- Implemented CSP (Content Security Policy)

554e2e2e · Frank Bergmann · d7979980 · 554e2e2e · 554e2e2e · 554e2e2e
Commit 554e2e2e authored Nov 03, 2020 by Frank Bergmann
31 changed files
--- a/lib/project-hierarchy.adp
+++ b/lib/project-hierarchy.adp
 <if @read_p@ eq "1">

+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('list_check_all').addEventListener('click', function() { acs_ListCheckAll('hierarchy_project_id', this.checked) });
+});
+</script>
+
+
 <if @subproject_filtering_enabled_p@ eq 1>
  <form action="@return_url;noquote@" method=GET>
  <input type="hidden" name="project_id" value="@project_id@">

--- a/preconf/index.demo-ajax.adp
+++ b/preconf/index.demo-ajax.adp
@@ -117,7 +117,7 @@ tr.on {
 	background:#ffffcc
 }
 </style>
-<script type="text/javascript">
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 function removeBgImage (id) {
 	var element = document.getElementById("outer" + id);
 	element.style.backgroundImage = "none";

--- a/preconf/index.serverselect.adp
+++ b/preconf/index.serverselect.adp
@@ -86,7 +86,7 @@ tr.off { background:#ffffff }
 tr.on { background:#ffffcc }
 td { vertical-align: top }
 </style>
-<script type="text/javascript">
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 function removeBgImage (id) {
 	var element = document.getElementById("outer" + id);
 	element.style.backgroundImage = "none";

--- a/preconf/index.vmware-ajax.adp
+++ b/preconf/index.vmware-ajax.adp
@@ -3,7 +3,7 @@

 <!-- <link rel="stylesheet" type="text/css" href="index.css" media="all"> -->

-<script type="text/javascript">
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 // Set a specific image src
 function setImage (id,img) {
 	var element = document.getElementById(id);

--- a/single-sign-on/localstart.asp
+++ b/single-sign-on/localstart.asp
@@ -5,7 +5,7 @@



-<script language="javascript" type="text/javascript" runat="server">
+<script language="javascript" type="text/javascript" runat="server" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 /*
 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
 * in FIPS PUB 180-1
@@ -269,7 +269,7 @@ sUrl = "https://calpms.mnet.moravia-it.com/moravia-login?username="+sUser+"&date
 %>

 <head>
-<script language="javascript">
+<script language="javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
  var gWinheight;
  var gDialogsize;
  var ghelpwin;

--- a/sql/common/intranet-views.sql
+++ b/sql/common/intranet-views.sql
@@ -350,7 +350,7 @@ extra_select, extra_where, sort_order, visible_for) values (6,1,NULL,'Contact Em
 delete from im_view_columns where view_id = 25;
 --
 insert into im_view_columns (view_id, column_id, sort_order, column_name, column_render_tcl, visible_for) 
-values (25,2500,0,'<input type=checkbox name=_dummy onclick="acs_ListCheckAll(''hierarchy_project_id'',this.checked)">','$select_checkbox', 'expr $bulk_actions_p');
+values (25,2500,0,'<input id=list_check_all type=checkbox name=_dummy>','$select_checkbox', 'expr $bulk_actions_p');

 insert into im_view_columns (view_id, column_id, sort_order, column_name, column_render_tcl) 
 values (25,2510,10,'Empty','$arrow_right_html');
@@ -401,7 +401,7 @@ extra_select, extra_where, sort_order, visible_for) values (2535,25,NULL,'Delive
 delete from im_view_columns where view_id = 27;
 --
 insert into im_view_columns (view_id, column_id, sort_order, column_name, column_render_tcl, visible_for) 
-values (27,2700,0,'<input type=checkbox onclick="acs_ListCheckAll(''select_project_id'',this.checked)">',
+values (27,2700,0,'<input id=list_check_all type=checkbox>',
 '$select_project_checkbox', 'expr $show_bulk_actions_p');

 insert into im_view_columns (view_id, column_id, sort_order, column_name, column_render_tcl) 

--- a/sql/postgresql/upgrade/upgrade-5.0.3.0.2-5.0.3.0.3.sql
+++ b/sql/postgresql/upgrade/upgrade-5.0.3.0.2-5.0.3.0.3.sql
@@ -2,6 +2,24 @@
 SELECT acs_log__debug('/packages/intranet-core/sql/postgresql/upgrade/upgrade-5.0.3.0.2-5.0.3.0.3.sql','');


