fix: no inline scripts

sstrigler · sstrigler · commit d6eb7f707237 · 2026-03-01T16:27:33.000+01:00
diff --git a/priv/mod_invites/base.html b/priv/mod_invites/base.html
@@ -24,7 +24,7 @@ <h1 class="modal-title h5">{% trans "Scan invite code" %}</h1>
             <p>{% trans "You can transfer this invite to your mobile device by scanning a code with your camera." %}</p>
             <div id="qr-info-url" class="tab-pane show active">
               <p>{% trans "Use a <em>QR code</em> scanner on your mobile device to scan the code below:" %}</p>
-              <div id="qr-invite-page" style="width: 256px;" class="bg-light mx-auto"></div>
+              <div id="qr-invite-page" class="bg-light mx-auto"></div>
             </div>
           </div>
           <div class="modal-footer">
@@ -38,5 +38,4 @@ <h1 class="modal-title h5">{% trans "Scan invite code" %}</h1>
 {% block extra_scripts %}
     <script src="{{ static }}/qrcode.min.js" integrity="sha384-XfbBihCQqSDyejklP5yun2CbVxqR+2eNfx0Fhx5pQAfN5ypWGhSBjXaXr5g6X4DE"></script>
     <script src="{{ static }}/platform.min.js" integrity="sha384-nziKWRrD67nso9WErLVLhgT7AobHh6aYfNgqgINmJrtZ92V9aNTaOpvDFkcneToL"></script>
-    <script src="{{ static }}/invite.js" integrity="sha384-Gbay/kHKBWDl+ujPP2IvgkW1k0EEtCABOs5sZbovcjLyHZm0lumFMOIdTsWRxBLy"></script>
 {% endblock %}
diff --git a/priv/mod_invites/base_min.html b/priv/mod_invites/base_min.html
@@ -13,28 +13,7 @@
     <!-- <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5"> -->
     <meta name="msapplication-TileColor" content="#fbd308">
     <meta name="theme-color" content="#fbd308">
-    <style>
-        #other-software a {
-            text-decoration: underline;
-            color: #0072ed;
-        }
-        a#show-all-clients-button {
-            text-decoration: underline;
-        }
-        .btn-primary {
-            background-color: #0072ed;
-        }
-        .badge-success {
-            background-color: #0a8927;
-        }
-        .alert-info, .alert-info a, .btn-info {
-            background-color: #008297;
-            color: white;
-        }
-        .border-info {
-            border-color: #008297 !important;
-        }
-    </style>
+    <link rel="stylesheet" href="{{ static }}/invite.css" integrity="sha384-hN1sIlm8uxqtq9Q4lhN1KW+O4HHk7Iwu+8ZT5QOZ4NU65xAXc99wTMJQ729MgOBJ">
   </head>
   <body>
     <div id="background" class="fixed-top overflow-hidden"></div>
@@ -51,5 +30,6 @@ <h1 class="card-header">{%block h1 %}{% blocktrans %}Invite to {{ site_name }}{%
     {% block extra_scripts %}{% endblock %}
     <script src="{{ static }}/jquery/jquery.min.js" integrity="sha384-fgGyf7Mo7DURSOMnOy7ed+dkq5Job205Gnzu6QIg0BOHKaqt4D76Dt8VlDCzcMHV"></script>
     <script src="{{ static }}/bootstrap/js/bootstrap.min.js" integrity="sha384-G/EV+4j2dNv+tEPo3++6LCgdCROaejBqfUeNjuKAiuXbjrxilcCdDz6ZAVfHWe1Y"></script>
+    <script src="{{ static }}/invite.js" integrity="sha384-9bnOkvcVOIB80uiyxcvD716620R5Ry6+Xw48IrjCIXL6dMhbHv5v35tawQ4YfV+6"></script>
   </body>
 </html>
diff --git a/priv/mod_invites/client.html b/priv/mod_invites/client.html
@@ -28,15 +28,15 @@ <h3 class="card-title text-nowrap mb-1 h5">{{ app.name }}</h3>
             </div>
         </div>
 
