Add CSPs to mitigate XSS via inline scripts and styles

All inline scripts and styles have been moved into
external files so policies without 'unsafe-inline'
can be applied.

Author: nanotech

Resources/html/css/GitX.css

@@ -31,3 +31,7 @@ table {
 	font-family: Menlo, Monaco, monospace;
 	text-decoration: none;
 }
+
+.hidden {
+	display: none;
+}

Resources/html/lib/GitX.js

@@ -35,25 +35,26 @@ Array.prototype.indexOf = function(item, i) {
 
 var notify = function(html, state) {
 	var n = $("notification");
-	n.style.display = "";
+	n.classList.remove("hidden");
 	$("notification_message").innerHTML = html;
 
 	// Change color
 	if (!state) { // Busy
-		$("spinner").style.display = "";
-		n.setAttribute("class", "");
+		$("spinner").classList.remove("hidden");
+		n.classList.remove("success");
+		n.classList.remove("fail");
 	}
 	else if (state == 1) { // Success
-		$("spinner").style.display = "none";
-		n.setAttribute("class", "success");
+		$("spinner").classList.add("hidden");
+		n.classList.add("success");
 	} else if (state == -1) {// Fail
-		$("spinner").style.display = "none";
-		n.setAttribute("class", "fail");
+		$("spinner").classList.add("hidden");
+		n.classList.add("fail");
 	}
 }
 
 var hideNotification = function() {
-	$("notification").style.display = "none";
+	$("notification").classList.add("hidden");
 }
 
 var bindCommitSelectionLinks = function(el) {

Resources/html/views/blame/index.html

@@ -1,5 +1,7 @@
 <html>
 	<head>
+		<meta charset="utf-8">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self';">
 		<script src="../../lib/GitX.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shCore.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shBrushObjC.js" type="text/javascript" charset="utf-8"></script>
@@ -11,4 +13,4 @@
 	<body>
 		<div id="txt">hola</pre>
 	</body>
-</html>
+</html>

Resources/html/views/commit/commit.js

@@ -112,8 +112,8 @@ var setSelectHandlers = function()
 			if (file.id = "selected")
 				file = file.parentNode;
 			var start = target;
-			var elem_class = start.getAttribute("class");
-			if(!elem_class || !(elem_class == "addline" | elem_class == "delline")) 
+			var elemClasses = start.classList;
+			if (!(elemClasses.contains("addline") || elemClasses.contains("delline")))
 				return false;
 			deselect();
 			var bounds = findsubhunk(start);
@@ -122,11 +122,11 @@ var setSelectHandlers = function()
 		};
 
 		file.onmousedown = function(event) {
-			if (event.which != 1) 
+			if (event.which != 1)
 				return false;
-			var elem_class = event.target.getAttribute("class")
+			var elemClasses = event.target.classList;
 			event.stopPropagation();
-			if (elem_class == "hunkheader" || elem_class == "hunkbutton")
+			if (elemClasses.contains("hunkheader") || elemClasses.contains("hunkbutton"))
 				return false;
 
 			var target = findParentElementByTag(event.target, "div");
@@ -202,11 +202,26 @@ var displayDiff = function(diff, cached)
 
 	for (i = 0; i < hunkHeaders.length; ++i) {
 		var header = hunkHeaders[i];
-		if (cached)
-			header.innerHTML = "<a href='#' class='hunkbutton' onclick='addHunk(this, true); return false'>Unstage</a>" + header.innerHTML;
+		if (cached) {
+			header.innerHTML = "<a href='#' class='hunkbutton unstage-button'>Unstage</a>" + header.innerHTML;
+			header.getElementsByClassName('unstage-button')[0].addEventListener("click", function(e) {
+				e.preventDefault();
+				addHunk(this, true);
+			});
+		}
 		else {
-			header.innerHTML = "<a href='#' class='hunkbutton' onclick='discardHunk(this, event); return false'>Discard</a>" + header.innerHTML;
-			header.innerHTML = "<a href='#' class='hunkbutton' onclick='addHunk(this, false); return false'>Stage</a>" + header.innerHTML;
+			header.innerHTML =
+				"<a href='#' class='hunkbutton add-hunk-button'>Stage</a>" +
+				"<a href='#' class='hunkbutton discard-hunk-button'>Discard</a>" +
+				header.innerHTML;
+			header.getElementsByClassName("add-hunk-button")[0].addEventListener("click", function(e) {
+				e.preventDefault();
+				addHunk(this, false);
+			});
+			header.getElementsByClassName("discard-hunk-button")[0].addEventListener("click", function(e) {
+				e.preventDefault();
+				discardHunk(this, event);
+			});
 		}
 	}
 	setSelectHandlers();
@@ -275,19 +290,19 @@ var discardHunk = function(hunk, event)
 