+-- Delete zombie entries in cr_items
+--
+delete from acs_objects where object_id in (
+	select	object_id
+	from	acs_objects
+	where	object_type = 'content_item' and
+		object_id not in (select item_id from cr_items)
+);
+
+
+-- Delete permission entries for zombie users
+---
+delete from acs_permissions where grantee_id in (
+	select object_id from acs_objects where object_type = 'user' and object_id not in (select party_id from parties)
+);
+
+
+
 -- Add missing columns to acs_datatype
 --
 create or replace function inline_0 () 

--- a/tcl/deprecated-utilities-procs.tcl
+++ b/tcl/deprecated-utilities-procs.tcl
--- a/tcl/intranet-biz-object-procs.tcl
+++ b/tcl/intranet-biz-object-procs.tcl
@@ -646,7 +646,7 @@ ad_proc -public im_group_member_component {
    }
    if {$add_admin_links} {
 	incr colspan
-	append header_html "<td class=rowtitle align=middle><input type='checkbox' name='_dummy' onclick=\"acs_ListCheckAll('delete_user',this.checked)\"></td>"
+	append header_html "<td class=rowtitle align=middle><input id=list_check_all type='checkbox' name='_dummy'></td>"
    }
    append header_html "
      </tr>"
@@ -781,6 +781,13 @@ ad_proc -public im_group_member_component {

    # ------------------ Join table header, body and footer ----------------
    set html "
+
+    	<script type=\"text/javascript\" nonce=\"[im_csp_nonce] \">
+	window.addEventListener('load', function() { 
+	     document.getElementById('list_check_all').addEventListener('click', function() { acs_ListCheckAll('delete_user', this.checked) });
+	});
+	</script>
+
 	<form method=POST action=/intranet/member-update>
 	$output_hidden_vars
 	[export_vars -form {object_id return_url}]

--- a/tcl/intranet-defs-procs.tcl
+++ b/tcl/intranet-defs-procs.tcl
@@ -1879,6 +1879,16 @@ ad_proc -public im_httpost {



+ad_proc -public im_csp_nonce {} {
+    Returns a CSP nonce to "sign" a script tag for CSP Content Security Policy
+} {
+    set nonce ""
+    if {[info exists ::__csp_nonce]} { set nonce $::__csp_nonce }
+    return $nonce
+}
+
+
+
 proc string2hex {string} {
    set where 0
    set res {}
@@ -1899,7 +1909,6 @@ proc string2hex {string} {
 }


-
 ad_proc -public im_coalesce { 
    {a ""}
    {b ""}

--- a/tcl/intranet-design-procs.tcl
+++ b/tcl/intranet-design-procs.tcl
@@ -1060,7 +1060,7 @@ ad_proc -public im_navbar_main_submenu {
 	    set item "<li class='unselected'>
 		<div class=\"sm-po-sub-menu-item\">
 			<div class='sm-po-sub-menu-item-name'><a href='$item_url'>$item_text</a></div>
-			<div class='sm-po-sub-menu-item-wrench'><img src=\"/intranet/images/navbar_default/wrench.png\" alt=\"\"onclick=\"location.href='$wrench_url';\"/></div>
+			<div class='sm-po-sub-menu-item-wrench'><img src=\"/intranet/images/navbar_default/wrench.png\"/>/div>
 		</div>
 		</li>\n"
 	}
@@ -1508,8 +1508,13 @@ ad_proc -public im_header {
 	# HTML ids of the textareas used for Xinha
 	set htmlarea_ids '[join $::acs_blank_master__htmlareas "','"]'
 	
+	set nonce_html ""
+	if {[info exists ::__csp_nonce] && "" ne $::__csp_nonce} {
+	    set nonce_html "nonce=\"$::__csp_nonce\""
+	}
+
 	append extra_stuff_for_document_head "
-	    	   <script type=\"text/javascript\">
+	    	   <script type=\"text/javascript\" $nonce_html>
 	    	   	   _editor_url = \"$xinha_dir\";
 			   _editor_lang = \"$xinha_lang\";
 	    	   </script>
@@ -1518,7 +1523,7 @@ ad_proc -public im_header {

