Bug 1439797 - Enable reporting-only CSP by default

author Dylan William Hardison <dylan@hardison.net>

Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)

committer GitHub <noreply@github.com>

Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)
author Dylan William Hardison <dylan@hardison.net>
Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)
committer GitHub <noreply@github.com>
Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index 35d6dd687fd58b4753eb96bac206bab272dad986..513d8c30211f941db018966ae55d98664c1c890b 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -34,8 +34,9 @@ BEGIN {
  sub DEFAULT_CSP {
      my %policy = (
          default_src => [ 'self' ],
-        script_src  => [ 'self', 'unsafe-inline', 'unsafe-eval', 'https://www.google-analytics.com' ],
-        child_src   => [ 'self', ],
+        script_src  => [ 'self', 'nonce', 'unsafe-inline', 'https://www.google-analytics.com' ],
+        frame_src   => [ 'none', ],
+        worker_src  => [ 'none', ],
          img_src     => [ 'self', 'https://secure.gravatar.com', 'https://www.google-analytics.com' ],
          style_src   => [ 'self', 'unsafe-inline' ],
          object_src  => [ 'none' ],
@@ -45,7 +46,7 @@ sub DEFAULT_CSP {
              'https://www.google.com/search'
          ],
          frame_ancestors => [ 'none' ],
-        disable         => 1,
+        report_only     => 1,
      );
      if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
          push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
@@ -68,11 +69,8 @@ sub SHOW_BUG_MODAL_CSP {
              # This is from extensions/OrangeFactor/web/js/orange_factor.js
              'https://brasstacks.mozilla.com/orangefactor/api/count',
          ],
-        child_src   => [
-            'self',
-            # This is for the socorro lens addon and is to be removed by Bug 1332016
-            'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
-        ],
+        frame_src   => [ 'none', ],
+        worker_src  => [ 'none', ],
      );
      if (use_attachbase() && $bug_id) {
          my $attach_base = Bugzilla->localconfig->{'attachment_base'};
@@ -194,7 +192,7 @@ sub content_security_policy {
          require Bugzilla::CGI::ContentSecurityPolicy;
          if (%add_params || !$self->{Bugzilla_csp}) {
              my %params = DEFAULT_CSP;
-            delete $params{disable} if %add_params && !$add_params{disable};
+            delete $params{report_only} if %add_params && !$add_params{report_only};
              foreach my $key (keys %add_params) {
                  if (defined $add_params{$key}) {
                      $params{$key} = $add_params{$key};
diff --git a/Bugzilla/CGI/ContentSecurityPolicy.pm b/Bugzilla/CGI/ContentSecurityPolicy.pm

index 88f2732bc3f7f8fb1264250378925b27eb518921..50a399cdc1b7827323c5e4d99d780e1271ee8906 100644 (file)
--- a/Bugzilla/CGI/ContentSecurityPolicy.pm
+++ b/Bugzilla/CGI/ContentSecurityPolicy.pm
@@ -34,10 +34,10 @@ my $REFERRER_KEYWORD = enum [qw(
  
  my @ALL_BOOL = qw( sandbox upgrade_insecure_requests );
  my @ALL_SRC = qw(
-    default_src child_src  connect_src
+    default_src worker_src  connect_src
      font_src    img_src    media_src
      object_src  script_src style_src
-    frame_ancestors form_action
+    frame_src frame_ancestors form_action
  );
  
  has \@ALL_SRC     => ( is => 'ro', isa => $SOURCE_LIST, predicate => 1 );
diff --git a/chart.cgi b/chart.cgi

index 26f21c389b283f92a6fce113b6a06fe5ff10c76c..36357cb3c10d9af3ebf8a1d85601cb0027c011d3 100755 (executable)
--- a/chart.cgi
+++ b/chart.cgi
@@ -51,6 +51,7 @@ local our $cgi = Bugzilla->cgi;
  local our $template = Bugzilla->template;
  local our $vars = {};
  my $dbh = Bugzilla->dbh;
+$cgi->content_security_policy(report_only => 0);
  
  my $user = Bugzilla->login(LOGIN_REQUIRED);
  
diff --git a/extensions/BMO/template/en/default/account/create.html.tmpl b/extensions/BMO/template/en/default/account/create.html.tmpl

index d293031049f95b936b82c6ada9e4bf63ed584221..10d5fb5c174c9b394f0eb989d4c461d0b73dbca0 100644 (file)
--- a/extensions/BMO/template/en/default/account/create.html.tmpl
+++ b/extensions/BMO/template/en/default/account/create.html.tmpl
@@ -38,7 +38,7 @@
     style_urls = [ 'extensions/BMO/web/styles/create_account.css' ]
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  function onSubmit() {
    var email = document.getElementById('login').value;
    var agreed = document.getElementById('etiquette').checked;
diff --git a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl

index a29f1f4f209c8b1d8512daf53052bb528d94cdd3..d1ed4b4b54aa4808811bdaecb5a730fbeeb7a900 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl
@@ -182,7 +182,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_prototype_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('prototype_date')
      </script>
    </div>
@@ -200,7 +200,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_production_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('production_date')
      </script>
    </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl

index 13620d1c4fc90f9cde3781b4c08110be2c5a72aa..eac24e53ecc4bd938816210445fb74e9d27ea5ee 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl
@@ -209,7 +209,7 @@ function toggleTypeOther(element) {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_launch_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('launch_date')
    </script>
  </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl

index 942b37afaccbadce5c32565ca25a450f36fc3d56..d97d95b2a636a77678a95c452880fc9d432757b3 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl
@@ -139,7 +139,7 @@ function validateAndSubmit() {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_cf_due_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('cf_due_date')
    </script>
  </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl

index ab03523ae6890ffef3ef45cae2eb9fad7ffa50d9..8414770997c07a9ae07129979dbd68062c236a02 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl
@@ -16,7 +16,7 @@
     style = ".mandatory{color:red;font-size:80%;}"
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
      function trySubmit() {
          var alert_text = "";
diff --git a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl

index 2d590fcfc14db8c5a009ca9384682870f76b13ba..d2b1c1f08d5f4872ba21317343513188082f73f2 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl
@@ -327,7 +327,7 @@ function validate_form() {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_start_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('start_date')
    </script>
  </div>
@@ -341,7 +341,7 @@ function validate_form() {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_announce_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('announce_date')
    </script>
  </div>
@@ -355,7 +355,7 @@ function validate_form() {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_cf_due_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('cf_due_date')
    </script>
  </div>
diff --git a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl

index 859d77194c09d4a921a716fec1898de1fa71c141..28b8045f61dfe42035ca43ab82c2738977bc9352 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl
@@ -810,7 +810,7 @@ function showGear() {
    We do this to help protect the personal identifying information in this [% terms.bugs %].
  </p>
  
