[waiting for django5.1] Content Security Policy #2099

Closed
wants to merge 13 commits into from
Closed
9 changes: 5 additions & 4 deletions evap/contributor/templates/contributor_evaluation_form.html
Expand Up @@ -91,8 +91,8 @@ <h5 class="card-title me-auto">{% trans 'Evaluation data' %}</h5>
<button name="operation" value="preview" type="submit" class="btn btn-light">{% trans 'Preview' %}</button>
<button name="operation" value="save" type="submit" class="btn btn-primary">{% trans 'Save' %}</button>
{# webtest does not allow submission with value "approve" if no such button exists #}
<button style="display: none" name="operation" value="approve" type="submit"></button>
<button type="button" onclick="approveEvaluationModalShow(0, '');" class="btn btn-success">{% trans 'Save and approve' %}</button>
<button class="d-none" name="operation" value="approve" type="submit"></button>
<button type="button" id="approve-button" class="btn btn-success">{% trans 'Save and approve' %}</button>
{% endif %}
<a href="{% url 'contributor:index' %}" class="btn btn-light">{% if edit %}{% trans 'Cancel' %}{% else %}{% trans 'Back' %}{% endif %}</a>
</div>
Expand Down Expand Up @@ -125,7 +125,7 @@ <h5 class="modal-title" id="previewModalLabel">{% trans 'Preview' %}</h5>
{% blocktrans asvar question%}Do you want to approve this evaluation? This will allow the evaluation team to proceed with the preparation, but you won't be able to make any further changes.{% endblocktrans %}
{% trans 'Approve evaluation' as action_text %}
{% include 'confirmation_modal.html' with modal_id='approveEvaluationModal' title=title question=question action_text=action_text btn_type='primary' %}
<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
function approveEvaluationModalAction(dataId) {
const input = document.createElement("input");
input.type = "hidden";
Expand All @@ -136,6 +136,7 @@ <h5 class="modal-title" id="previewModalLabel">{% trans 'Preview' %}</h5>
form.appendChild(input);
form.requestSubmit();
};
document.getElementById("approve-button").addEventListener("click", () => approveEvaluationModalShow(0, ''));
</script>

{% blocktrans asvar title with evaluation_name=evaluation.full_name %}Request account creation for {{ evaluation_name }}{% endblocktrans %}
Expand All @@ -151,7 +152,7 @@ <h5 class="modal-title" id="previewModalLabel">{% trans 'Preview' %}</h5>
{% include 'evap_evaluation_edit_js.html' %}

{% if preview_html %}
<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
var previewModal = new bootstrap.Modal(document.getElementById('previewModal'));
previewModal.show();
</script>
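Review bot: The new `document.getElementById("approve-button").addEventListener(...)` line assumes the button is always present, yet the button sits just before an `{% endif %}` whose opening condition is outside the hunk, while the script appears to be rendered outside that condition. If the page renders without the button, `getElementById` returns `null` and the call throws a TypeError. Guard it, e.g. `document.getElementById("approve-button")?.addEventListener("click", () => approveEvaluationModalShow(0, ''));`, or move the binding inside the same condition as the button.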
26 changes: 17 additions & 9 deletions evap/contributor/templates/contributor_index.html
Expand Up @@ -46,11 +46,11 @@
<table class="table table-seamless-links table-vertically-aligned">
<thead>
<tr>
<th style="width: 35%">{% trans 'Name' %}</th>
<th style="width: 15%">{% trans 'State' %}</th>
<th style="width: 17%">{% trans 'Evaluation period' %}</th>
<th style="width: 15%">{% trans 'Participants' %}</th>
<th style="width: 18%"></th>
<th class="width-percent-35">{% trans 'Name' %}</th>
<th class="width-percent-15">{% trans 'State' %}</th>
<th class="width-percent-17">{% trans 'Evaluation period' %}</th>
<th class="width-percent-15">{% trans 'Participants' %}</th>
<th class="width-percent-18"></th>
</tr>
</thead>
<tbody>
Expand Down Expand Up @@ -157,9 +157,13 @@
<span class="fas fa-pencil"></span>
</a>
{% if not evaluation|has_nonresponsible_editor %}
<a href="#" class="btn btn-sm btn-dark" data-bs-toggle="tooltip"
data-bs-placement="top" title="{% trans 'Delegate preparation' %}"
onclick="delegateSelectionModalShow(`{{ evaluation.full_name }}`, `{% url 'contributor:evaluation_direct_delegation' evaluation.id %}`);return false;"
<a href="#"
class="btn btn-sm btn-dark delegate-button"
data-bs-toggle="tooltip"
data-bs-placement="top"
title="{% trans 'Delegate preparation' %}"
data-evaluation-name="{{ evaluation.full_name }}"
data-delegation-url="{% url 'contributor:evaluation_direct_delegation' evaluation.id %}"
>
<span class="fas fa-hand-point-left"></span>
</a>
Expand Down Expand Up @@ -226,7 +230,7 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{% trans 'Delegate preparation'
</div>
</div>

<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
function {{ modal_id }}Show(evaluationName, action) {
const modal = document.getElementById("{{ modal_id }}");
// set form's action location
Expand All @@ -242,6 +246,10 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{% trans 'Delegate preparation'
var {{ modal_id }} = new bootstrap.Modal(document.getElementById('{{ modal_id }}'));
{{ modal_id }}.show();
}

for (const button of document.querySelectorAll(".delegate-button")) {
button.addEventListener("click", () => delegateSelectionModalShow(button.dataset.evaluationName, button.dataset.delegationUrl));
}
</script>
{% endwith %}
{% endblock %}
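Review bot: The click listener added for `.delegate-button` drops the `return false;` that the removed `onclick` carried, so the default action of `href="#"` now runs as well and the page jumps to the top (with `#` appended to the URL) when the modal opens. Take the event and cancel it: `button.addEventListener("click", (event) => { event.preventDefault(); delegateSelectionModalShow(button.dataset.evaluationName, button.dataset.delegationUrl); });`. Since there is no navigation target, a `<button type="button">` would express this control better than an anchor. The listener also hard-codes `delegateSelectionModalShow` while the function above it is declared as `{{ modal_id }}Show`, so the two only line up while `modal_id` stays `delegateSelectionModal`; the `{% with %}` that sets it is outside the hunk.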
20 changes: 10 additions & 10 deletions evap/development/templates/development_components.html
Expand Up @@ -398,11 +398,11 @@ <h6>Special rows</h6>
{% spaceless %}
<div class="distribution-bar-container">
<div class="distribution-bar">
<div class="vote-bg-green" style="width: 52%;">&nbsp;</div>
<div class="vote-bg-lime" style="width: 26%;">&nbsp;</div>
<div class="vote-bg-yellow" style="width: 13%;">&nbsp;</div>
<div class="vote-bg-orange" style="width: 6%;">&nbsp;</div>
<div class="vote-bg-red" style="width: 3%;">&nbsp;</div>
<div class="vote-bg-green width-percent-52">&nbsp;</div>
<div class="vote-bg-lime width-percent-26">&nbsp;</div>
<div class="vote-bg-yellow width-percent-13">&nbsp;</div>
<div class="vote-bg-orange width-percent-6">&nbsp;</div>
<div class="vote-bg-red width-percent-3">&nbsp;</div>
</div>
</div>
{% endspaceless %}
Expand Down Expand Up @@ -449,11 +449,11 @@ <h6>Special rows</h6>
{% spaceless %}
<div class="distribution-bar-container">
<div class="distribution-bar">
<div class="vote-bg-green" style="width: 52%;">&nbsp;</div>
<div class="vote-bg-lime" style="width: 26%;">&nbsp;</div>
<div class="vote-bg-yellow" style="width: 13%;">&nbsp;</div>
<div class="vote-bg-orange" style="width: 6%;">&nbsp;</div>
<div class="vote-bg-red" style="width: 3%;">&nbsp;</div>
<div class="vote-bg-green width-percent-52">&nbsp;</div>
<div class="vote-bg-lime width-percent-26">&nbsp;</div>
<div class="vote-bg-yellow width-percent-13">&nbsp;</div>
<div class="vote-bg-orange width-percent-6">&nbsp;</div>
<div class="vote-bg-red width-percent-3">&nbsp;</div>
</div>
</div>
{% endspaceless %}
38 changes: 19 additions & 19 deletions evap/evaluation/templates/base.html
Expand Up @@ -26,15 +26,7 @@
{% endblock %}
</head>
<body>
<script type="text/javascript" src="{% static 'bootstrap/dist/js/bootstrap.bundle.min.js' %}"></script>

{% block modals %}
{% if user.is_authenticated %}
{% trans 'Feedback' as title %}
{% trans 'You are welcome to submit feedback regarding the evaluation platform or specific evaluations. Please let us know how we can improve your experience on EvaP.' as teaser %}
{% include 'contact_modal.html' with modal_id='feedbackModal' user=request.user title=title teaser=teaser %}
{% endif %}
{% endblock %}
<script type="text/javascript" src="{% static 'bootstrap/dist/js/bootstrap.bundle.min.js' %}" nonce="{{ CSP_NONCE }}"></script>

<div class="sticky-top d-print-none z-over-fixed">
{% include_navbar user LANGUAGE_CODE %}
Expand Down Expand Up @@ -71,18 +63,26 @@

{% include 'footer.html' %}

<script src="{% url 'javascript-catalog' %}"></script>
{% block modals %}
{% if user.is_authenticated %}
{% trans 'Feedback' as title %}
{% trans 'You are welcome to submit feedback regarding the evaluation platform or specific evaluations. Please let us know how we can improve your experience on EvaP.' as teaser %}
{% include 'contact_modal.html' with modal_id='feedbackModal' user=request.user title=title teaser=teaser %}
{% endif %}
{% endblock %}

<script src="{% url 'javascript-catalog' %}" nonce="{{ CSP_NONCE }}"></script>

<script type="text/javascript" src="{% static 'js/jquery-2.1.3.min.js' %}"></script>
<script type="text/javascript" src="{% static 'js/tom-select.complete.min.js' %}"></script>
<script type="text/javascript" src="{% static 'js/plugins/jquery.formset.js' %}"></script>
<script type="text/javascript" src="{% static 'js/Sortable.min.js' %}"></script>
<script type="text/javascript" src="{% static 'js/jquery-2.1.3.min.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" src="{% static 'js/tom-select.complete.min.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" src="{% static 'js/plugins/jquery.formset.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" src="{% static 'js/Sortable.min.js' %}" nonce="{{ CSP_NONCE }}"></script>

<script type="module" src="{% static 'js/csrf-utils.js' %}"></script>
<script type="module" src="{% static 'js/utils.js' %}"></script>
<script type="module" src="{% static 'js/csrf-utils.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="module" src="{% static 'js/utils.js' %}" nonce="{{ CSP_NONCE }}"></script>

<script type="module" src="{% static 'js/base-template.js' %}"></script>
<script type="text/javascript">
<script type="module" src="{% static 'js/base-template.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
activateTooltips = function(selector = "") {
var tooltipTriggerList = [].slice.call(document.querySelectorAll(selector + ' [data-bs-toggle="tooltip"]'))
var tooltipList = tooltipTriggerList.map(function (tooltipTriggerEl) {
Expand Down Expand Up @@ -207,7 +207,7 @@
};

</script>
<script type="module">
<script type="module" nonce="{{ CSP_NONCE }}">
import { NotebookLogic } from "{% static 'js/notebook.js' %}"

new NotebookLogic("#notebook").attach();
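Review bot: Nothing in this section shows where `CSP_NONCE` comes from, and Django renders an undefined template variable as an empty string, so a page rendered without that context variable would emit `nonce=""` on every script tag here and all of them would be blocked once the policy is enforced. That fails closed, which is the safe direction, but it is hard to diagnose from the template alone. I would add a template comment next to the first script tag, `{# CSP_NONCE must be in the template context (set per request); an empty nonce blocks every script below #}`. It is also worth confirming that responses carrying a nonce are never served from a shared cache, since a reused nonce no longer distinguishes the server's scripts from injected ones.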
8 changes: 4 additions & 4 deletions evap/evaluation/templates/bootstrap_datetimepicker.html
@@ -1,11 +1,11 @@
{% load static %}
{% get_current_language as LANGUAGE_CODE %}

<script type="text/javascript" src="{% static 'js/moment.min.js' %}"></script>
<script type="text/javascript" src="{% static 'js/moment_de.js' %}"></script>
<script type="text/javascript" src="{% static 'js/bootstrap-datetimepicker.min.js' %}"></script>
<script type="text/javascript" src="{% static 'js/moment.min.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" src="{% static 'js/moment_de.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" src="{% static 'js/bootstrap-datetimepicker.min.js' %}" nonce="{{ CSP_NONCE }}"></script>

<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
// run the bootstrap datepicker plugin
$("input[name$='date']:not([readonly='True'])").datetimepicker({
locale: "{{ LANGUAGE_CODE }}",
2 changes: 1 addition & 1 deletion evap/evaluation/templates/confirmation_modal.html
Expand Up @@ -20,7 +20,7 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{{ title }}</h5>
</div>
</div>

<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
function {{ modal_id }}Show(dataId, dataLabel) {
// call the modal's action function when action button was pressed and give dataId as parameter
$('#btn-action-{{ modal_id }}').unbind().click(function(){ {{ modal_id }}Action(dataId); });
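Review bot: Adding the nonce to this inline script makes the browser trust the whole rendered script body, including every template value interpolated into it, so CSP stops being a second line of defence for those values. Here `{{ modal_id }}` is spliced into identifiers and a jQuery selector with HTML autoescaping only; the same pattern now carries a nonce in confirmation_text_modal.html, contact_modal.html (`"{{ modal_id }}"` next to the escaped `{{ title|escapejs }}`), infobox.html (`{{ infotext.page }}`) and bootstrap_datetimepicker.html (`{{ LANGUAGE_CODE }}`). These values look developer-controlled, but that is inferred from the include calls rather than enforced anywhere visible. A comment such as `{# modal_id must be a literal identifier chosen by the including template, never user data #}` would document the assumption. Longer term, passing values through `data-*` attributes or `json_script`, as this change already does for the delegate button, keeps the nonce-bearing scripts static; the function body continues outside the hunk.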
6 changes: 4 additions & 2 deletions evap/evaluation/templates/confirmation_text_modal.html
Expand Up @@ -11,7 +11,7 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{{ title }}</h5>
<div class="modal-body">
{{ question|safe }}
<div class="my-4">
<input type="text" class="form-control" id="{{ modal_id }}ConfirmationText" oninput="{{ modal_id }}CheckValue();" />
<input type="text" class="form-control check-value-input" id="{{ modal_id }}ConfirmationText"/>
</div>
<div class="modal-submit-group">
<button type="button" class="btn btn-light" data-bs-dismiss="modal">{% trans 'Cancel' %}</button>
Expand All @@ -23,7 +23,7 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{{ title }}</h5>
</div>
</div>

<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
function {{ modal_id }}Show(dataId, dataLabel) {
// call the modal's action function when action button was pressed and give dataId as parameter
$('#{{ modal_id }} #{{ modal_id }}ActionButton').unbind().click(function(){ {{ modal_id }}Action(dataId); });
Expand All @@ -41,4 +41,6 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{{ title }}</h5>
$('#{{ modal_id }}ActionButton').prop('disabled', true);
}
}

document.querySelectorAll(".check-value-input").forEach(input => input.addEventListener("input", {{modal_id}}CheckValue));
</script>
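Review bot: The new `querySelectorAll(".check-value-input")` binding attaches this modal's `{{modal_id}}CheckValue` to every confirmation input on the page, not just its own, whereas the removed `oninput` attribute was scoped to the one input. If this template is included more than once on a page, typing in one modal would also run the other modals' checks against their own fields. Bind by the id the input already has: `document.getElementById("{{ modal_id }}ConfirmationText").addEventListener("input", {{ modal_id }}CheckValue);`, which also makes the `check-value-input` class unnecessary.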
2 changes: 1 addition & 1 deletion evap/evaluation/templates/contact_modal.html
Expand Up @@ -48,7 +48,7 @@ <h5 class="modal-title" id="{{ modal_id }}Label">{{ title }}</h5>
</div>
</div>
</div>
<script type="module">
<script type="module" nonce="{{ CSP_NONCE }}">
import { ContactModalLogic } from "{% static 'js/contact_modal.js' %}";

new ContactModalLogic("{{ modal_id }}", "{{ title|escapejs }}").attach();
8 changes: 4 additions & 4 deletions evap/evaluation/templates/contribution_formset.html
Expand Up @@ -18,10 +18,10 @@ <h5 class="card-title me-auto">{% trans 'Contributors' %}</h5>
<thead>
<tr>
<th></th>
<th style="width: 30%">{% trans 'Contributor' %}</th>
<th style="width: 30%">{% trans 'Questionnaires' %}</th>
<th style="width: 30%">{% trans 'Options' %}</th>
<th style="width: 10%"></th>
<th class="width-percent-30">{% trans 'Contributor' %}</th>
<th class="width-percent-30">{% trans 'Questionnaires' %}</th>
<th class="width-percent-30">{% trans 'Options' %}</th>
<th class="width-percent-10"></th>
</tr>
</thead>
<tbody>
6 changes: 3 additions & 3 deletions evap/evaluation/templates/evap_evaluation_edit_js.html
@@ -1,8 +1,8 @@
{% load static %}

{% if editable %}
<script src="{% static 'js/sortable_form.js' %}"></script>
<script type="text/javascript">
<script src="{% static 'js/sortable_form.js' %}" nonce="{{ CSP_NONCE }}"></script>
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
rowChanged = function(row) {
name = $(row.find("select[id$=-contributor]")).find(":selected").text();
nameChanged = name && name != "---------";
Expand Down Expand Up @@ -30,7 +30,7 @@
</script>
{% endif %}

<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
function makeDoesNotContributeChangeHandler(i) {
return () => {
const doesNotContributeInput = document.querySelector("input[name=contributions-" + i + "-does_not_contribute]");
2 changes: 1 addition & 1 deletion evap/evaluation/templates/faq.html
Expand Up @@ -27,7 +27,7 @@ <h2 id="faq-{{ question.id }}-q" class="accordion-header">
{% endblock %}

{% block additional_javascript %}
<script type="text/javascript">
<script type="text/javascript" nonce="{{ CSP_NONCE }}">
const anchor = window.location.hash.replace("#", "").split('-');
const id = anchor[1];
const type = anchor[2];
10 changes: 5 additions & 5 deletions evap/evaluation/templates/footer.html
@@ -1,10 +1,10 @@
<div class="footer d-print-none">
<div class="color-bar">
<div class="vote-bg-green" style="width: 52%;"></div>
<div class="vote-bg-lime" style="width: 26%;"></div>
<div class="vote-bg-yellow" style="width: 13%;"></div>
<div class="vote-bg-orange" style="width: 6%;"></div>
<div class="vote-bg-red" style="width: 3%;"></div>
<div class="vote-bg-green width-percent-52"></div>
<div class="vote-bg-lime width-percent-26"></div>
<div class="vote-bg-yellow width-percent-13"></div>
<div class="vote-bg-orange width-percent-6"></div>
<div class="vote-bg-red width-percent-3"></div>
</div>
<nav class="navbar navbar-expand">
<div class="collapse navbar-collapse justify-content-between">
4 changes: 2 additions & 2 deletions evap/evaluation/templates/infobox.html
Expand Up @@ -10,15 +10,15 @@
</div>
<div class="callout-content small">
{# Inline script to interrupt loading of the page, so the content does not jump up. #}
<script>
<script nonce="{{ CSP_NONCE }}">
if (localStorage["infobox-{{ infotext.page }}"] === "hide")
document.querySelector("#infobox-{{ infotext.page }}").classList.add("closed");
</script>
{{ infotext.content|safe }}
</div>
</div>

<script type="module">
<script type="module" nonce="{{ CSP_NONCE }}">
import { InfoboxLogic } from "{% static 'js/infobox.js' %}";

new InfoboxLogic("{{ infotext.page }}").attach();