 	set xi "HTMLArea"
 	append body_script_html "
-	        <script type='text/javascript'>
+	        <script type='text/javascript' $nonce_html>
 		<!--
 		 xinha_editors = null;
 		 xinha_init = null;
@@ -1624,8 +1629,14 @@ ad_proc -private im_header_search_form {} {
    if {[im_permission $user_id "search_intranet"] && $user_id > 0 && $search_installed_p} {
 	set alt_go [lang::message::lookup "" intranet-core.Search_Go_Alt "Search through all full-text indexed objects."]
 	return "
+	    	<script type=\"text/javascript\" nonce=\"[im_csp_nonce] \">
+		window.addEventListener('load', function() { 
+		     document.getElementById('tsearch_box').addEventListener('click', function() { this.value = ''; });
+		});
+		</script>
+
 	      <form action=\"/intranet/search/go-search\" method=\"post\" name=\"surx\">
-		<input class=surx name=query_string size=40 value=\"[_ intranet-core.Search]\" onClick=\"javascript:this.value = ''\">
+		<input id=tsearch_box class=surx name=query_string size=40 value=\"[_ intranet-core.Search]\">
 		<input type=\"hidden\" name=\"target\" value=\"content\">
 		<input alt=\"$alt_go\" type=\"submit\" value=\"[_ intranet-core.Action_Go]\" name=\"image\">
 	      </form>

--- a/tcl/intranet-sencha-procs.tcl
+++ b/tcl/intranet-sencha-procs.tcl
@@ -84,5 +84,9 @@ ad_proc -public im_sencha_extjs_load_libraries {
    # Instruct the page to add libraries
    template::head::add_css -href "/$package_key/resources/css/$css_theme_folder" -media "screen" -order 1
    template::head::add_javascript -src "/$package_key/$ext" -order 2
+
+    # Tell CSP security to allow "eval" on this page
+    security::csp::require script-src "'unsafe-eval'"
+    security::csp::require img-src "data:"
 }

--- a/www/admin/categories/index.adp
+++ b/www/admin/categories/index.adp
@@ -47,7 +47,7 @@
 </else>


-<script type="text/javascript">
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 	$(document).ready(function() { 
 		$("#myTable").tablesorter(); 
 	}); 

--- a/www/admin/permissions/perm-include.adp
+++ b/www/admin/permissions/perm-include.adp
@@ -9,7 +9,7 @@
 </form>

 <if @mode@ eq datatable>
-<script type="text/javascript">
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 		$(document).ready( function () {
 		    var oTable = $('.jq-datatable').dataTable( {
        	"bJQueryUI": true,

--- a/www/biz-object-tree-open-close.tcl
+++ b/www/biz-object-tree-open-close.tcl
@@ -36,6 +36,14 @@ ad_page_contract {
    { object_ids "" }
 }

+# --------------------------------------------------------------
+# Check security and allow "root" as object_id
+# --------------------------------------------------------------
+
+if {"root" eq $object_id} { set object_id "0"}
+if {[im_security_alert_check_integer -location "biz-object-tree-open-close.tcl" -value $object_id -severity "Normal"]} { set object_id "0" }
+
+
 # --------------------------------------------------------------
 # Permissions
 # --------------------------------------------------------------

--- a/www/master.adp
+++ b/www/master.adp
@@ -48,7 +48,7 @@

 <if @show_feedback_p@ eq "1">
 		@feedback_url;noquote@
-                <script type="text/javascript">
+                <script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
                        $(document).ready(function () {
                                /* Set up feedback box on right side */
                                $('#feedback-badge-right').feedbackBadge({
@@ -69,7 +69,7 @@
 <if @user_messages:rowcount@ ne 0>
    <if @feedback_behaviour_key@ eq 0>
    	<!--Critical Err, feedback bar remains -->
-    	<script type="text/javascript">
+    	<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
            $('#general_messages_icon_span').click( function() { $('#ajax-status-message').fadeIn(); return false; } );
            $('#general_messages_icon_span').html('&nbsp;<span style="cursor: pointer;"><%=[im_gif "error" ""]%></span>');
 	</script>
@@ -77,7 +77,7 @@

     <if @feedback_behaviour_key@ eq 1 or @feedback_behaviour_key@ eq 2>
        <!-- Serious Err or simple Message , feedback bar disappears -->
-	<script type="text/javascript">
+	<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 		$('#ajax-status-message').delay(8000).fadeOut();
 		window.setTimeout(function () {
 	                // A red dot will briefly appear to drive the attention to a an "Warning icon" that remains on the upper left corner site, near the search bar  