-<script>
+<script [% script_nonce FILTER none %]>
    initFields();
    onPurposeChange();
    onAddGearChange();
diff --git a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl

index 7df6247000760580e0385634399cc0944e4e430a..64af64a6b955a1390bafd7512ed59a2ed74e705b 100644 (file)
--- a/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl
+++ b/extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl
@@ -166,7 +166,7 @@ function toggleGoalOther() {
      <span>Calendar</span>
    </button>
    <div id="con_calendar_timing_date"></div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      createCalendar('timing_date')
    </script>
  </div>
diff --git a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl

index 5486684f1b58c18b8b181ae4b752fe51ba0805ff..632ccb1e65eae0794169bbb44fa94184c90a8436 100644 (file)
--- a/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
@@ -30,7 +30,7 @@
      <span id="security_group_warning" style="color:red; display:none;">
        This security group needs to be set to SHOWN/SHOWN
      </span>
-    <script>
+    <script [% script_nonce FILTER none %]>
        var toggleGroupWarning = function() {
          var correct_shown = $('#security_group_id option:selected').data('group-correct-visibility');
          if ($('#security_group_id').val() === '' || correct_shown) {
diff --git a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl

index c66a02371985f56e3d9f8f332e3e862c265d75e9..e28a142ae8273f28d6be1e66a023e955ca2f8bf2 100644 (file)
--- a/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl
@@ -35,7 +35,7 @@
      [% attachment_data FILTER html %]
    </pre>
    [% IF user.id %]
-    <script>
+    <script [% script_nonce FILTER none %]>
      <!--
        var patchviewerinstalled = 0;
        document.write('<button type="button" id="editButton" onclick="editAsComment(patchviewerinstalled);">Edit Attachment As Comment<\/button>');
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl

index 3c47ca199c7cc7a7ec138246baa245af57e354a1..d6dec42b98c0222d63541dd410d02e0f54a82206 100644 (file)
--- a/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl
@@ -10,7 +10,7 @@
        && (comment.author.login_name == 'tbplbot@gmail.com' || comment.author.login_name == 'orangefactor@bots.tld')
  %]
    [% has_tbpl_comment = 1 %]
-  <script>
+  <script [% script_nonce FILTER none %]>
      var id = [% count FILTER none %];
      tbpl_comment_ids.push(id);
      collapse_comment(
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl

index 65bf77967cfed80c2b2c74d261a49ace33507ced..aa76de122289b2ec13330a4850b36e685bfd41ac 100644 (file)
--- a/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl
@@ -11,7 +11,7 @@
    [% collapse_caption = 'Collapse TinderboxPushlog Comments' %]
    [% show_caption     = 'Show TinderboxPushlog Comments' %]
    [% hide_caption     = 'Hide TinderboxPushlog Comments' %]
-  <script>
+  <script [% script_nonce FILTER none %]>
      YAHOO.util.Event.onDOMReady(function () {
          var ul = document.getElementsByClassName('bz_collapse_expand_comments');
          if (ul.length == 0)
diff --git a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl

index 135e1cd9528d81de2f9848e4e1d1cc5d86bc6b1e..f490ad826b6d8fcbbf4a561a77941e9d5c73c7d7 100644 (file)
--- a/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl
@@ -10,6 +10,6 @@
  
  [%# Needed for collapsing TinderboxPushlog comments %]
  [% has_tbpl_comment = 0 %]
-<script>
+<script [% script_nonce FILTER none %]>
    var tbpl_comment_ids = new Array();
  </script>
diff --git a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl

index 6e15e50d31a93e54d1df9db209b6f8fb00c97ddb..1dec71b8dfeccd3be46933fa617368f589068602 100644 (file)
--- a/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl
@@ -7,7 +7,7 @@
    #%]
  
  [%# Display product and component descriptions after their respective fields %]
-<script>
+<script [% script_nonce FILTER none %]>
    var Event = YAHOO.util.Event;
    var Dom = YAHOO.util.Dom;
    Event.onDOMReady(function() {
diff --git a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl

index 31669f47fa05282e78fcb529e9d1cac0269bcb2a..87b51c9240a9173e1cfdbd439a36af3f322dbc21 100644 (file)
--- a/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl
+++ b/extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl
@@ -45,7 +45,7 @@
              id = field.name name = field.name minrows = 4 maxrows = 8
              cols = 60 defaultcontent = value %]
        </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
          hideEditableField('[% field.name FILTER js %]_edit_container',
                            '[% field.name FILTER js %]_input',
                            '[% field.name FILTER js %]_edit_action',
diff --git a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl

index a538e934725eaf62ee5e4109aeccdfe1dd92e0e5..faf32aa3686aa3718909e03e9db4d208be84e0dc 100644 (file)
--- a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
@@ -162,7 +162,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_reported_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('reported_date')
      </script>
    </div>
@@ -177,7 +177,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_fixed_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('fixed_date')
      </script>
    </div>
@@ -192,7 +192,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_awarded_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('awarded_date')
      </script>
    </div>
diff --git a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl

index 79587205c10d5877a4ad261462c3871e83e6bbb1..8ee3d0d593e1d111b18c4c1e493d63d7c9e5517d 100644 (file)
--- a/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl
@@ -18,7 +18,7 @@
  <h1>JavaScript is required to use this report.</h1>
  </noscript>
  
