changeset 37829:2ead51dcde71 stable
paper: don't register click handlers with inline javascript (issue5812)
The use of inline href="javascript:" undermines CSP policies that
don't allow inline javascript.
This commit changes the registering of the diffstat and line wrapping
toggle handlers to the global DOMContentLoaded handler, thus
eliminating all inline javascript from the paper template.
Differential Revision: https://phab.mercurial-scm.org/D3437
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Wed, 02 May 2018 19:16:01 -0700 |
parents | 3e3acf5d6a07 |
children | 82ae4f471254 |
files | mercurial/templates/paper/changeset.tmpl mercurial/templates/paper/filediff.tmpl mercurial/templates/paper/filerevision.tmpl mercurial/templates/static/mercurial.js tests/test-hgweb-commands.t tests/test-hgweb-diffs.t tests/test-hgweb-removed.t tests/test-highlight.t |
diffstat | 8 files changed, 45 insertions(+), 23 deletions(-) [+] |
--- a/mercurial/templates/paper/changeset.tmpl Mon Apr 30 17:28:59 2018 -0700
+++ b/mercurial/templates/paper/changeset.tmpl Wed May 02 19:16:01 2018 -0700
@@ -73,9 +73,9 @@
 <th class="diffstat">diffstat</th>
 <td class="diffstat">
 {diffsummary}
- <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
+ <a id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</a>
 <div id="diffstatdetails" style="display:none;">
- <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
+ <a class="diffstattoggle">[<tt>-</tt>]</a>
 <table class="diffstat-table stripes2">{diffstat}</table>
 </div>
 </td>
@@ -83,7 +83,7 @@
 </table>
 <div class="overflow">
-<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 {diff}
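Review bot: Dropping `href` from the toggle anchors here (`diffstatexpand`, the `[-]` link, and `linewraplink` in the second hunk) takes them out of the tab order and removes their link semantics, so the toggles become mouse-only; the same applies to the `linewraplink` change in filediff.tmpl and filerevision.tmpl. A CSP-compatible form that stays keyboard-operable is a native button, e.g. `<button type="button" id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</button>`, which fires the same click listener on Enter and Space. Separately, the unchanged `style="display:none;"` on `diffstatdetails` is still an inline style attribute, so a policy that also restricts `style-src` would block it; that is outside what the commit message claims, but worth a follow-up.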
--- a/mercurial/templates/paper/filediff.tmpl Mon Apr 30 17:28:59 2018 -0700
+++ b/mercurial/templates/paper/filediff.tmpl Wed May 02 19:16:01 2018 -0700
@@ -65,7 +65,7 @@
 </table>
 <div class="overflow">
-<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 {diff}
--- a/mercurial/templates/paper/filerevision.tmpl Mon Apr 30 17:28:59 2018 -0700
+++ b/mercurial/templates/paper/filerevision.tmpl Wed May 02 19:16:01 2018 -0700
@@ -65,7 +65,7 @@
 </table>
 <div class="overflow">
-<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+<div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line source</div>
 <pre class="sourcelines stripes4 wrap bottomline"
 data-logurl="{url|urlescape}log/{symrev}/{file|urlescape}"
--- a/mercurial/templates/static/mercurial.js Mon Apr 30 17:28:59 2018 -0700
+++ b/mercurial/templates/static/mercurial.js Wed May 02 19:16:01 2018 -0700
@@ -551,6 +551,28 @@
 form.style.display = 'block';
 }
+function addDiffStatToggle() {
+ var els = document.getElementsByClassName("diffstattoggle");
+
+ for (var i = 0; i < els.length; i++) {
+ els[i].addEventListener("click", toggleDiffstat, false);
+ }
+}
+
+function addLineWrapToggle() {
+ var els = document.getElementsByClassName("linewraptoggle");
+
+ for (var i = 0; i < els.length; i++) {
+ var nodes = els[i].getElementsByClassName("linewraplink");
+
+ for (var j = 0; j < nodes.length; j++) {
+ nodes[j].addEventListener("click", toggleLinewrap, false);
+ }
+ }
+}
+
 document.addEventListener('DOMContentLoaded', function() {
 process_dates();
+ addDiffStatToggle();
+ addLineWrapToggle();
 }, false);
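Review bot: `toggleDiffstat` and `toggleLinewrap` are now passed directly as listeners in `addDiffStatToggle()` and `addLineWrapToggle()`, so they receive the click `Event` as their first argument, whereas the old `javascript:` URLs called them with none. Their definitions are outside this hunk; if either accepts an optional parameter, wrap the call, e.g. `els[i].addEventListener("click", function () { toggleDiffstat(); }, false);`. The two new functions also carry no comment; something like `// Bind the diffstat toggle here instead of an inline javascript: href so the page works under a CSP that forbids inline script.` above `addDiffStatToggle` would record why the binding lives in the DOMContentLoaded handler.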
--- a/tests/test-hgweb-commands.t Mon Apr 30 17:28:59 2018 -0700
+++ b/tests/test-hgweb-commands.t Wed May 02 19:16:01 2018 -0700
@@ -916,9 +916,9 @@
 <td class="diffstat">
 2 files changed, 2 insertions(+), 0 deletions(-)
- <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
+ <a id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</a>
 <div id="diffstatdetails" style="display:none;">
- <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
+ <a class="diffstattoggle">[<tt>-</tt>]</a>
 <table class="diffstat-table stripes2">
 <tr>
 <td class="diffstat-file"><a href="#l1.1">da/foo</a></td>
 <td class="diffstat-total" align="right">1</td>
@@ -942,7 +942,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
@@ -1342,7 +1342,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line source</div>
 <pre class="sourcelines stripes4 wrap bottomline"
 data-logurl="/log/1/foo"
@@ -1476,7 +1476,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line source</div>
 <pre class="sourcelines stripes4 wrap bottomline"
 data-logurl="/log/2/foo"
--- a/tests/test-hgweb-diffs.t Mon Apr 30 17:28:59 2018 -0700
+++ b/tests/test-hgweb-diffs.t Wed May 02 19:16:01 2018 -0700
@@ -122,9 +122,9 @@
 <td class="diffstat">
 2 files changed, 2 insertions(+), 0 deletions(-)
- <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
+ <a id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</a>
 <div id="diffstatdetails" style="display:none;">
- <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
+ <a class="diffstattoggle">[<tt>-</tt>]</a>
 <table class="diffstat-table stripes2">
 <tr>
 <td class="diffstat-file"><a href="#l1.1">a</a></td>
 <td class="diffstat-total" align="right">1</td>
@@ -148,7 +148,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
@@ -289,7 +289,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
@@ -419,9 +419,9 @@
 <td class="diffstat">
 2 files changed, 2 insertions(+), 0 deletions(-)
- <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
+ <a id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</a>
 <div id="diffstatdetails" style="display:none;">
- <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
+ <a class="diffstattoggle">[<tt>-</tt>]</a>
 <table class="diffstat-table stripes2">
 <tr>
 <td class="diffstat-file"><a href="#l1.1">a</a></td>
 <td class="diffstat-total" align="right">1</td>
@@ -445,7 +445,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
@@ -590,7 +590,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
--- a/tests/test-hgweb-removed.t Mon Apr 30 17:28:59 2018 -0700
+++ b/tests/test-hgweb-removed.t Wed May 02 19:16:01 2018 -0700
@@ -103,9 +103,9 @@
 <td class="diffstat">
 1 files changed, 0 insertions(+), 1 deletions(-)
- <a id="diffstatexpand" href="javascript:toggleDiffstat()">[<tt>+</tt>]</a>
+ <a id="diffstatexpand" class="diffstattoggle">[<tt>+</tt>]</a>
 <div id="diffstatdetails" style="display:none;">
- <a href="javascript:toggleDiffstat()">[<tt>-</tt>]</a>
+ <a class="diffstattoggle">[<tt>-</tt>]</a>
 <table class="diffstat-table stripes2">
 <tr>
 <td class="diffstat-file"><a href="#l1.1">a</a></td>
 <td class="diffstat-total" align="right">1</td>
@@ -121,7 +121,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
@@ -225,7 +225,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line diff</div>
 <div class="stripes2 diffblocks">
 <div class="bottomline inc-lineno"><pre class="sourcelines wrap">
--- a/tests/test-highlight.t Mon Apr 30 17:28:59 2018 -0700
+++ b/tests/test-highlight.t Wed May 02 19:16:01 2018 -0700
@@ -146,7 +146,7 @@
 </table>
 <div class="overflow">
- <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink" href="javascript:toggleLinewrap()">on</a></div>
+ <div class="sourcefirst linewraptoggle">line wrap: <a class="linewraplink">on</a></div>
 <div class="sourcefirst"> line source</div>
 <pre class="sourcelines stripes4 wrap bottomline"
 data-logurl="/log/tip/primes.py"