 /* Find all contiguous add/del lines. A quick way to select "just this
  * chunk". */
-var findsubhunk = function(start) { 
-        var findBound = function(direction) { 
+var findsubhunk = function(start) {
+	var findBound = function(direction) {
 		var element=start;
-                for (var next = element[direction]; next; next = next[direction]) { 
-                        var elem_class = next.getAttribute("class"); 
-                        if (elem_class == "hunkheader" || elem_class == "noopline") 
-                                break; 
+		for (var next = element[direction]; next; next = next[direction]) {
+			var elemClasses = next.classList;
+			if (elemClasses.contains("hunkheader") || elemClasses.contains("noopline"))
+				break;
 			element=next;
 		}
-		return element; 
-        }
-        return [findBound("previousSibling"), findBound("nextSibling")]; 
-} 
+		return element;
+	}
+	return [findBound("previousSibling"), findBound("nextSibling")];
+}
 
 /* Remove existing selection */
 var deselect = function() {
@@ -306,11 +321,10 @@ var stageLines = function(reverse) {
 	if(!selection) return false;
 	currentSelection = false;
 	var hunkHeader = false;
-	var preselect = 0,elem_class;
+	var preselect = 0;
 
 	for(var next = selection.previousSibling; next; next = next.previousSibling) {
-		elem_class = next.getAttribute("class");
-		if(elem_class == "hunkheader") {
+		if (next.classList.contains("hunkheader")) {
 			hunkHeader = next.lastChild.data;
 			break;
 		}
@@ -395,13 +409,13 @@ var computeSelection = function(list, from, to)
 			insel = true;
 		}
 
-		var elem_class = elem.getAttribute("class");
-		if(elem_class) {
-			if(elem_class == "hunkheader") {
+		var elemClasses = elem.classList;
+		if (elem.className) {
+			if (elemClasses.contains("hunkheader")) {
 				elem = last;
 				break; // Stay inside this hunk
 			}
-			if(!good && (elem_class == "addline" || elem_class == "delline"))
+			if (!good && (elemClasses.contains("addline") || elemClasses.contains("delline")))
 				good = true; // A good selection
 		}
 		if (elem == to) break;
@@ -489,10 +503,14 @@ var showSelection = function(file, from, to, trust)
 	buttons_div.appendChild(copy_button);
 
 	if (sel.good) {
-		button.setAttribute('onclick','stageLines('+
-				    (originalCached?'true':'false')+
-				    '); return false;');
-		copy_button.setAttribute('onclick','copy(); return false;');
+		button.addEventListener("click", function(e) {
+			e.preventDefault();
+			stageLines(originalCached);
+		});
+		copy_button.addEventListener("click", function(e) {
+			e.preventDefault();
+			copy();
+		});
 	} else {
 		button.setAttribute("class","disabled");
 		copy_button.setAttribute("class","disabled");

Resources/html/views/commit/index.html

@@ -1,5 +1,7 @@
 <html>
 <head>
+	<meta charset="utf-8">
+	<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self';">
 	<title>Diff for file</title>
 	<link rel="stylesheet" href="../../css/GitX.css" type="text/css" media="screen" title="no title" charset="utf-8">
 	<script src="../../lib/jquery-2.0.2.min.js" type="text/javascript" charset="utf-8"></script>
@@ -21,7 +23,7 @@ <h1 id='title'>
 
 	</h1>
 
-	<div id="notification" style="display:none">
+	<div id="notification" class="hidden">
 		<img src="../../images/spinner.gif" alt="Spinner" id="spinner"></img>
 		<div id="notification_message"></div>
 	</div>