-        <h2 style="clear:both" class="h3">{% blocktrans with app_name=app.name %}Step 1: Install {{ app_name }}{% endblocktrans %}</h2>
+        <h2 class="h3 clear-both">{% blocktrans with app_name=app.name %}Step 1: Install {{ app_name }}{% endblocktrans %}</h2>
 
         <p>{% if app.download.text %}{{ app.download.text }}{% else %}{% blocktrans with app_name=app.name %}Download and install {{ app_name }} below:{% endblocktrans %}{% endif %}</p>
 
         <div class="ms-5">
             {% for button in app.download.buttons %}
             {% if button.image %}
             <a href="{% if button.magic_link %}{{ button.magic_link }}{% else %}{{ button.url }}{% endif %}" {% if button.target %}target="{{ button.target }}"{% endif %} rel="noopener">
-                <img src="{{ button.image }}" {% if button.alttext %}alt="{{ button.alttext }}"{% endif %} style="max-width: 160px;">
+                <img src="{{ button.image }}" {% if button.alttext %}alt="{{ button.alttext }}"{% endif %} class="invite-download-button">
             </a>
             {% endif %}
             {% if button.text %}
@@ -68,9 +68,3 @@ <h2 class="h3">{% trans "Step 2: Activate your account" %}</h2>
         </nav>
 
 {% endblock %}
-
-{% block extra_scripts %}
-<script src="{{ static }}/qrcode.min.js"></script>
-<script src="{{ static }}/platform.min.js"></script>
-<script src="{{ static }}/invite.js"></script>
-{% endblock %}
diff --git a/priv/mod_invites/invite.html b/priv/mod_invites/invite.html
@@ -6,7 +6,7 @@
         {% else %}
             {% blocktrans %}You have been invited to chat on <strong>{{ site_name }}</strong>, part of the XMPP secure and decentralized messaging network.{% endblocktrans %}
         {% endif %}</p>
-        <h2 class="card-title h5" style="clear:both">{% trans "Get started" %}</h2>
+        <h2 class="card-title h5 clear-both">{% trans "Get started" %}</h2>
         <p>{% trans "To get started, you need to install an app for your platform:" %}</p>
 
 {% include "apps.html" %}
diff --git a/priv/mod_invites/register.html b/priv/mod_invites/register.html
@@ -71,24 +71,3 @@ <h2 class="card-title h5">{% trans "Create an account" %}</h2>
             </ul>
         </nav>
 {% endblock %}
-{% block extra_scripts %}
-    <script>
-        (function() {
-            'use strict';
-            window.addEventListener('load', function() {
-                // Fetch all the forms we want to apply custom Bootstrap validation styles to
-                var forms = document.getElementsByClassName('needs-validation');
-                // Loop over them and prevent submission
-                var validation = Array.prototype.filter.call(forms, function(form) {
-                    form.addEventListener('submit', function(event) {
-                        if (form.checkValidity() === false) {
-                            event.preventDefault();
-                            event.stopPropagation();
-                        }
-                        form.classList.add('was-validated');
-                    }, false);
-                });
-            }, false);
-        })();
-    </script>
-{% endblock %}
diff --git a/priv/mod_invites/register_success.html b/priv/mod_invites/register_success.html
@@ -2,24 +2,6 @@
 {% block form_class %}container col-md-8 col-md-offset-2 col-sm-8 cold-sm-offset-2 col-lg-6 col-lg-offset-3 mt-2 mt-md-5{% endblock %}
 {% block title %}{{site_name}}{% endblock %}
 {% block h1 %}{{site_name}}{% endblock %}
-{% block extra_scripts %}
-    <script>
-    function toggle_password(e) {
-      var button = e.target;
-      var input = button.parentNode.parentNode.querySelector("input");
-      switch(input.attributes.type.value) {
-        case "password":
-          input.attributes.type.value = "text";
-          button.innerText = "{% trans "Hide" %}";
-          break;
-        case "text":
-          input.attributes.type.value = "password";
-          button.innerText = "{% trans "Show" %}";
-          break;
-      }
-    }
-    </script>
-{% endblock %}
 {% block content %}
         <h2 class="card-title h5">{% trans "Congratulations!" %}</h2>
 
