CSP: Disable the indexCustomInlineScripts hook
parent
052fbb944f
commit
a4927095ae
|
@ -118,7 +118,6 @@ Available blocks in `pad.html` are:
|
|||
* `indexCustomStyles` - contains the `index.css` `<link>` tag, allows you to add your own or to customize the one provided by the active skin
|
||||
* `indexWrapper` - contains the form for creating new pads
|
||||
* `indexCustomScripts` - contains the `index.js` `<script>` tag, allows you to add your own or to customize the one provided by the active skin
|
||||
* `indexCustomInlineScripts` - contains the inline `<script>` of home page, allows you to customize `go2Name()`, `go2Random()` or `randomPadName()` functions
|
||||
|
||||
## padInitToolbar
|
||||
Called from: src/node/hooks/express/specialpages.js
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
var _ = require("underscore");
|
||||
var defs = require('./plugin_defs');
|
||||
|
||||
const disabledHookReasons = {
|
||||
hooks: {
|
||||
indexCustomInlineScripts: 'The hook makes it impossible to use a Content Security Policy ' +
|
||||
'that prohibits inline code. Permitting inline code makes XSS vulnerabilities more likely',
|
||||
},
|
||||
};
|
||||
|
||||
function loadFn(path, hookName) {
|
||||
var functionName
|
||||
, parts = path.split(":");
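Review bot: `disabledHookReasons` (the new `const` after `var defs`) carries no comment explaining its shape, so a maintainer adding an entry has to find the consumer in extractHooks to learn that the outer key is the hook set name and the inner key the hook name. A short header would do: `// Hooks that extractHooks refuses to register, keyed by hook set name, then hook name. The value is the message logged when a plugin still declares the hook.` Since the table is a module-level constant consulted whenever extractHooks runs, wrapping it in `Object.freeze(...)` would also guard against accidental mutation, though that is optional.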
|
||||
|
@ -31,8 +38,6 @@ function extractHooks(parts, hook_set_name, normalizer) {
|
|||
_.chain(part[hook_set_name] || {})
|
||||
.keys()
|
||||
.each(function (hook_name) {
|
||||
if (hooks[hook_name] === undefined) hooks[hook_name] = [];
|
||||
|
||||
var hook_fn_name = part[hook_set_name][hook_name];
|
||||
|
||||
/* On the server side, you can't just
|
||||
|
@ -43,6 +48,15 @@ function extractHooks(parts, hook_set_name, normalizer) {
|
|||
hook_fn_name = normalizer(part, hook_fn_name, hook_name);
|
||||
}
|
||||
|
||||
const disabledReason = (disabledHookReasons[hook_set_name] || {})[hook_name];
|
||||
if (disabledReason) {
|
||||
console.error(`Hook ${hook_set_name}/${hook_name} is disabled. Reason: ${disabledReason}`);
|
||||
console.error(`The hook function ${hook_fn_name} from plugin ${part.name} ` +
|
||||
'will never be called, which may cause the plugin to fail');
|
||||
console.error(`Please update the ${part.name} plugin to not use the ${hook_name} hook`);
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
var hook_fn = loadFn(hook_fn_name, hook_name);
|
||||
if (!hook_fn) {
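Review bot: The lookup `(disabledHookReasons[hook_set_name] || {})[hook_name]` on the first added line walks the prototype chain, so a hook set or hook named after an inherited `Object.prototype` member (`constructor`, `toString`, `hasOwnProperty`, …) yields a function, which is truthy and would disable that hook with a nonsense reason. Both names come from plugin-supplied definitions (`part[hook_set_name]` in the surrounding code), so an own-property check is the safer form: `const disabledSet = Object.prototype.hasOwnProperty.call(disabledHookReasons, hook_set_name) ? disabledHookReasons[hook_set_name] : {};` followed by `const disabledReason = Object.prototype.hasOwnProperty.call(disabledSet, hook_name) ? disabledSet[hook_name] : undefined;`. The new messages also name the plugin as `part.name` while the existing failure message in the next hunk uses `part.full_name`; picking one keeps log grepping consistent. extractHooks begins before this hunk and its `.each` callback continues after it.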
|
||||
|
@ -52,6 +66,7 @@ function extractHooks(parts, hook_set_name, normalizer) {
|
|||
console.error("Failed to load '" + hook_fn_name + "' for '" + part.full_name + "/" + hook_set_name + "/" + hook_name + "': " + exc.toString())
|
||||
}
|
||||
if (hook_fn) {
|
||||
if (hooks[hook_name] == null) hooks[hook_name] = [];
|
||||
hooks[hook_name].push({"hook_name": hook_name, "hook_fn": hook_fn, "hook_fn_name": hook_fn_name, "part": part});
|
||||
}
|
||||
});
|
||||
|
|
|
@ -184,7 +184,6 @@
|
|||
<% e.end_block(); %>
|
||||
<script>
|
||||
// @license magnet:?xt=urn:btih:8e4f440f4c65981c5bf93c76d35135ba5064d8b7&dn=apache-2.0.txt
|
||||
<% e.begin_block("indexCustomInlineScripts"); %>
|
||||
function go2Name()
|
||||
{
|
||||
var padname = document.getElementById("padname").value;
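Review bot: Removing the `begin_block("indexCustomInlineScripts")` marker stops plugins from injecting into this `<script>`, but the code between `<script>` and `function go2Name()` is still inline in the template, so a `script-src` policy without `'unsafe-inline'` (the goal stated in the commit's reason string) would still block `go2Name()`, `go2Random()` and `randomPadName()` on the home page. If moving this code into the skin's `index.js` is planned as a follow-up, a comment inside the script such as `// TODO: move this inline script into index.js so the home page can run under a CSP that forbids inline scripts`, or a sentence in the commit message, would make that explicit. The same applies to the matching `end_block` removal in the following hunk (`@ -219,7 +218,6 @@`).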
|
||||
|
@ -219,7 +218,6 @@
|
|||
}
|
||||
return randomstring;
|
||||
}
|
||||
<% e.end_block(); %>
|
||||
|
||||
// start the custom js
|
||||
if (typeof customStart == "function") customStart();
|
||||
|
|