-<script>
+<script [% script_nonce FILTER none %]>
  var flags_data = $.parseJSON("[% flags_json FILTER js %]");
  var products_data = $.parseJSON("[% products_json FILTER js %]");
  var fields_data = $.parseJSON("[% fields_json FILTER js %]");
diff --git a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl

index 05efefca5dc95283a4261f2c8613881c1d2562bd..13904f61b77b9933b9746eb37125fcd5cd6f5f78 100644 (file)
--- a/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/triage_reports.html.tmpl
@@ -137,7 +137,7 @@ Show UNCONFIRMED [% terms.bugs %] with:
  </table>
  
  </form>
-<script>
+<script [% script_nonce FILTER none %]>
    createCalendar('last_is');
  </script>
  
diff --git a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl

index 33aa27e3d7fed5f493cbb9a8fa6e81db8f60ec5c..075c8edf9161231ed4ae07cc0067bbd0be244ac5 100644 (file)
--- a/extensions/BMO/template/en/default/pages/user_activity.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/user_activity.html.tmpl
@@ -83,7 +83,7 @@
  [% END %]
  </form>
  
-<script>
+<script [% script_nonce FILTER none %]>
    createCalendar('from');
    createCalendar('to');
  </script>
diff --git a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl

index 32cb55ea15926ef1da70d2191037520b22c963c4..bb1381c46e91eb95f25ddd6e6396fb89f0efb644 100644 (file)
--- a/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl
+++ b/extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl
@@ -14,7 +14,7 @@
  [% SET selectable_products = user.get_selectable_products %]
  [% SET dont_show_button = 1 %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  var useclassification = false;
  var first_load = true;
  var last_sel = [];
diff --git a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl

index b70a46b35de537e4c44ca536421cf8239865ced6..2a2ab6bc5cf2989d1042d1c4c889c0c0aae86c95 100644 (file)
--- a/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl
+++ b/extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl
@@ -23,7 +23,7 @@
  }
  </style>
  
-<script>
+<script [% script_nonce FILTER none %]>
  var Dom = YAHOO.util.Dom;
  var useclassification = false;
  var first_load = true;
@@ -47,7 +47,7 @@ var watch_users = new Array();
  <script src="[% 'js/productform.js' FILTER version FILTER html %]">
  </script>
  
-<script>
+<script [% script_nonce FILTER none %]>
  function onSelectProduct() {
    var component = Dom.get('component');
    selectProduct(Dom.get('product'), component);
diff --git a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl

index e6a04f092e7d728ae6893adb49ed188e51af9253..940fc2d115a0974b19de41359b07dbabb42a829e 100644 (file)
--- a/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl
+++ b/extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl
@@ -27,7 +27,7 @@
    </td>
  </tr>
  
-<script>
+<script [% script_nonce FILTER none %]>
  function sanitise_name(name) {
    return name.toLowerCase()
               .replace(/[^a-z0-9_]/g, '-')
diff --git a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl

index 98a8f41842b45c05a3652b2057842786aef2e867..8d8b125053d2d53e63953516665589043cc1067b 100644 (file)
--- a/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
+++ b/extensions/EditTable/template/en/default/pages/edit_table.html.tmpl
@@ -35,7 +35,7 @@
  <input type="submit" value="Commit Changes" id="commit_btn" class="bz_default_hidden">
  </form>
  
-<script>
+<script [% script_nonce FILTER none %]>
    var table_data_str = "[% table_data FILTER js %]";
    var table_data = $.parseJSON(table_data_str);
    var editTable = new EditTable('edit_table', table_data);
diff --git a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl

index 08f90b8d45ee7bad2a0ee9dc49fc95251d0137f4..0cb5f2ff16a0f5a8ac521af10af2fad2ab64d95a 100644 (file)
--- a/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl
+++ b/extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl
@@ -7,7 +7,7 @@
    #%]
  
  [% IF flag_default_requestees.keys.size %]
-  <script>
+  <script [% script_nonce FILTER none %]>
    var currently_requested = new Array();
    var default_requestees = new Array();
    [% FOREACH id = flag_currently_requested.keys %]
diff --git a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl

index 7cadbdca5db84994743986cf15656b1c99510ef6..88d9d4dd7835decdc2853ba0c95b0c4cf5310b65 100644 (file)
--- a/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl
+++ b/extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl
@@ -21,7 +21,7 @@
    #%]
  
  [% IF ftc_flags.keys.size %]
-  <script>
+  <script [% script_nonce FILTER none %]>
    YAHOO.util.Event.onDOMReady(function() {
      var selects = YAHOO.util.Dom.getElementsByClassName('flag_select');
      for (var i = 0; i < selects.length; i++) {
diff --git a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl

index b9cfa6fbf431497ce2ad8e0187a6715526495848..20192841f55b746dacc7ddc647217cfde3b14c21 100644 (file)
--- a/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl
+++ b/extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl
@@ -32,7 +32,7 @@ Please use the <a href="enter_bug.cgi?format=__default__">advanced [% terms.bug
  <div id="loading" class="hidden">
  Please wait...
  </div>
-<script>
+<script [% script_nonce FILTER none %]>
  YAHOO.util.Dom.removeClass('loading', 'hidden');
  </script>
  
@@ -50,7 +50,7 @@ YAHOO.util.Dom.removeClass('loading', 'hidden');
    <a id="advanced_link" href="enter_bug.cgi?format=__default__">Switch to the advanced [% terms.bug %] entry form</a>
  </div>
  
-<script>
+<script [% script_nonce FILTER none %]>
  YAHOO.util.Dom.addClass('loading', 'hidden');
  guided.init({ webdev: [% webdev ? "true" : "false" %] });
  guided.currentUser = '[% user.login FILTER js %]';
diff --git a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl

index c224a4e45fdc9afb739d35bb491fc885dd233af8..d0a3abb5b65981bb9eca47c32941d2bc11b580e2 100644 (file)
--- a/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl
+++ b/extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl
@@ -10,7 +10,7 @@
  [%# this div exists to allow bugzilla-tweaks to detect when we're active %]
  <div id="inline-history-ext"></div>
  
-<script>
+<script [% script_nonce FILTER none %]>
    var ih_activity = new Array();
    var ih_activity_flags = new Array();
    var ih_activity_sort_order = '[% user.settings.comment_sort_order.value FILTER js %]';
diff --git a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl

index e07edbc83e0a80da4230d794907683ba940df3fd..7956fcfae15a4d73eb6a4c981eec89513f345444 100644 (file)
--- a/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl
+++ b/extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl
@@ -74,7 +74,7 @@
    </div>
  </script>
  
