Commit e2e9f643 authored by Frank Bergmann's avatar Frank Bergmann

- Implemented CSP (Content Security Policy)

parent 65de8218
<script>
<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
<if @no_records_found_msg@ eq "">
Ext.require('Ext.chart.*');
......
......@@ -2,6 +2,14 @@
<%=[im_header]%>
<%=[im_navbar]%>
<!-- Show calendar on start- and end-date -->
<script type="text/javascript" <if @::__csp_nonce@ not nil>nonce="@::__csp_nonce;literal@"</if>>
window.addEventListener('load', function() {
document.getElementById('start_date_calendar').addEventListener('click', function() { showCalendar('start_date', 'y-m-d'); });
document.getElementById('end_date_calendar').addEventListener('click', function() { showCalendar('end_date', 'y-m-d'); });
});
</script>
<form action='project-deviation-time-budget' id='intranet-reporting-project-deviation-time-budget'>
<%=[export_vars -form {opened_projects}]%>
......@@ -13,14 +21,14 @@
<td class=form-label><%=[lang::message::lookup "" intranet-core.Start_Date "Start Date"]%></td>
<td class=form-widget>
<input type="text"field name="start_date" id="start_date" value="@start_date@">
<input type="button" style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendar('start_date', 'y-m-d');" >
<input type="button" id=start_date_calendar style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');">
</td>
</tr>
<tr>
<td class=form-label><%=[lang::message::lookup "" intranet-core.End_Date "End Date"]%></td>
<td class=form-widget>
<input type="text"field name="end_date" id="end_date" value="@end_date@">
<input type="button" style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');" onclick ="return showCalendar('end_date', 'y-m-d');" >
<input type="button" id=end_date_calendar style="height:20px; width:20px; background: url('/resources/acs-templating/calendar.gif');">
</td>
</tr>
<tr>
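Review bot: The `id=start_date_calendar` and `id=end_date_calendar` attribute values in the second hunk are unquoted; writing them as `id="start_date_calendar"` and `id="end_date_calendar"` matches the quoted attributes on the same lines and keeps the ids parsing the same way if they are ever extended. In the first hunk, the `;literal` modifier on `@::__csp_nonce;literal@` appears to bypass the template's HTML quoting, which is only safe because the nonce is generated on the server; a short comment such as `<!-- nonce is server-generated; ;literal keeps it unescaped so it matches the policy header byte-for-byte -->` would record that so nobody later interpolates other values the same way. The load listeners that call `showCalendar(...)` from the nonced script are the right replacement for the removed inline onclick handlers; when the nonce variable is nil the script is emitted without a nonce, which presumably only happens on installations where no nonce-based policy is enforced.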
......
......@@ -829,6 +829,30 @@ ad_proc im_report_write_http_headers {
set all_the_headers "HTTP/1.0 200 OK\nConnection: keep-alive\nContent-Type: $content_type\r\n"
}
#
# Add the content security policy. Since this is the blank master, we
# are defensive and check, if the system has already support for it
# via the CSPEnabledP kernel parameter. Otherwise users would be
# blocked out.
#
if {[parameter::get -parameter CSPEnabledP -package_id [ad_acs_kernel_id] -default 0]
&& [info commands ::security::csp::render] ne ""
} {
set csp [::security::csp::render]
if {$csp ne ""} {
set ua [ns_set iget [ns_conn headers] user-agent]
if {[regexp {Trident/.*rv:([0-9]{1,}[\.0-9]{0,})} $ua]} {
set field X-Content-Security-Policy
} else {
set field Content-Security-Policy
}
ns_set put [ns_conn outputheaders] $field $csp
}
}
util_WriteWithExtraOutputHeaders $all_the_headers
# fraber 160224: NaviServer instead of AOLserver...
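Review bot: The comment at the top of the new block says `Since this is the blank master`, but this code lives in `im_report_write_http_headers`, so the comment misdescribes where the check runs; suggest `# Add the Content-Security-Policy header when the kernel has CSP support (CSPEnabledP) and the renderer exists, so reports written via ns_write get the same policy as templated pages.` The header is stored with `ns_set put [ns_conn outputheaders]`, which only reaches the client if `util_WriteWithExtraOutputHeaders` below emits that set — that seems to be its purpose, but worth confirming on this NaviServer version. The User-Agent lookup with `ns_set iget` yields an empty string when the header is absent, so the regexp simply falls through to the standard header name, which is fine. The body of im_report_write_http_headers continues outside the hunk.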
......
......@@ -1008,7 +1008,7 @@ append sidebar_html "
</div> <!-- /slave -->
<script type='text/javascript'>
<script type='text/javascript' nonce='[im_csp_nonce]'>
function handleClick(myRadio) \{
if (\"html\" == myRadio.value) \{
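Review bot: The `handleClick(myRadio)` function defined in this now-nonced block is presumably invoked from `onclick` attributes on the format radio buttons elsewhere in `sidebar_html`; a script nonce authorises the script element only and does not permit inline event handler attributes, so under an enforced policy those handlers would be blocked even though the function itself loads. The other hunks in this commit convert such handlers to `addEventListener`; the radios need the same treatment if they are still wired inline, which is not visible in this hunk. The enclosing `append sidebar_html` string starts before the hunk.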
......@@ -1351,7 +1351,7 @@ switch $output_format {
html {
ns_write "</table>[im_box_footer]</div></form>"
# Todo: Verify how to include div id "monitor_frame" to make following js obsolete
ns_write "<script language='javascript' type='text/javascript'>document.getElementById('slave_content').style.visibility='visible';"
ns_write "<script language='javascript' type='text/javascript' nonce='[im_csp_nonce]'>document.getElementById('slave_content').style.visibility='visible';"
ns_write "document.getElementById('fullwidth-list').style.visibility='visible'; </script>"
ns_write "[im_footer]\n"
}
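Review bot: The same unhide snippet (`<script ... nonce='[im_csp_nonce]'>document.getElementById('slave_content')...`) is now maintained in three places — this hunk and the hunks at @@ -1419 and @@ -1465 — each with the same `Todo` comment; now that every copy must carry the nonce, a single Tcl proc returning the script tag would keep the policy handling in one place. The tag also keeps the obsolete `language='javascript'` attribute beside `type`; `<script type='text/javascript' nonce='[im_csp_nonce]'>` is enough. The enclosing `switch $output_format` starts outside the hunk.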
......@@ -1419,7 +1419,7 @@ switch $output_format {
}
chart {
# Todo: Verify how to include div id "monitor_frame" to make following js obsolete
ns_write "<script language='javascript' type='text/javascript'>document.getElementById('slave_content').style.visibility='visible';"
ns_write "<script language='javascript' type='text/javascript' nonce='[im_csp_nonce]'>document.getElementById('slave_content').style.visibility='visible';"
ns_write "document.getElementById('fullwidth-list').style.visibility='visible'; </script>"
# These var values we need to wrap into ''
set str_vars_list [list]
......@@ -1465,7 +1465,7 @@ switch $output_format {
ns_write "[im_footer]\n"
# Todo: Verify how to include div id "monitor_frame" to make following js obsolete
ns_write "<script language='javascript' type='text/javascript'>"
ns_write "<script language='javascript' type='text/javascript' nonce='[im_csp_nonce]'>"
ns_write "document.getElementById('slave_content').style.visibility='visible';"
ns_write "document.getElementById('fullwidth-list').style.visibility='visible';"
ns_write "</script>"
......
......@@ -343,7 +343,7 @@ switch $output_format {
</td>
</table>
<script>
<script type=\"text/javascript\" nonce=\"[im_csp_nonce]\">
jQuery().ready(function(){
\$(function() {
\$( \"\#start_date\" ).datepicker({ dateFormat: \"yyyy-mm-dd\" });
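Review bot: The context line `dateFormat: \"yyyy-mm-dd\"` looks wrong if this is the jQuery UI datepicker, whose format tokens use `yy` for a four-digit year, so `yyyy` would print the year twice; `dateFormat: \"yy-mm-dd\"` is the usual spelling — pre-existing, but it sits inside the script block this commit re-tags. The nonce on the new script tag itself is correct; the nested `jQuery().ready(function(){` and `\$(function() {` wrappers are redundant and one would do. The ns_write string starts before the hunk.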
......@@ -465,7 +465,7 @@ switch $output_format {
html {
ns_write "</table>\n[im_footer]\n"
ns_write "
<script type='text/javascript'>
<script type='text/javascript' nonce='[im_csp_nonce]'>
document.getElementById('total_users_ctr').innerHTML = '$total_users_ctr';
document.getElementById('output_users_ctr').innerHTML = '$output_users_ctr';
</script>
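Review bot: The nonced script interpolates `$total_users_ctr` and `$output_users_ctr` directly into JavaScript string literals assigned to `innerHTML`; the nonce only authorises the script block and does nothing about what the server writes into it, so this stays safe only if both values are guaranteed integers (their names suggest counters computed earlier in the page — confirm neither can carry request input). Assigning through `.textContent` rather than `.innerHTML` makes the sink inert for text either way, e.g. `document.getElementById('total_users_ctr').textContent = '$total_users_ctr';`. The ns_write string starts before the hunk.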
......
......@@ -46,9 +46,9 @@ set offset [expr {$page * $limit}]
# Page Title, Bread Crums and Help
#
set page_title [lang::message::lookup "" intranet-reporting_Users_and_Contacts "Users and Contacts"]
set page_title [lang::message::lookup "" intranet-reporting.Users_and_Contacts "Users and Contacts"]
set context_bar [im_context_bar $page_title]
set help_text [lang::message::lookup "" intranet-reporting_Users_and_Contacts_help "
set help_text [lang::message::lookup "" intranet-reporting.Users_and_Contacts_help "
<strong>Users and Contacts:</strong><br>
This report shows all users in the system, together with
their state and their contact details.
......@@ -161,8 +161,8 @@ OFFSET :offset
# Global Header Line
set header0 [list \
"<input type=checkbox name=_dummy onclick=\\\"acs_ListCheckAll('user',this.checked)\\\" checked>" \
[lang::message::lookup "" intranet-reporting.Company_short Comp] \
"<input id=list_check_all type=checkbox name=_dummy checked>" \
[lang::message::lookup "" intranet-reporting.Company_short Comp] \
[lang::message::lookup "" intranet-reporting.Customer_oneletter "C"] \
[lang::message::lookup "" intranet-reporting.Employee_oneletter "E"] \
[lang::message::lookup "" intranet-reporting.Freelancer_oneletter "F"] \
......@@ -270,6 +270,13 @@ switch $output_format {
ns_write "
[im_header]
[im_navbar reporting]
<script type=\"text/javascript\" nonce=\"[im_csp_nonce] \">
window.addEventListener('load', function() {
document.getElementById('list_check_all').addEventListener('click', function() { acs_ListCheckAll('user',this.checked); });
});
</script>
<table cellspacing=0 cellpadding=0 border=0>
<tr valign=top>
<td width='30%'>
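Review bot: The new script tag has a stray space inside the attribute value, `nonce=\"[im_csp_nonce] \"`, so the attribute carries a trailing blank; CSP compares the nonce attribute value exactly against the policy, so this block would be rejected under an enforced policy and the check-all box would silently stop working. It should read `nonce=\"[im_csp_nonce]\"` as in the other hunks. The listener also dereferences `document.getElementById('list_check_all')` unconditionally on load; if the header row from the @@ -161 hunk is not rendered in some output branch that is a null dereference, and a guard such as `var el = document.getElementById('list_check_all'); if (el) { el.addEventListener('click', function() { acs_ListCheckAll('user', this.checked); }); }` is cheap. The ns_write string starts before the hunk.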
......