Add a validateForm event listener and enforce CSP on some views (#2425)

* Add a validateForm event listener and enforce CSP on the controlcap view

* filter.php: Use .validateFormOnSubmit

* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check

* Use .validateFormOnSubmit and enforce CSP on the storage view
Matt N 2019-01-19 06:41:53 -08:00 committed by Isaac Connor
parent 4e6c1d42b1
commit 4e48939660
8 changed files with 17 additions and 9 deletions


@ -39,12 +39,14 @@ function CSPHeaders($view, $nonce) {
switch ($view) {
case 'bandwidth':
case 'blank':
case 'controlcap':
case 'function':
case 'log':
case 'login':
case 'logout':
case 'options':
case 'privacy':
case 'storage':
case 'version': {
// Enforce script-src on pages where inline scripts and event handlers have been fixed.
// 'unsafe-inline' is only for backwards compatibility with browsers which
@ -462,7 +464,7 @@ function makePopupButton( $url, $winName, $winSize, $buttonValue, $condition=1,
} else {
$string .= ' data-window-tag="' . htmlspecialchars($winSize) . '"';
}
if ($condition) {
if (!$condition) {
$string .= ' disabled="disabled"';
}
$string .= ($options ? (' ' . $options) : '') . '/>';
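Review bot: Adding `controlcap` and `storage` to the enforced list in CSPHeaders means any inline `on*` attribute or un-nonced inline script still left in those views will be blocked by the browser without a visible error. The view hunks in this commit only show the form's `onsubmit` being replaced, and the rest of each view is outside the diff, so both views should be checked for remaining `onclick=`/`onchange=` attributes and `<script>` blocks without the nonce before this is merged. I would also extend the existing comment to say how a view qualifies, e.g. `// Add a view here only once it has no inline handlers and every <script> carries the nonce.` The switch body continues outside the hunk.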


@ -119,6 +119,12 @@ function createPopup( url, name, tag, width, height ) {
}
$j(document).ready(function() {
$j("form.validateFormOnSubmit").submit(function onSubmit(evt) {
if (!validateForm(this)) {
evt.preventDefault();
}
});
$j(".popup-link").click(function onClick(evt) {
var el = this;
var url;
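Review bot: If `validateForm` is undefined on a view, or throws, the new submit handler exits before `evt.preventDefault()` and the form is submitted unvalidated. Every form tagged `validateFormOnSubmit` now relies on its view script defining a global `validateForm`, and nothing in the handler checks that. Failing closed is a one-line change: `if (typeof validateForm !== 'function' || !validateForm(this)) {`. Either way this is a usability check only, so the POST handlers still have to validate the same fields server-side. The ready callback continues outside the hunk.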


@ -183,7 +183,7 @@ foreach ( $tabs as $name=>$value )
?>
</ul>
<div class="clear"></div>
<form name="contentForm" id="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" onsubmit="return validateForm( this )">
<form name="contentForm" id="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" class="validateFormOnSubmit">
<input type="hidden" name="view" value="<?php echo $view ?>"/>
<input type="hidden" name="tab" value="<?php echo $tab ?>"/>
<input type="hidden" name="action" value="controlcap"/>
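Review bot: The rewritten form tag still echoes `$_SERVER['PHP_SELF']` into the `action` attribute unescaped, and the same pattern is kept on the server and storage forms later in this commit. PHP_SELF includes whatever path info the client appends after the script name, so it is request-controlled text written into markup; enforcing CSP on this view limits script execution but not markup injection. Since the line is being touched anyway, escape it with `action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>"`, or drop the attribute as the filter form does. `$view` and `$tab` in the hidden inputs below are also echoed raw, and whether they are validated earlier is not visible here.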


@ -180,7 +180,7 @@ if ( (null !== $filter->Concurrent()) and $filter->Concurrent() )
?>
</div>
</form>
<form name="contentForm" id="contentForm" method="post" onsubmit="return validateForm(this);">
<form name="contentForm" id="contentForm" method="post" class="validateFormOnSubmit">
<input type="hidden" name="Id" value="<?php echo $filter->Id() ?>"/>
<input type="hidden" name="action" value=""/>
<input type="hidden" name="object" value="filter"/>


@ -1,5 +1,5 @@
function validateForm( form, newServer ) {
var errors = new Array();
function validateForm(form) {
var errors = [];
if ( !form.elements['newServer[Name]'].value ) {
errors[errors.length] = "You must supply a name";
}
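Review bot: `!form.elements['newServer[Name]'].value` accepts a name made only of spaces and throws a TypeError if the field is absent from the form; the storage script's `validateForm` in the next file has the same check. Trimming first closes both gaps: `var nameField = form.elements['newServer[Name]'];` followed by `if ( !nameField || !nameField.value.trim() ) {`. As a style point, `errors.push("You must supply a name")` would read better than `errors[errors.length] = ...` now that the array literal has been modernised. The function body continues outside the hunk.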


@ -1,5 +1,5 @@
function validateForm( form, newStorage ) {
var errors = new Array();
function validateForm(form) {
var errors = [];
if ( !form.elements['newStorage[Name]'].value ) {
errors[errors.length] = "You must supply a name";
}


@ -39,7 +39,7 @@ xhtmlHeaders(__FILE__, translate('Server').' - '.$Server->Name());
<h2><?php echo translate('Server').' - '.$Server->Name() ?></h2>
</div>
<div id="content">
<form name="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" onsubmit="return validateForm(this, <?php echo empty($Server->Name())?'true':'false' ?>)">
<form name="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" class="validateFormOnSubmit">
<input type="hidden" name="view" value="<?php echo $view ?>"/>
<input type="hidden" name="object" value="server"/>
<input type="hidden" name="id" value="<?php echo validHtmlStr($_REQUEST['id']) ?>"/>
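Review bot: `$Server->Name()` is echoed into the `<h2>` and passed to xhtmlHeaders without escaping, and the storage view in the next section does the same with `$newStorage['Name']`. Unless the name is already HTML-escaped before it reaches this point, which is not visible here, a stored name containing markup is rendered as HTML. The server view is also not among the enforced CSP cases visible in this commit, so it may not get the same mitigation as storage. The file already uses `validHtmlStr()` for `$_REQUEST['id']` two lines below, so `<?php echo translate('Server').' - '.validHtmlStr($Server->Name()) ?>` would be consistent with it.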


@ -63,7 +63,7 @@ xhtmlHeaders(__FILE__, translate('Storage')." - ".$newStorage['Name'] );
<h2><?php echo translate('Storage')." - ".$newStorage['Name'] ?></h2>
</div>
<div id="content">
<form name="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" onsubmit="return validateForm( this, <?php echo empty($newStorage['Name'])?'true':'false' ?> )">
<form name="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>" class="validateFormOnSubmit">
<input type="hidden" name="view" value="<?php echo $view ?>"/>
<input type="hidden" name="object" value="storage"/>
<input type="hidden" name="id" value="<?php echo validHtmlStr($_REQUEST['id']) ?>"/>