-<script>
+<script [% script_nonce FILTER none %]>
    [% IF Param('splinter_base') %]
      MyDashboard.splinter_base = '[% Bugzilla.splinter_review_base FILTER js %]';
    [% END %]
diff --git a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl

index 22ee41af6851e80c333a03b20eb4ffae3874f068..9ed394fbb15b038874b81f0850d764f206929096 100644 (file)
--- a/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl
+++ b/extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl
@@ -9,7 +9,7 @@
  [% PROCESS bug/needinfo.html.tmpl
     bug => attachment.bug
  %]
-<script>
+<script [% script_nonce FILTER none %]>
    document.getElementById('editButton').addEventListener('click', function() {
      document.getElementById('attachment_view_window')
        .appendChild(document.getElementById('needinfo_container'));
diff --git a/extensions/Push/template/en/default/pages/push_config.html.tmpl b/extensions/Push/template/en/default/pages/push_config.html.tmpl

index 3783ecad66f853ecea6804986cd195d9d455d9cf..dd5507bbc42fd314d40449d0289b9374cd9d1d3a 100644 (file)
--- a/extensions/Push/template/en/default/pages/push_config.html.tmpl
+++ b/extensions/Push/template/en/default/pages/push_config.html.tmpl
@@ -12,7 +12,7 @@
    style_urls = [ 'extensions/Push/web/admin.css' ]
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  var push_defaults = new Array();
  [% FOREACH option = push.config.options %]
    [% IF option.name != 'enabled' && option.default != '' %]
@@ -127,7 +127,7 @@ var push_defaults = new Array();
      </tr>
    [% END %]
    [% IF name != 'global' %]
-    <script>
+    <script [% script_nonce FILTER none %]>
        var is_enabled = document.getElementById('[% name FILTER js %]_enabled').value == 'Enabled';
        toggle_options(is_enabled, '[% name FILTER js %]');
      </script>
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl

index 62f45d56833ad9025abde9c9155d824d0877cf9d..5c19ac7581e96779cef28cc1dba5ae4a9f54c984 100644 (file)
--- a/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl
@@ -23,7 +23,7 @@
  any persons designated in the CC line, and authorized members of the Mozilla
  Rep team.</p>
  
-<script>
+<script [% script_nonce FILTER none %]>
  function trySubmit() {
    var firstname = document.getElementById('firstname').value;
    var lastname = document.getElementById('lastname').value;
@@ -135,7 +135,7 @@ function validateAndSubmit() {
        <span>Calendar</span>
      </button>
      <div id="con_calendar_cf_due_date"></div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('cf_due_date')
      </script>
    </td>
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl

index 10f65de39861065b8fc42b8f9f0f1dc591cd19ce..af3db60bccf4ba365934204035a3635feabd939c 100644 (file)
--- a/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl
@@ -17,7 +17,7 @@
  [% USE Bugzilla %]
  [% mandatory = '<span class="mandatory" title="Required">*</span>' %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  var Dom = YAHOO.util.Dom;
  
  function mandatory(elements) {
diff --git a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl

index bc7c0d146e5ab43ab9b491500e4f253bb7438ae1..18b5a6c3864e207a12bfaa3f72a996fb1e64c516 100644 (file)
--- a/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl
+++ b/extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl
@@ -27,7 +27,7 @@
  <p>These requests will only be visible to the person who submitted the request,
  any persons designated in the CC line, and authorized members of the Mozilla Rep team.</p>
  
-<script>
+<script [% script_nonce FILTER none %]>
  function trySubmit() {
    var eventname = document.getElementById('eventname').value;
    var shortdesc = 'Swag Request - ' + eventname;
diff --git a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl

index 4b4f237c25da8b66c8a270e28a768bd1331d5ddc..1e1889089f02f6782ae7abf57e50eb33fe752609 100644 (file)
--- a/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl
+++ b/extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl
@@ -30,7 +30,7 @@
                         'js/field.js' ]
  %]
  
-<script></script>
+<script [% script_nonce FILTER none %]></script>
  
  <h1>Mozilla Reps - Payment Form</h1>
  
diff --git a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl

index 22d95d694c33e897b73e5193efd5e4686ff56fef..ed5ae7b36e74614374465d143d2a8c8924da5211 100644 (file)
--- a/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl
@@ -10,7 +10,7 @@
    [% bug = attachment.bug %]
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    $(function() {
      [% IF bug.product_obj.reviewer_required %]
        REVIEW.init_mandatory();
diff --git a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl

index be866ae4bbda87c294c153460ff96440e276a250..5e7629eac2c60b18b92d0137a528bfd59b05ea70 100644 (file)
--- a/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl
@@ -7,7 +7,7 @@
    #%]
  
  [% IF attachment.bug.product_obj.reviewer_required %]
-<script>
+<script [% script_nonce FILTER none %]>
  $(function() {
    REVIEW.init_mandatory();
  });
diff --git a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl

index c2c574bd94d55bb60af6bbe79570a19f00617a87..04ec1b13b71982d340d4251d9b34399e9c4fe552 100644 (file)
--- a/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl
+++ b/extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl
@@ -6,7 +6,7 @@
    # defined by the Mozilla Public License, v. 2.0.
    #%]
  
-<script>
+<script [% script_nonce FILTER none %]>
    $(function() {
      [% IF product.reviewer_required %]
        REVIEW.init_mandatory();
diff --git a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl

index b2f375b888121a4dc2d83f33f8f11b1fd620de56..2392f5f6a3d8165243b73056a8a2d58b4c9761d3 100644 (file)
--- a/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl
+++ b/extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl
@@ -36,7 +36,7 @@
           %]
          <br>
        </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
          hideEditableField('bz_bug_mentors_edit_container',
                            'bz_bug_mentors_input',
                            'bz_bug_mentors_edit_action',
diff --git a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl

index 2c06f495014de5f523cebbc6e5bc70a559cebff4..771bc803c3074d41b27335c4b8702fbe744092b2 100644 (file)
--- a/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl
+++ b/extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl
@@ -12,6 +12,6 @@
    &nbsp;&nbsp;<a href="#" id="[% fid FILTER none %]_suggestions_link">suggested reviewers &#9662;</a>
  </span>
  