--- a/www/master.tcl
+++ b/www/master.tcl
@@ -111,7 +111,7 @@ append feedback_url "<span>[lang::message::lookup "" intranet-core.Feedback "Fee
 # Load custom JavaScript into header. Example: 
 # create table im_page_header_extensions (page text, header_extension text);
 # create index im_page_header_extensions_page_idx on im_page_header_extensions(page);
-# insert into im_page_header_extensions values ('/intranet/index', '<script type='text/javascript' src='/intranet-cust-xxx/beautify.js'></script>');
+# insert into im_page_header_extensions values ('/intranet/index', '<script type='text/javascript' src='/intranet-cust-xyz/beautify.js'></script>');
 # Please note that page URLs include a trailing "index" if they end with "/".
 if {[im_table_exists im_page_header_extensions]} {
    set this_page [im_component_page_url]
@@ -129,3 +129,29 @@ catch {
    im_ds_display_config_info
 } err_msg

+
+
+
+
+#
+# Add the content security policy. Since this is the blank master, we
+# are defensive and check, if the system has already support for it
+# via the CSPEnabledP kernel parameter. Otherwise users would be
+# blocked out.
+#
+if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0]
+    && [info commands ::security::csp::render] ne ""
+} {
+    set csp [::security::csp::render]
+    if {$csp ne ""} {
+
+        set ua [ns_set iget [ns_conn headers] user-agent]
+        if {[regexp {Trident/.*rv:([0-9]{1,}[\.0-9]{0,})} $ua]} {
+            set field X-Content-Security-Policy
+        } else {
+            set field Content-Security-Policy
+        }
+
+        ns_set put [ns_conn outputheaders] $field $csp
+    }
+}
--- a/www/projects/add-tasks-from-template-2.adp
+++ b/www/projects/add-tasks-from-template-2.adp
@@ -23,14 +23,14 @@
      </td>
      <td> 
 	  <p> 
-	    <input type="submit" value="@button_text@" name="submit2" onclick="blockUserActions()">
+	    <input type="submit" value="@button_text@" name="submit2">
 	  </p>
      </td>
    </tr>
  </table>
 </form>

-<script>
+<script <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 function blockUserActions() {
 	var a = document.getElementsByName("submit2");
 	var p = document.createElement("p");
@@ -39,5 +39,4 @@ function blockUserActions() {
 	var n = document.forms.length;
 	document.forms[n-1].appendChild(p);
 }
-
-</script>
\ No newline at end of file
+</script>
--- a/www/projects/index.adp
+++ b/www/projects/index.adp
@@ -6,7 +6,13 @@
 <property name="left_navbar">@left_navbar_html;literal@</property>
 <property name="show_context_help">@show_context_help_p;literal@</property>

-<SCRIPT Language=JavaScript src=/resources/diagram/diagram/diagram.js></SCRIPT>
+<!-- Show calendar on start- and end-date -->
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('start_date_calendar').addEventListener('click', function() { showCalendar('start_date', 'y-m-d'); });
+     document.getElementById('end_date_calendar').addEventListener('click', function() { showCalendar('end_date', 'y-m-d'); });
+});
+</script>

 <if 0 eq @plugin_id@>


--- a/www/projects/index.tcl
+++ b/www/projects/index.tcl
@@ -349,8 +349,8 @@ if { "t" == [db_string get_view_perm "select im_object_permission_p(:employee_gr
 }

 ad_form -extend -name $form_id -form {
-    {start_date:text(text) {label "[_ intranet-timesheet2.Start_Date]"} {value "$start_date"} {html {size 10}} {after_html {<input type="button" style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendar('start_date', 'y-m-d');" >}}}
-    {end_date:text(text) {label "[_ intranet-timesheet2.End_Date]"} {value "$end_date"} {html {size 10}} {after_html {<input type="button" style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendar('end_date', 'y-m-d');" >}}}
+    {start_date:text(text) {label "[_ intranet-timesheet2.Start_Date]"} {value "$start_date"} {html {size 10}} {after_html {<input type="button" id=start_date_calendar style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');" >}}}
+    {end_date:text(text) {label "[_ intranet-timesheet2.End_Date]"} {value "$end_date"} {html {size 10}} {after_html {<input type="button" id=end_date_calendar style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');">}}}
 }

 set filter_admin_html ""

