i2ptunnel: Replace edit onclick with js file

Remove unsafe CSP
2020-05-11 17:12:12 +00:00
parent 7da2ac9ef3
commit 8631db8769
4 changed files with 33 additions and 4 deletions
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -1,9 +1,11 @@
 <%
    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line

+    String cspNonce = Integer.toHexString(net.i2p.util.RandomSource.getInstance().nextInt());
+
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    // edit pages need script for the delete button 'are you sure'
-    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
+    response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'nonce-" + cspNonce + "'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; media-src 'none'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
    response.setHeader("X-Content-Type-Options", "nosniff");
    response.setHeader("Referrer-Policy", "no-referrer");
@@ -40,10 +42,14 @@ if (tun != null) {
    <link rel="icon" href="<%=editBean.getTheme()%>images/favicon.ico" />
    <link href="<%=editBean.getTheme()%>i2ptunnel.css?<%=net.i2p.CoreVersion.VERSION%>" rel="stylesheet" type="text/css" /> 
 <style type='text/css'>
-input.default { width: 1px; height: 1px; visibility: hidden; }
+  input.default { width: 1px; height: 1px; visibility: hidden; }
 </style>
 <script src="/js/resetScroll.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 <script src="js/tableSlider.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
+<script nonce="<%=cspNonce%>" type="text/javascript">
+  var deleteMessage = "<%=intl._t("Are you sure you want to delete?")%>";
+</script>
+<script src="js/delete.js?<%=net.i2p.CoreVersion.VERSION%>" type="text/javascript"></script>
 </head>
 <body id="tunnelEditPage">
 <%
--- a/apps/i2ptunnel/jsp/editClient.jsi
+++ b/apps/i2ptunnel/jsp/editClient.jsi
@@ -688,7 +688,7 @@
            <td class="buttons" colspan="2">
                    <input type="hidden" value="true" name="removeConfirm" />
                    <button id="controlCancel" class="control" type="submit" name="action" value=""><%=intl._t("Cancel")%></button>
-                    <button id="controlDelete" onclick="if (!confirm('Are you sure you want to delete?')) { return false; }" class="control" type="submit" name="action" value="Delete this proxy" title="<%=intl._t("Delete this Proxy (cannot be undone)")%>"><%=intl._t("Delete")%></button>
+                    <button id="controlDelete" class="control delete" type="submit" name="action" value="Delete this proxy" title="<%=intl._t("Delete this Proxy (cannot be undone)")%>"><%=intl._t("Delete")%></button>
                    <button id="controlSave" class="control" type="submit" name="action" value="Save changes"><%=intl._t("Save")%></button>
            </td>
        </tr>
--- a/apps/i2ptunnel/jsp/editServer.jsi
+++ b/apps/i2ptunnel/jsp/editServer.jsi
@@ -1015,7 +1015,7 @@
            <td class="buttons" colspan="2">
                    <input type="hidden" value="true" name="removeConfirm" />
                    <button id="controlCancel" class="control" type="submit" name="action" value=""><%=intl._t("Cancel")%></button>
-                    <button id="controlDelete" onclick="if (!confirm('Are you sure you want to delete?')) { return false; }" class="control" type="submit" name="action" value="Delete this proxy" title="<%=intl._t("Delete this Proxy (cannot be undone)")%>"><%=intl._t("Delete")%></button>
+                    <button id="controlDelete" class="control delete" type="submit" name="action" value="Delete this proxy" title="<%=intl._t("Delete this Proxy (cannot be undone)")%>"><%=intl._t("Delete")%></button>
                    <button id="controlSave" class="control" type="submit" name="action" value="Save changes"><%=intl._t("Save")%></button>
            </td>
        </tr>
--- a/apps/i2ptunnel/jsp/js/delete.js
+++ b/apps/i2ptunnel/jsp/js/delete.js
@@ -0,0 +1,23 @@
+function init()
+{
+	var buttons = document.getElementsByClassName("delete");
+	for(index = 0; index < buttons.length; index++)
+	{
+		var button = buttons[index];
+		addClickHandler(button);
+	}
+}
+
+function addClickHandler(elem)
+{
+	elem.addEventListener("click", function() {
+              if (!confirm(deleteMessage)) {
+                  event.preventDefault();
+                  return false;
+              }
+        });
+}
+
+document.addEventListener("DOMContentLoaded", function() {
+    init();
+}, true);