-<script>
+<script [% script_nonce FILTER none %]>
    REVIEW.init_review_flag('[% fid FILTER none %]', '[% flag_name FILTER none %]');
  </script>
diff --git a/extensions/Review/template/en/default/pages/review_history.html.tmpl b/extensions/Review/template/en/default/pages/review_history.html.tmpl

index d80ed5e0ad3ee63907f746a525614642fe532a82..c8263bc52029af8acb728f79cdb45377f8a66743 100644 (file)
--- a/extensions/Review/template/en/default/pages/review_history.html.tmpl
+++ b/extensions/Review/template/en/default/pages/review_history.html.tmpl
@@ -19,7 +19,7 @@
              'js/field.js' ]
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    $(function () {
      YUI({
        base: 'js/yui3/',
diff --git a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl

index 1b65e71a882432b21c64c4ef40daf3eb11f82d48..a90266dae693d8e0209ad6a21fb87e3e42a1e783 100644 (file)
--- a/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl
+++ b/extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl
@@ -31,7 +31,7 @@
    </td>
  </tr>
  
-<script>
+<script [% script_nonce FILTER none %]>
  $(function() {
      'use strict';
      var securemail_groups = [];
diff --git a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl

index 9e59f1520345102cb1957977ff4b3831dc688e58..b5cab5c592c7c8c262771bc69c26907a10d068a6 100644 (file)
--- a/extensions/Splinter/template/en/default/pages/splinter.html.tmpl
+++ b/extensions/Splinter/template/en/default/pages/splinter.html.tmpl
@@ -37,7 +37,7 @@
  
  [% can_edit = 0 %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    Splinter.configBase = '[% Bugzilla.splinter_review_base FILTER js %]';
    Splinter.configBugUrl = '[% urlbase FILTER js %]';
    Splinter.configHaveExtension = true;
@@ -229,7 +229,7 @@
                                               any_flags_requesteeble = any_flags_requesteeble
              %]
            [% END %]
-          <script>
+          <script [% script_nonce FILTER none %]>
              [% FOREACH flag_type = flag_types %]
                [% NEXT UNLESS flag_type.is_active %]
                Event.addListener('flag_type-[% flag_type.id FILTER js %]', 'change',
diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl

index 962271254ad4f45f89114d8ce3fd2111180d5c29..3fbb622de7ccde323e30473f6886fb5e8c98d90b 100644 (file)
--- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
@@ -32,7 +32,7 @@
                [% value.name FILTER html %]</option>
            [% END %]
          </select>
-        <script>
+        <script [% script_nonce FILTER none %]>
            initHidingOptionsForIE('[% flag.name FILTER js %]');
          </script>
          [% IF !new_bug && user.id %]
@@ -47,7 +47,7 @@
    </tr>
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
    TrackingFlags = $.parseJSON(tracking_flags_str);
  </script>
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl

index 4bb9e1eab55b656b8263a0855b04fa6592c4c633..005cc80625e5f8f1718d946bb182523e017af41c 100644 (file)
--- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
@@ -28,7 +28,7 @@
    END;
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    $(function() {
      var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]";
      var tracking_flag_components = $.parseJSON(tracking_flag_components_str);
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl

index 1571fc4f92b7d56a55d904111ada2259372c830b..1fccf69494756068b384619ae5f0944443ef8fae 100644 (file)
--- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
@@ -40,7 +40,7 @@
    [% END %]
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
    var TrackingFlags = $.parseJSON(tracking_flags_str);
    hide_tracking_flags();
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl

index fb09b0ac1e6448da7dd09308a07a533df33c0ecd..91f89ea734ecb5395ccd80ae0768537e7968c3a8 100644 (file)
--- a/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl
@@ -29,7 +29,7 @@
      </option>
    [% END %]
  </select>
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
    initHidingOptionsForIE('[% field.name FILTER js %]');
    [%+ INCLUDE "bug/field-events.js.tmpl"
diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl

index e381c4f1c7a60670fd1e937557bb8576f7c46841..e1263a308aa13a42c9748eebc0c9b3e478a53258 100644 (file)
--- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
@@ -29,7 +29,7 @@ var selected_components = [
    style_urls = [ 'extensions/TrackingFlags/web/styles/admin.css' ]
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    var groups_str = "[% groups || '[]' FILTER js %]";
    var groups = $.parseJSON(groups_str);
    var flag_values_str = "[% values || '[]' FILTER js %]";
diff --git a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl

index c6a16f7d081c1b42300b5a2cd67ef3bec4c5a13d..e063ac9420c095ea4d4fcec6885215412cfa1e16 100644 (file)
--- a/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl
+++ b/extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl
@@ -11,7 +11,7 @@
  [% can_edit_story = bug.check_can_change_field('cf_user_story', 0, 1) %]
  
  <div class="user_story">
-  <script>
+  <script [% script_nonce FILTER none %]>
      function userStoryComment() {
          var commenttext = "(Commenting on User Story)\n";
          var text_elem = document.getElementById('user_story');
@@ -61,7 +61,7 @@
                  cols    = constants.COMMENT_COLS
                  defaultcontent = bug.cf_user_story %]
      </div>
-    <script>
+    <script [% script_nonce FILTER none %]>
        YAHOO.util.Event.addListener('user_story_edit_action', 'click', function() {
          YAHOO.util.Dom.addClass('user_story_edit', 'bz_default_hidden');
          YAHOO.util.Dom.addClass('user_story_readonly', 'bz_default_hidden');
diff --git a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl

index 77734408a20b1fe30d3d68ee391eaab7772dcb49..6079ec616a4a572a18af7ca0bb432eed95a8f770 100644 (file)
--- a/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl
+++ b/extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl
@@ -32,7 +32,7 @@
              defaultcontent = user_story_default
          %]
        </div>
-      <script>
+      <script [% script_nonce FILTER none %]>
          var user_story_exclude_components = [];
          [% FOREACH c = default.user_story_visible.1 %]
            user_story_exclude_components.push('[% c FILTER js %]');
diff --git a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl

