom.addClass('bugmail_summary_' + bug_id + '_short', 'bz_default_hidden');
-  } else {
-    YAHOO.util.Dom.addClass('bugmail_summary_' + bug_id, 'bz_default_hidden');
-    YAHOO.util.Dom.removeClass('bugmail_summary_' + bug_id + '_short', 'bz_default_hidden');
+<script [% script_nonce FILTER none %]>
+  function toggleBugmailRecipients(bug_id, show) {
+    if (show) {
+      $("#bugmail_summary_" + bug_id).show();
+      $("#bugmail_summary_" + bug_id + "_short").hide();
+    } else {
+      $("#bugmail_summary_" + bug_id).hide();
+      $("#bugmail_summary_" + bug_id + "_short").show();
+    }
+    $.cookie('show_bugmail_recipients', (show ? 1 : 0), {
+        expires: new Date("January 12, 2025")
+    });
   }
-  YAHOO.util.Cookie.set('show_bugmail_recipients', (show ? 1 : 0), {
-    expires: new Date("January 12, 2025")
-  });
-  return false;
-}
+  $(function() {
+    $(".toggleBugmailRecipients").on("click", function (event) {
+      event.preventDefault();
+      toggleBugmailRecipients($(this).data('mailing-bugid'), $(this).data('mailing-show'));
+     });
+   });
 </script>
 
 <dl id="bugmail_summary_[% mailing_bugid FILTER none %]"
@@ -63,7 +68,8 @@ function toggleBugmailRecipients(bug_id, show) {
     [% ELSE %]
       no one
     [% END %]
-    (<a href="#" onclick="return toggleBugmailRecipients([% mailing_bugid FILTER none %], false)">hide</a>)
+    (<a href="#" class="toggleBugmailRecipients" data-mailing-bugid="[% mailing_bugid FILTER html %]"
+        data-mailing-show="false">hide</a>)
   [% ELSE %]
     (list of e-mails not available)
   [% END %]
@@ -74,7 +80,8 @@ function toggleBugmailRecipients(bug_id, show) {
      class="[% show_recipients ? "bz_default_hidden" : "" %]">
   [% IF recipient_count > 0 %]
     Email sent to [% recipient_count FILTER html %] recipient[% 's' UNLESS recipient_count == 1 %].
-    (<a href="#" onclick="return toggleBugmailRecipients([% mailing_bugid FILTER none %], true)">show</a>)
+    (<a href="#" class="toggleBugmailRecipients" data-mailing-bugid="[% mailing_bugid FILTER html %]"
+                                                 data-mailing-show="true">show</a>)
   [% ELSE %]
     No emails were sent.
   [% END %]
diff --git a/template/en/default/global/common-links.html.tmpl b/template/en/default/global/common-links.html.tmpl
index 50cfa020c..76b0855d8 100644
--- a/template/en/default/global/common-links.html.tmpl
+++ b/template/en/default/global/common-links.html.tmpl
@@ -31,9 +31,7 @@
   <li class="form quicksearch_form">
     <span class="separator">| </span>
     <form action="buglist.cgi" method="get"
-        onsubmit="if (this.quicksearch.value == '')
-                  { alert('Please enter one or more search terms first.');
-                    return false; } return true;">
+      class='quicksearch_check_empty'>
     <input class="txt" type="text" id="quicksearch[% qs_suffix FILTER html %]" name="quicksearch" 
            title="Quick Search" value="[% quicksearch FILTER html %]">
     <input class="btn" type="submit" value="Search" 
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 1ef96a553..2e08a461d 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -181,15 +181,17 @@
       [% PROCESS format_js_link %]
     [% END %]
 
-    <script type="text/javascript">
+    <script [% script_nonce FILTER none %] type="text/javascript">
     <!--
         [% IF NOT no_yui %]
           YAHOO.namespace('bugzilla');
+          [% IF 0 %]
           YAHOO.util.Event.addListener = function (el, sType, fn, obj, overrideContext) {
               if ( ("onpagehide" in window || YAHOO.env.ua.gecko) && sType === "unload") { sType = "pagehide"; };
               var capture = ((sType == "focusin" || sType == "focusout") && !YAHOO.env.ua.ie) ? true : false;
               return this._addListener(el, this._getType(sType), fn, obj, overrideContext, capture);
           };
+          [% END %]
           if ( "onpagehide" in window || YAHOO.env.ua.gecko) {
               YAHOO.util.Event._simpleRemove(window, "unload",
                                              YAHOO.util.Event._unload);
@@ -277,8 +279,12 @@
 [%# Migration note: contents of the old Param 'bodyhtml' go in the body tag,
   # but set the onload attribute in the DEFAULT directive above.
   #%]
-
-  <body onload="[% onload %]"
+  [% IF onload %]
+  <script [% script_nonce FILTER none %]>
+  $(function() { [% onload %] });
+  </script>
+  [% END %]
+  <body
         class="[% urlbase.replace('^https?://','').replace('/$','').replace('[-~@:/.]+','-') FILTER css_class_quote %]
                skin-[% user.settings.skin.value FILTER css_class_quote %]
                [% FOREACH class = bodyclasses %]
@@ -445,5 +451,5 @@
 [% END %]
 
 [% BLOCK format_js_link %]
-  <script type="text/javascript" src="[% asset_url FILTER mtime FILTER html %]"></script>
+  <script [% script_nonce FILTER none %] type="text/javascript" src="[% asset_url FILTER mtime FILTER html %]"></script>
 [% END %]
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 90418981f..71723c178 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -15,7 +15,7 @@
 