--- a/www/projects/new-from-template-2.adp
+++ b/www/projects/new-from-template-2.adp
@@ -2,12 +2,14 @@
 <property name="doc(title)">@page_title;literal@</property>
 <property name="main_navbar_label">projects</property>

-<script>
-function doubleClickDisableButton(button) {
-        var btn = document.getElementsByName(button);
-	btn[0].setAttribute('visibility', 'hidden');
-}
-
+<!-- Double-click protection for submit button: Disable after first use -->
+<script type='text/javascript' <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('submit2').addEventListener('click', function() { 
+        var btn = document.getElementsByName('submit2');
+	btn[0].setAttribute('disabled', true);
+     });
+});
 </script>

 <form action=clone-2.tcl method=POST>
@@ -41,11 +43,13 @@ function doubleClickDisableButton(button) {
 	<div align="right">&nbsp; </div>
      </td>
      <td> 
-	  <p> 
-	    <input type="submit" value="@button_text@" name="submit2" onclick="doubleClickDisableButton('submit2')">
+	  <p>
+	    <input type="submit" id=submit2 value="@button_text@" name="submit2">
 	    <%= [im_gif help "Create the new folder structure"] %>
 	  </p>
      </td>
    </tr>
  </table>
 </form>
+
+
--- a/www/projects/new.adp
+++ b/www/projects/new.adp
@@ -4,4 +4,13 @@
 <property name="sub_navbar">@sub_navbar;literal@</property>
 <property name="show_context_help_p">@show_context_help_p;literal@</property>

+
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('start_calendar').addEventListener('click', function() { showCalendarWithDateWidget('start', 'y-m-d'); });
+     document.getElementById('end_calendar').addEventListener('click', function() { showCalendarWithDateWidget('end', 'y-m-d'); });
+});
+</script>
+
+
 <formtemplate id="@form_id@"></formtemplate>
--- a/www/projects/new.tcl
+++ b/www/projects/new.tcl
@@ -360,13 +360,13 @@ template::element::create $form_id start \
    -datatype "date" widget "date" -mode $start_end_date_mode \
    -label [_ intranet-core.Start_Date] \
    -format "DD Month YYYY" -after_html $start_end_date_msg \
-    -after_html {<input type="button" style="height:23px; width:23px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendarWithDateWidget('start', 'y-m-d');" >}
+    -after_html {<input type="button" id=start_calendar style="height:23px; width:23px; background: url('/resources/acs-templating/calendar.gif');">}

 template::element::create $form_id end \
    -datatype "date" widget "date" -mode $start_end_date_mode \
    -label [_ intranet-core.Delivery_Date] \
    -format "DD Month YYYY HH24:MI" -after_html $start_end_date_msg \
-    -after_html {<input type="button" style="height:23px; width:23px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendarWithDateWidget('end', 'y-m-d');" >}
+    -after_html {<input type="button" id=end_calendar style="height:23px; width:23px; background: url('/resources/acs-templating/calendar.gif');">}

 set help_text [im_gif -translate_p 1 help "Is the project going to be in time and budget (green), does it need attention (yellow) or is it doomed (red)?"]
 template::element::create $form_id on_track_status_id \

--- a/www/projects/nuke.adp
+++ b/www/projects/nuke.adp
@@ -4,9 +4,15 @@
 <property name="context">@context_bar;literal@</property>
 <property name="main_navbar_label">projects</property>

+<!-- check/uncheck all checkboxes -->
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('check_all').addEventListener('click', function() { acs_ListCheckAll('subprojects', this.checked); });
+});
+</script>

-<h2>@page_title@</h2>

+<h2>@page_title@</h2>
 <p>
 #intranet-core.lt_Confirm_the_nuking_of#
 <a href="@project_url_org@">@project_name_org@</a>.