index e5a29ba56544ef38bdd4c06d7c85caf749b1a934..fde6434deb8d746a4913fcb316a257225225dbda 100644 (file)
--- a/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
+++ b/extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl
@@ -50,7 +50,7 @@
             value="[% product.votestoconfirm FILTER html %]">
      <br>(Setting this to 0 disables auto-confirming [% terms.bugs %]
      by vote.)
-    <script>
+    <script [% script_nonce FILTER none %]>
          YAHOO.util.Event.addListener('allows_unconfirmed', 'change',
              function() { bz_toggleClass('votes_to_confirm_container',
                                          'bz_default_hidden'); });
diff --git a/report.cgi b/report.cgi

index b9f398cae4e8b239bb34db021046451e7c88cb20..7ec2bb04f345a82f7d9aa7c3387f6d4bf23acc25 100755 (executable)
--- a/report.cgi
+++ b/report.cgi
@@ -25,6 +25,8 @@ my $cgi = Bugzilla->cgi;
  my $template = Bugzilla->template;
  my $vars = {};
  
+$cgi->content_security_policy(report_only => 0);
+
  # Go straight back to query.cgi if we are adding a boolean chart.
  if (grep(/^cmd-/, $cgi->param())) {
      my $params = $cgi->canonicalise_query("format", "ctype");
diff --git a/static/metricsgraphics/socorro-lens.html b/static/metricsgraphics/socorro-lens.html

index 786394228c35ffcd1af4613fdec037a90f6b0055..9af06132373c7496b8e2cc663697b154e2d64ea5 100644 (file)
--- a/static/metricsgraphics/socorro-lens.html
+++ b/static/metricsgraphics/socorro-lens.html
@@ -37,7 +37,7 @@
      </div>
      <div style="width:300px; height:75px; color:red; text-align:center; visibility:hidden;" id='warn'></div>
      <script src='js/main.js'></script>
-    <script>
+    <script [% script_nonce FILTER none %]>
        document.addEventListener('DOMContentLoaded', function () {
          document.querySelector('select[name="channel"]').onchange = channelEventHandler;
          document.querySelector('select[name="match"]').onchange = matchEventHandler;
diff --git a/template/en/default/account/prefs/email.html.tmpl b/template/en/default/account/prefs/email.html.tmpl

index d09bffc5d16fa13f47e64233e3de99da2e2e796c..014bf4f3d94bf07aac535b9a503599b3ae014065 100644 (file)
--- a/template/en/default/account/prefs/email.html.tmpl
+++ b/template/en/default/account/prefs/email.html.tmpl
@@ -41,7 +41,7 @@
    filter some or all notifications.
  </p>
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
  function SetCheckboxes(setting) {
    for (var count = 0; count < document.userprefsform.elements.length; count++) {
diff --git a/template/en/default/account/prefs/saved-searches.html.tmpl b/template/en/default/account/prefs/saved-searches.html.tmpl

index 58448eb5e796f607460b4b83646ea0457efe63a9..426b593dcaaed73ff376539a56249c5b4bc50f66 100644 (file)
--- a/template/en/default/account/prefs/saved-searches.html.tmpl
+++ b/template/en/default/account/prefs/saved-searches.html.tmpl
@@ -25,7 +25,7 @@
    #%]
  
  [% IF user.can_bless %]
-  <script><!--
+  <script [% script_nonce FILTER none %]><!--
      function update_checkbox(group) {
        var bless_groups = [[% bless_group_ids.join(",") FILTER js %]];
        var checkbox = document.getElementById(group.name.replace(/share_(\d+)/, "force_$1"));
diff --git a/template/en/default/account/prefs/settings.html.tmpl b/template/en/default/account/prefs/settings.html.tmpl

index b09d7a49125ce15ab1091aeefab35cd890d1733c..c7208ff295b9f70280173fe098021e7e1cd5ce94 100644 (file)
--- a/template/en/default/account/prefs/settings.html.tmpl
+++ b/template/en/default/account/prefs/settings.html.tmpl
@@ -80,7 +80,7 @@
    </table>
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  $().ready(function() {
    var id = document.location.hash.substring(1) + '_row';
    $('#' + id).addClass('highlighted');
diff --git a/template/en/default/admin/custom_fields/create.html.tmpl b/template/en/default/admin/custom_fields/create.html.tmpl

index 41852de03103f4b41010af133709019be81f1a6f..2b3f0eadb988ae83e4a59cbc611d3c3be89cb062 100644 (file)
--- a/template/en/default/admin/custom_fields/create.html.tmpl
+++ b/template/en/default/admin/custom_fields/create.html.tmpl
@@ -32,7 +32,7 @@
  %]
  
  [%# set initial editability of fields such as Reverse Relationship Description %]
-<script>
+<script [% script_nonce FILTER none %]>
  YAHOO.util.Event.onDOMReady(function() {onChangeType(document.getElementById('type'))});
  </script>
  
diff --git a/template/en/default/admin/params/common.html.tmpl b/template/en/default/admin/params/common.html.tmpl

index 4941afa38b297c3eefb8d7c2869f50b495aaed66..cd135e1d29ec9b5c0f650b6de8ff49f276e93c09 100644 (file)
--- a/template/en/default/admin/params/common.html.tmpl
+++ b/template/en/default/admin/params/common.html.tmpl
@@ -111,7 +111,7 @@
            </tr>
          </table>
  