 [% IF user.id && user.settings.per_bug_queries.value == "on" %]
   <li id="links-special">
-    <script type="text/javascript">
+    <script [% script_nonce FILTER none %] type="text/javascript">
       <!--
       function update_text() {
         // 'lob' means list_of_bugs.
@@ -48,6 +48,10 @@
           old_lists.disabled = false;
         }
       }
+      $(function() {
+        $("#lob_action").on("change", update_text);
+        $("#lob_newqueryname").on("keyup", manage_old_lists);
+      });
       //-->
     </script>
 
@@ -58,7 +62,7 @@
         <input type="hidden" name="remtype" value="asnamed">
         <input type="hidden" name="list_of_bugs" value="1">
         <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
-        <select id="lob_action" name="action" onchange="update_text();">
+        <select id="lob_action" name="action" >
           <option value="add">Add</option>
           [% IF user.tags.size %]
             <option value="remove">Remove</option>
@@ -81,8 +85,7 @@
         <span id="lob_new_query_text">
           [% " or create and add the tag" IF user.tags.size %]
           <input class="txt" type="text" id="lob_newqueryname"
-                 size="20" maxlength="64" name="newqueryname"
-                 onkeyup="manage_old_lists();">
+                 size="20" maxlength="64" name="newqueryname">
         </span>
         <span id="lob_direction">to</span>
         [%+ terms.bugs %]
diff --git a/template/en/default/global/userselect.html.tmpl b/template/en/default/global/userselect.html.tmpl
index f7dc03d89..5577448fb 100644
--- a/template/en/default/global/userselect.html.tmpl
+++ b/template/en/default/global/userselect.html.tmpl
@@ -11,7 +11,6 @@
   # id: optional; field id
   # value: optional; default field value/selection
   # classes: optional; an array of classes to be added
-  # onchange: optional; onchange attribute value
   # disabled: optional; if true, the field is disabled
   # accesskey: optional, input only; accesskey attribute value
   # size: optional, input only; size attribute value
@@ -24,11 +23,12 @@
   # mandatory: optional; if true, the field cannot be empty.
   #%]
 
+[% THROW "onchange is not allowed" IF onchange %]
+
 [% IF Param("usemenuforusers") %]
 <select name="[% name FILTER html %]"
   [% IF id %] id="[% id FILTER html %]" [% END %]
   [% IF classes %] class="[% classes.join(' ') FILTER html %]" [% END %]
-  [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
   [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
   [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
   [% IF multiple %] multiple="multiple" size="[% multiple FILTER html %]" [% END %]
@@ -86,7 +86,6 @@
     name="[% name FILTER html %]"
     value="[% value FILTER html %]"
     [% IF classes %] class="[% classes.join(' ') FILTER html %]" [% END %]
-    [% IF onchange %] onchange="[% onchange FILTER html %]" [% END %]
     [% IF disabled %] disabled="[% disabled FILTER html %]" [% END %]
     [% IF accesskey %] accesskey="[% accesskey FILTER html %]" [% END %]
     [% IF field_title %] title="[% field_title FILTER html %]" [% END %]
diff --git a/template/en/default/index.html.tmpl b/template/en/default/index.html.tmpl
index f99287d49..a3fa0a906 100644
--- a/template/en/default/index.html.tmpl
+++ b/template/en/default/index.html.tmpl
@@ -32,7 +32,7 @@
    style_urls = [ 'skins/standard/index.css' ]
 %]
 
-<script type="text/javascript">
+<script [% script_nonce FILTER none %] type="text/javascript">
 function checkQuicksearch( form ) {
   if (form.quicksearch.value == '') {
     alert('Please enter one or more search terms first.');
@@ -40,6 +40,11 @@ function checkQuicksearch( form ) {
   }
   return true;
 }
+$(function () {
+    $("#quicksearchForm").on("submit", function (event) {
+        return checkQuicksearch(this);
+    });
+});
 </script>
 
 <div id="page-index">
@@ -63,8 +68,7 @@ function checkQuicksearch( form ) {
              href="?GoAheadAndLogIn=1"><span>Log In</span></a>
            [% END %]
 
-        <form id="quicksearchForm" name="quicksearchForm" action="buglist.cgi"
-              onsubmit="return checkQuicksearch(this);">
+        <form id="quicksearchForm" name="quicksearchForm" action="buglist.cgi">
           <div>
             <input id="quicksearch_main" type="text" name="quicksearch"
               placeholder="Enter [% terms.abug %] number or some search terms"
diff --git a/template/en/default/pages/quicksearch.html.tmpl b/template/en/default/pages/quicksearch.html.tmpl
index 18bf4dfb1..a3359752f 100644
--- a/template/en/default/pages/quicksearch.html.tmpl
+++ b/template/en/default/pages/quicksearch.html.tmpl
@@ -31,9 +31,7 @@
 <p>Type in one or more words (or pieces of words) to search for:</p>
 
 <form name="f" action="buglist.cgi" method="get"
-      onsubmit="if (this.quicksearch.value == '')
-                { alert('Please enter one or more search terms first.');
-                  return false; } return true;">
+      class='quicksearch_check_empty'>
   <input type="text" size="40" name="quicksearch">
   <input type="submit" value="Search" id="find">
 </form>