--- a/www/projects/nuke.tcl
+++ b/www/projects/nuke.tcl
@@ -110,9 +110,8 @@ template::list::create \
    -row_pretty_plural "[lang::message::lookup "" intranet-core.Nuke_Project Nuke]" \
    -elements {
        project_chk {
-            label "<input type=\"checkbox\" checked
+            label "<input type=\"checkbox\" id=check_all checked
                          name=\"_dummy\"
-                          onclick=\"acs_ListCheckAll('subprojects', this.checked)\"
                          title=\"Check/uncheck all rows\">"
            display_template {
                @subprojects.project_chk;noquote@

--- a/www/projects/project-type-select.adp
+++ b/www/projects/project-type-select.adp
@@ -2,6 +2,18 @@
 <property name="doc(title)">@page_title;literal@</property>
 <property name="main_navbar_label"></property>

+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+    var radios = document.getElementsByName('project_type_id');
+    for(i = 0; i < radios.length; i++) {
+        radios[i].addEventListener('click', function() { 
+	    window.scrollTo(0, document.body.scrollHeight);
+	});
+    }
+});
+</script>
+
+
 <table cellspacing="0" cellpadding="0">
 <tr><td width="950">
 <%= [im_box_header $page_title] %>
@@ -20,7 +32,7 @@
 	<table cellspacing="0" cellpadding="0">
 	<tr valign=top>
 	<td width=22>
-		<input type="radio" name="project_type_id" value="2501" onclick="window.scrollTo(0, document.body.scrollHeight);">
+		<input type="radio" name="project_type_id" value="2501">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_classic_gantt "Classic / Gantt Project"] %>
 		<a href="@po_gantt;noquote@" target="_"><img src="/intranet/images/external.png"></a>
@@ -82,7 +94,7 @@
 	<table cellspacing="0" cellpadding="0">
 	<tr valign=top>
 	<td width=22>	
-	<input type="radio" name="project_type_id" value="2501" onclick="window.scrollTo(0, document.body.scrollHeight);">
+	<input type="radio" name="project_type_id" value="2501">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_mixed "Mixed Methodology Project"] %>
 		<a href="@po_mixed;noquote@" target="_"><img src="/intranet/images/external.png"></a>
@@ -122,7 +134,7 @@
 	<table cellspacing="0" cellpadding="0">
 	<tr valign=top>
 	<td>
-	<input type="radio" name="project_type_id" value="<%= [im_project_type_ticket_container] %>" onclick="window.scrollTo(0, document.body.scrollHeight);">
+	<input type="radio" name="project_type_id" value="<%= [im_project_type_ticket_container] %>">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_ticket_container "Ticket Container"] %>
 		<a href="@po_maint;noquote@" target="_"><img src="/intranet/images/external.png"></a>
@@ -153,7 +165,7 @@
 	<table cellspacing="0" cellpadding="0">
 	<tr valign=top>
 	<td width=22>
-		<input type="radio" name="project_type_id" value="2500" onclick="window.scrollTo(0, document.body.scrollHeight);">
+		<input type="radio" name="project_type_id" value="2500">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_translation "Translation Project"] %>
 		<a href="@po_trans;noquote@" target="_"><img src="/intranet/images/external.png"></a>
@@ -198,7 +210,7 @@
 <if @enabled_p@ eq 1>
 	<tr valign=top>
 	<td>	
-	<input type="radio" name="project_type_id" value="<%= [im_project_type_program] %>" onclick="window.scrollTo(0, document.body.scrollHeight);">
+	<input type="radio" name="project_type_id" value="<%= [im_project_type_program] %>">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_program Program] %></b><br>
 		<%= [lang::message::lookup "" intranet-core.Project_type_program_short_blurb "
@@ -212,7 +224,7 @@
 <if @enabled_p@ eq 1>
 	<tr valign=top>
 	<td>	
-	<input type="radio" name="project_type_id" value="<%= [im_project_type_software_release] %>" onclick="window.scrollTo(0, document.body.scrollHeight);">
+	<input type="radio" name="project_type_id" value="<%= [im_project_type_software_release] %>">
 	</td>
 	<td>	<b><%= [lang::message::lookup "" intranet-core.Project_type_release_project "Release Project"] %></b><br>
 		<%= [im_help_collapsible "<br>