-        <script>
+        <script [% script_nonce FILTER none %]>
              bz_toggleClass("input_[% param.name FILTER html %]", "bz_default_hidden");
              bz_toggleClass("table_[% param.name FILTER html %]", "bz_default_hidden");
          </script>
diff --git a/template/en/default/admin/workflow/comment.html.tmpl b/template/en/default/admin/workflow/comment.html.tmpl

index 9b447f777ef84ee3f9b9daf5e6e1a60e79e949bb..8f64c77a623e52cfdde724d2a4544b68980e1b42 100644 (file)
--- a/template/en/default/admin/workflow/comment.html.tmpl
+++ b/template/en/default/admin/workflow/comment.html.tmpl
@@ -21,7 +21,7 @@
     style_urls = ['skins/standard/admin.css']
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
    function toggle_cell(cell) {
      if (cell.checked)
diff --git a/template/en/default/admin/workflow/edit.html.tmpl b/template/en/default/admin/workflow/edit.html.tmpl

index 5646c294d63378d53afcdfafe5b059c0741e86c0..97bbec7960a858fe90f7856f113121af6e4e13c5 100644 (file)
--- a/template/en/default/admin/workflow/edit.html.tmpl
+++ b/template/en/default/admin/workflow/edit.html.tmpl
@@ -21,7 +21,7 @@
     style_urls = ['skins/standard/admin.css']
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
    function toggle_cell(cell) {
      if (cell.checked)
diff --git a/template/en/default/attachment/create.html.tmpl b/template/en/default/attachment/create.html.tmpl

index e058b3defd93c79c59a26d028604d9599cbe3f03..329e0ab4989a6221ba17f80ca8ee8d8ed4270ed8 100644 (file)
--- a/template/en/default/attachment/create.html.tmpl
+++ b/template/en/default/attachment/create.html.tmpl
@@ -39,7 +39,7 @@
    doc_section = "attachments.html"
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
  TUI_hide_default('attachment_text_field');
  -->
diff --git a/template/en/default/attachment/createformcontents.html.tmpl b/template/en/default/attachment/createformcontents.html.tmpl

index dc861b7a69f1b557d64c5905dbf72a18e8802ef9..41a02a913c32a367eb86452e8beba9feed931610 100644 (file)
--- a/template/en/default/attachment/createformcontents.html.tmpl
+++ b/template/en/default/attachment/createformcontents.html.tmpl
@@ -21,13 +21,22 @@
    #                 Marc Schumann <wurblzap@gmail.com>
    #%]
  
+<script [% script_nonce FILTER none %]>
+  document.addEventListener("DOMContentLoaded", function (event) {
+    document.querySelector("#attachment_data_controller").addEventListener(
+      "click", function (event) {
+        TUI_toggle_class('attachment_text_field');
+        TUI_toggle_class('attachment_data');
+      });
+  });
+</script>
+
  <tr class="attachment_data">
    <th><label for="data">File</label>:</th>
    <td>
      <em>Enter the path to the file on your computer</em> (or
-    <a id="attachment_data_controller" href="javascript:TUI_toggle_class('attachment_text_field');
-                                             javascript:TUI_toggle_class('attachment_data')"
-    >paste text as attachment</a>).<br>
+    <a id="attachment_data_controller">
+    paste text as attachment</a>).<br>
      <input type="file" id="data" name="data" size="50">
    </td>
  </tr>
@@ -58,7 +67,7 @@
      <input type="checkbox" id="ispatch" name="ispatch" value="1">
      <label for="ispatch">patch</label><br><br>
      [%# Reset this whenever the page loads so that the JS state is up to date %]
-    <script [% csp_nonce FILTER none %]>
+    <script [% script_nonce FILTER none %]>
        $(function() {
          $("#file").on("change", function() {
            DataFieldHandler();
diff --git a/template/en/default/attachment/diff-file.html.tmpl b/template/en/default/attachment/diff-file.html.tmpl

index 70fbf554cad94cc2f08d603fbec9aa6eedacf2a5..d510b5a5ea280176eee43acab856175933ed7be3 100644 (file)
--- a/template/en/default/attachment/diff-file.html.tmpl
+++ b/template/en/default/attachment/diff-file.html.tmpl
@@ -45,7 +45,7 @@
      [% END %]
    [% END %]
  </td></tr></thead><tbody class="[% collapsed ? 'file_collapse' : 'file' %]">
-<script>
+<script [% script_nonce FILTER none %]>
  incremental_restore()
  </script>
  
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl

index 43bf4c83cd318ddcab45eb308cedc3c9ff474f33..d06d4ad5635adc3c66d322c8b98efd1e8aa42905 100644 (file)
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -219,7 +219,7 @@
                    <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
                  </iframe>
                [% END %]
-              <script>
+              <script [% script_nonce FILTER none %]>
                  <!--
                  var patchviewerinstalled = 0;
                  var attachment_id = [% attachment.id %];
@@ -328,7 +328,7 @@
    [% END %]
  </div>
  [% IF can_edit %]
-  <script>
+  <script [% script_nonce FILTER none %]>
      <!--
        YAHOO.util.Dom.removeClass( document.body, "no_javascript" );
        toggle_attachment_details_visibility( );
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl

index 50800dd8e537b5d053c554ce77899dd4ea6d56e8..16e94586c9af5301ff668948abea2e1557535253 100644 (file)
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -19,7 +19,7 @@
    #                 Frédéric Buclin <LpSolit@gmail.com>
    #%]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
  function toggle_display(link) {
      var table = document.getElementById("attachment_table");
diff --git a/template/en/default/bug/comments.html.tmpl b/template/en/default/bug/comments.html.tmpl

index 2346983b29b757ab1c0766772623d2d468c75d63..7af08efdefd3aae2be89f5ed08b6dbfa8c41df1d 100644 (file)
--- a/template/en/default/bug/comments.html.tmpl
+++ b/template/en/default/bug/comments.html.tmpl
@@ -25,7 +25,7 @@
  <script src="[% 'js/comments.js' FILTER version %]">
  </script>
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
    /* Adds the reply text to the 'comment' textarea */
    function replyToComment(id, real_id, name) {
@@ -191,13 +191,13 @@
              [% IF comment.collapsed %]
                </span>
              [% END %]
-            <script>
+            <script [% script_nonce FILTER none %]>
                addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display');
              </script>
            </span>
          [% ELSIF comment.collapsed %]
            <span class="bz_comment_actions">
-            <script>
+            <script [% script_nonce FILTER none %]>
                addCollapseLink([% comment.count %], [% comment.collapsed FILTER js %], 'Toggle comment display');
              </script>
            </span>
@@ -270,7 +270,7 @@
                     [% " bz_default_hidden" UNLESS comment.tags.size %]">
            <span id="ct_[% comment.count %]">
              [% IF comment.tags.size %]
-              <script>
+              <script [% script_nonce FILTER none %]>
                  YAHOO.bugzilla.commentTagging.showTags([% comment.id FILTER none %],
                    [% comment.count FILTER none %], [
                  [% FOREACH tag = comment.tags %]
diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl

index 9420f133039b3618f310884a776ce70e62557bd6..a1c2c2e08eb90001b97b866207e35383fc8e94a6 100644 (file)
--- a/template/en/default/bug/create/create-guided.html.tmpl
+++ b/template/en/default/bug/create/create-guided.html.tmpl
@@ -41,7 +41,7 @@
  [% tablecolour = "#FFFFCC" %]
  