@@ -87,7 +69,8 @@ <h2 class="h5">{% blocktrans with app_name=app.name %}Step 2: Connect {{ app_nam
                     <div class="input-group">
                         <input type="password" readonly disabled aria-label="{% trans "Password" %}" class="form-control" value="{{ password }}">
                         <div class="input-group-append">
-                            <button class="btn btn-outline-secondary rounded-start-0" type="button" onclick="toggle_password(event)">{% trans "Show" %}</button>
+                            <button id="toggle-pw-button" class="btn btn-outline-secondary rounded-start-0" type="button"
+                                data-text-show="{% trans "Show" %}" data-text-hide="{% trans "Hide" %}">{% trans "Show" %}</button>
                         </div>
                     </div>
                 </div>
diff --git a/priv/mod_invites/roster.html b/priv/mod_invites/roster.html
@@ -10,7 +10,7 @@
                 <a href="{{ invite.uri }}" class="btn btn-primary my-3 mb-3">{% blocktrans with inviter=invite.inviter|user %}Add {{ inviter }} to your contact list{% endblocktrans %}</a><br/>
             </div>
         </div>
-        <h2 class="h6">{% trans "If you don't have an XMPP client installed yet, here's a list of suitable clients for your platform." %}</h2>
+        <h2 class="h6 clear-both">{% trans "If you don't have an XMPP client installed yet, here's a list of suitable clients for your platform." %}</h2>
 
 {% include "apps.html" %}
 
diff --git a/priv/mod_invites/static/invite.js b/priv/mod_invites/static/invite.js
@@ -78,14 +78,53 @@
 				}
 			}
 			const show_all_clients_button_container = document.getElementById('show-all-clients-button-container');
-			show_all_clients_button_container.querySelector('.platform-name').innerHTML = platform_friendly;
-			show_all_clients_button_container.classList.remove("d-none");
-			document.getElementById('show-all-clients-button').addEventListener('click', function (e) {
-				for (let card of client_cards)
-					card.hidden = false;
-				show_all_clients_button_container.hidden = true;
-				e.preventDefault();
-			});
+			if (show_all_clients_button_container) {
+				show_all_clients_button_container.querySelector('.platform-name').innerHTML = platform_friendly;
+				show_all_clients_button_container.classList.remove("d-none");
+				document.getElementById('show-all-clients-button').addEventListener('click', function (e) {
+					for (let card of client_cards)
+						card.hidden = false;
+					show_all_clients_button_container.hidden = true;
+					e.preventDefault();
+				});
+			}
 		}
 	}
+	const toggle_pw_button = document.getElementById('toggle-pw-button');
+	if (toggle_pw_button)
+		toggle_pw_button.addEventListener('click', toggle_password);
+
+})();
+
+function toggle_password(e) {
+	var button = e.target;
+	var input = button.parentNode.parentNode.querySelector("input");
+	switch(input.attributes.type.value) {
+	case "password":
+		input.attributes.type.value = "text";
+		button.innerText = button.getAttribute('data-text-hide');
+		break;
+	case "text":
+		input.attributes.type.value = "password";
+		button.innerText = button.getAttribute('data-text-show');
+		break;
+	}
+}
+
+(function() {
+	'use strict';
+	window.addEventListener('load', function() {
+		// Fetch all the forms we want to apply custom Bootstrap validation styles to
+		var forms = document.getElementsByClassName('needs-validation');
+		// Loop over them and prevent submission
+		var validation = Array.prototype.filter.call(forms, function(form) {
+			form.addEventListener('submit', function(event) {
+				if (form.checkValidity() === false) {
+					event.preventDefault();
+					event.stopPropagation();
+				}
+				form.classList.add('was-validated');
+			}, false);
+		});
+	}, false);
 })();
diff --git a/src/mod_invites_http.erl b/src/mod_invites_http.erl
@@ -483,6 +483,6 @@ binary_join(List, Sep) ->
 
 security_headers() ->
     [{<<"Content-Security-Policy">>,
-      <<"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'">>},
+      <<"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'">>},
      {<<"X-Content-Type-Options">>, <<"nosniff">>},
      {<<"Referrer-Policy">>, <<"no-referrer">>}].