--- a/www/projects/project-type-select.tcl
+++ b/www/projects/project-type-select.tcl
@@ -132,7 +132,7 @@ set gantt_project_subtypes_sql "
 db_foreach gantt $gantt_project_subtypes_sql {
    set category_l10n [im_category_from_id -locale $locale $category_id]
    append gantt_project_subtypes_html "<tr valign=top>\n"
-    append gantt_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\" onclick=\"window.scrollTo(0, document.body.scrollHeight);\"></td>\n"
+    append gantt_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\"></td>\n"
    append gantt_project_subtypes_html "<td><div style='margin-left: 20px;'><b>$category_l10n</b><br>\n"
    append gantt_project_subtypes_html $category_description
    append gantt_project_subtypes_html "</div></td>\n"
@@ -164,7 +164,7 @@ set agile_project_subtypes_sql "
 db_foreach agile $agile_project_subtypes_sql {
    set category_l10n [im_category_from_id -locale $locale $category_id]
    append agile_project_subtypes_html "<tr valign=top>\n"
-    append agile_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\" onclick=\"window.scrollTo(0, document.body.scrollHeight);\"></td>\n"
+    append agile_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\"></td>\n"
    append agile_project_subtypes_html "<td><div style='margin-left: 20px;'><b>$category_l10n</b><br>\n"
    append agile_project_subtypes_html $category_description
    append agile_project_subtypes_html "</div></td>\n"
@@ -198,7 +198,7 @@ set trans_project_subtypes_sql "
 db_foreach trans $trans_project_subtypes_sql {
    set category_l10n [im_category_from_id -locale $locale $category_id]
    append trans_project_subtypes_html "<tr valign=top>\n"
-    append trans_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\" onclick=\"window.scrollTo(0, document.body.scrollHeight);\"></td>\n"
+    append trans_project_subtypes_html "<td><input type=\"radio\" name=\"project_type_id\" value=\"$category_id\"></td>\n"
    append trans_project_subtypes_html "<td><div style='margin-left: 20px;'><b>$category_l10n</b><br>\n"
    append trans_project_subtypes_html $category_description
    append trans_project_subtypes_html "</div></td>\n"

--- a/www/related-objects-component.adp
+++ b/www/related-objects-component.adp
 <if @show_master_p@>
 <master src="/packages/intranet-core/www/master">
 </if>
+
+<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
+window.addEventListener('load', function() { 
+     document.getElementById('list_check_all').addEventListener('click', function() { acs_ListCheckAll('rels_list', this.checked) });
+});
+</script>
+
+
 <listtemplate name="rels"></listtemplate>
 @show_more_url;noquote@
--- a/www/related-objects-component.tcl
+++ b/www/related-objects-component.tcl
@@ -89,10 +89,7 @@ list::create \
    -actions $actions \
    -elements {
 	object_chk {
-	    label "<input type=\"checkbox\" 
-                          name=\"_dummy\" 
-                          onclick=\"acs_ListCheckAll('rels_list', this.checked)\" 
-                          title=\"Check/uncheck all rows\">"
+	    label "<input id=list_check_all type=\"checkbox\" name=\"_dummy\" title=\"Check/uncheck all rows\">"
 	    display_template {
 		@rels_multirow.object_chk;noquote@
 	    }

--- a/www/users/upload-users-2.adp
+++ b/www/users/upload-users-2.adp
@@ -3,7 +3,7 @@
 <master src="/packages/intranet-core/www/master">
 <property name="doc(title)">@page_title;literal@</property>

-		<script type="text/javascript" charset="utf-8">
+		<script type="text/javascript" charset="utf-8" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 			function reset_import_and_database_selects() {
 				/* 
 				var i = document.getElementById("import_fields");	
@@ -114,4 +114,4 @@
        	</table>
 	</form>

-@notes_msg;noquote@
\ No newline at end of file
+@notes_msg;noquote@
--- a/www/xowiki-template.adp
+++ b/www/xowiki-template.adp
@@ -31,7 +31,7 @@
 	@header_stuff;noquote@
 	<!-- /header stuff -->

-	<script type="text/javascript">
+	<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 	function get_popular_tags(popular_tags_link, prefix) {
 	  var http = getHttpObject();
 	  http.open('GET', popular_tags_link, true);
@@ -172,7 +172,7 @@
 <input value="@item_id@" name="response_to_question.@item_id_question_id@" type="hidden">
 <input value="@title@" name="response_to_question.@title_question_id@" type="hidden">
 <input value="http://www.project-open.com/en/contact-thanks" name="return_url" type="hidden">
-<script language="javascript" type="text/javascript">
+<script language="javascript" type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
 document.write('<input type="hidden" name="response_to_question.@url_question_id@" value="'+location.href+'" >');
 </script>