Resources/html/views/commit/test.html

@@ -18,7 +18,7 @@ <h1 id="title">
 
 	</h1>
 
-	<div id="notification" style="display:none">
+	<div id="notification" class="hidden">
 		<img src="../../images/spinner.gif" alt="Spinner" id="spinner">
 		<div id="notification_message"></div>
 	</div>
@@ -93,4 +93,4 @@ <h1 id="title">
 96
 </div><div class="lines"><div index="0" class="hunkheader"><a href="#" class="hunkbutton" onclick="discardHunk(this, event); return false">Discard</a><a href="#" class="hunkbutton" onclick="addHunk(this, false); return false">Stage</a>@@ -12,6 +12,8 @@</div><div index="1" class="noopline"> </div><div index="2" class="noopline"> @implementation PBWebChangesController</div><div index="3" class="noopline"> </div><div index="4" class="addline">+@synthesize fileViewerController;</div><div index="5" class="addline">+</div><div index="6" class="noopline"> - (void) awakeFromNib</div><div index="7" class="noopline"> {</div><div index="8" class="noopline">     selectedFile = nil;</div><div index="9" class="hunkheader"><a href="#" class="hunkbutton" onclick="discardHunk(this, event); return false">Discard</a><a href="#" class="hunkbutton" onclick="addHunk(this, false); return false">Stage</a>@@ -72,8 +74,11 @@ -(IBAction)displayControlChanged:(id)sender{</div><div index="10" class="noopline"> </div><div index="11" class="noopline"> - (void) refresh</div><div index="12" class="noopline"> {</div><div index="13" class="delline">-    if (!finishedLoading)</div><div index="14" class="addline">+    [fileViewerController showFile:[selectedFile path] sha:nil];</div><div index="15" class="addline">+    /*if (!finishedLoading)</div><div index="16" class="noopline">         return;</div><div index="17" class="addline">+<span class="whitespace">    </span></div><div index="18" class="addline">+    [fileViewerController showFile:selectedFile sha:@""];</div><div index="19" class="noopline"> </div><div index="20" class="noopline">     id script = [view windowScriptObject];</div><div index="21" class="noopline">     </div><div index="22" class="hunkheader"><a href="#" class="hunkbutton" onclick="discardHunk(this, event); return false">Discard</a><a href="#" class="hunkbutton" onclick="addHunk(this, false); return false">Stage</a>@@ -85,7 +90,7 @@ - (void) refresh</div><div index="23" class="noopline">         [script callWebScriptMethod:@"showFileBlame"</div><div index="24" class="noopline">                       withArguments:[NSArray arrayWithObjects:selectedFile ?: (id)[NSNull null],</div><div index="25" class="noopline">                                      [NSNumber numberWithBool:selectedFileIsCached], nil]];</div><div index="26" class="delline">-    }</div><div index="27" class="addline">+    }*/</div><div index="28" class="noopline"> }</div><div index="29" class="noopline"> </div><div index="30" class="noopline"> - (void)stageHunk:(NSString *)hunk reverse:(BOOL)reverse</div></div></div></div></div>
 
-</body></html>
+</body></html>

Resources/html/views/diff/diffWindow.js

@@ -1,7 +1,11 @@
 // for diffs shown in the PBDiffWindow
 
+var showDiff = function(diff) {
+	highlightDiff(diff, $("diff"));
+};
+
 var setMessage = function(message) {
-	$("message").style.display = "";
+	$("message").classList.remove("hidden");
 	$("message").textContent = message;
 	$("diff").style.display = "none";
 };

Resources/html/views/diff/index.html

@@ -1,5 +1,7 @@
 <html>
 <head>
+	<meta charset="utf-8">
+	<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self';">
 	<title>Details for commit</title>
 	<link rel="stylesheet" href="../../css/GitX.css" type="text/css" media="screen" title="no title" charset="utf-8">
 	<script src="../../lib/jquery-2.0.2.min.js" type="text/javascript" charset="utf-8"></script>
@@ -10,16 +12,10 @@
 
 	<link rel="stylesheet" href="diffWindow.css" type="text/css" media="screen" title="no title" charset="utf-8">
 	<script src="diffWindow.js" type="text/javascript" charset="utf-8"></script>
-
-	<script type="text/javascript" charset="utf-8">
-		var showDiff = function(diff) {
-			highlightDiff(diff, $("diff"));
-		}
-	</script>
 </head>
 
 <body>
-	<div id="message" style="display:none">
+	<div id="message" class="hidden">
 		There are no differences
 	</div>
 	<div id='diff'></div>

Resources/html/views/fileview/index.html

@@ -1,5 +1,8 @@
+<!DOCTYPE html>
 <html>
 	<head>
+		<meta charset="utf-8">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self';">
 		<script src="../../lib/GitX.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shCore.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shAutoloader.js" type="text/javascript" charset="utf-8"></script>
@@ -38,4 +41,4 @@
 	<body>
 		<div id="source"></div>
 	</body>
-</html> 
+</html>

Resources/html/views/fileview/index_test.html

@@ -1,5 +1,8 @@
+<!DOCTYPE html>
 <html>
 	<head>
+		<meta charset="utf-8">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self';">
 		<script src="../../lib/GitX.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shCore.js" type="text/javascript" charset="utf-8"></script>
 		<script src="../../lib/syntaxhighlighter/scripts/shBrushObjC.js" type="text/javascript" charset="utf-8"></script>
@@ -45,4 +48,4 @@
 
 		</div>
 	</body>
-</html> 
+</html>