Commit Graph

10 Commits

Author SHA1 Message Date
Matthew Noorenberghe 99f1e23c5b Replace usage of PHP_SELF in views/. Fixes #2450 2019-02-09 21:39:19 -08:00
Matthew Noorenberghe 61f6a92cc0 view=download: Validate the eid parameter to avoid XSS. Fixes #2442 2019-02-09 01:37:32 -08:00
Matthew Noorenberghe 0b38e72f88 view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441 2019-02-09 01:16:32 -08:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413) 2019-01-16 09:59:58 -05:00
    * Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy
    * Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'
      Only handle ones that don't return a value.
    * Use @data-on-click to attach inline click event handlers with no args and no return value
    * Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument
    * Enforce a script-src CSP on views without inline JS
    * Convert some onchange attributes to data-on-change
Isaac d8a62e0ede Show total size for non-montage review downloads as well 2018-05-18 15:51:42 +02:00
Isaac Connor 9fe7ba25e2 improve the download ui 2017-12-11 14:33:17 -08:00
Isaac Connor 72a50910e6 Merge pull request #56 from digital-gnome/storageareas-fixMontageReviewFilter 2017-12-04 17:08:51 -05:00
    Montagereview filter respects groups setting
digital-gnome 3f62d1e24d Montagereview filter respects groups setting 2017-12-04 14:35:33 -05:00
Isaac Connor 1ccd344bf5 implement Storage Area move 2017-12-04 11:05:50 -05:00
digital-gnome 3e7c573da5 Add download video option to events view 2017-12-03 14:42:07 -05:00
    Creates a new popup window for downloading event video files with no directory structure in the archive