  [%# This script displays the descriptions for selected components. %]
-<script>
+<script [% script_nonce FILTER none %]>
  var descriptions = [
  [% FOREACH c = product.components %]
    '[% c.description FILTER js %]',
@@ -181,7 +181,7 @@ function PutDescription() {
            <td valign="top" width="100%">
                <div id="description" style="color: green; margin-left: 10px;
                                             height: 5em; overflow: auto;">
-                <script>
+                <script [% script_nonce FILTER none %]>
                    if ((document.getElementById) && (document.body.innerHTML)) {
                      document.write("\
                      Select a component to see its description here.");
diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl

index 567c58d581c56ff1e6f835bd247a0b2aa58cca9b..3185374e59d66875b0a1327ed435d968561fa65d 100644 (file)
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -40,7 +40,7 @@
    onload = "init();"
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
  
  function init() {
@@ -217,7 +217,7 @@ TUI_hide_default('attachment_text_field');
        <input type="button" id="expert_fields_controller"
               value="Hide Advanced Fields" onClick="toggleAdvancedFields()">
        [%# Show the link if the browser supports JS %]
-      <script>
+      <script [% script_nonce FILTER none %]>
          YAHOO.util.Dom.removeClass('expert_fields_controller',
                                     'bz_default_hidden');
        </script>
@@ -276,7 +276,7 @@ TUI_hide_default('attachment_text_field');
          [%- END %]
        </select>
  
-      <script>
+      <script [% script_nonce FILTER none %]>
         <!--
           [%+ INCLUDE "bug/field-events.js.tmpl"
                       field = bug_fields.component, product = product %]
@@ -492,7 +492,7 @@ TUI_hide_default('attachment_text_field');
        <th>Possible<br>Duplicates:</th>
        <td colspan="3">
          <div id="possible_duplicates"></div>
-        <script>
+        <script [% script_nonce FILTER none %]>
            var dt_columns = [
                { key: "id", label: "[% field_descs.bug_id FILTER js %]",
                  formatter: YAHOO.bugzilla.dupTable.formatBugLink },
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl

index 84a20b97eb249d57ce8603378013a484e95d35aa..b424d55426c6cc11a5164d253f78f05daf3cb7de 100644 (file)
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -49,7 +49,7 @@
      </div>
    [% END %]
    [% IF user.id %]
-    <script>
+    <script [% script_nonce FILTER none %]>
        YAHOO.bugzilla.commentTagging.init([% user.can_tag_comments ? 'true' : 'false' %]);
        YAHOO.bugzilla.commentTagging.min_len = [% constants.MIN_COMMENT_TAG_LENGTH FILTER js %];
        YAHOO.bugzilla.commentTagging.max_len = [% constants.MAX_COMMENT_TAG_LENGTH FILTER js %];
@@ -64,7 +64,7 @@
    [% END %]
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
  [% IF user.is_timetracker %]
    var fRemainingTime = [% bug.remaining_time %]; // holds the original value
@@ -300,7 +300,7 @@
        </table>
      </div>
    </div>
-  <script>
+  <script [% script_nonce FILTER none %]>
      hideAliasAndSummary('[% bug.short_desc FILTER js %]', '[% bug.alias FILTER js %]');
    </script>
  [% END %]
@@ -591,7 +591,7 @@
      [%# BMO - hook for adding mentors %]
      [% Hook.process("after_people", "bug/edit.html.tmpl") %]
  
-    <script>
+    <script [% script_nonce FILTER none %]>
        assignToDefaultOnChange(['product', 'component'],
          '[% bug.component_obj.default_assignee.login FILTER js %]',
          '[% bug.component_obj.default_qa_contact.login FILTER js %]');
@@ -998,7 +998,7 @@
              [% IF !bug_flags_set %]<em>None yet set</em>[% END %]
              (<a href="#" id="bz_flags_more_action">[% IF !bug_flags_set %]set[% ELSE %]more[% END %] flags</a>)
            </span>
-          <script>
+          <script [% script_nonce FILTER none %]>
              YAHOO.util.Dom.removeClass('bz_flags_more_container', 'bz_default_hidden');
              var table = YAHOO.util.Dom.get("flags");
              var rows = YAHOO.util.Dom.getElementsByClassName('bz_flag_type', 'tbody', table);
@@ -1248,7 +1248,7 @@
  
  [% BLOCK summon_comment_box %]
  <div id="comment_top_hat">
-  <script>
+  <script [% script_nonce FILTER none %]>
      function summonCommentBox() {
          var commentbox = document.getElementById('add_comment');
          document.getElementById('comment_top_hat').appendChild(commentbox);
diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl

index b9bee6de3574a0c17e7e0f58b9cef1f1bebadf5d..1d6048cdd02a7570d39a1a4055ab3b6e6d3ff008 100644 (file)
--- a/template/en/default/bug/field.html.tmpl
+++ b/template/en/default/bug/field.html.tmpl
@@ -74,7 +74,7 @@
  
        <div id="con_calendar_[% field.name FILTER html %]"></div>
  
-      <script>
+      <script [% script_nonce FILTER none %]>
          createCalendar('[% field.name FILTER js %]')
        </script>
      [% CASE constants.FIELD_TYPE_BUG_ID %]
@@ -91,7 +91,7 @@
          <span id="[% field.name FILTER html %]_edit_container" class="edit_me bz_default_hidden">
            (<a href="#" id="[% field.name FILTER html %]_edit_action">edit</a>)
          </span>
-        <script>
+        <script [% script_nonce FILTER none %]>
          hideEditableField('[% field.name FILTER js %]_edit_container',
                            '[% field.name FILTER js %]_input_area',
                            '[% field.name FILTER js %]_edit_action',
@@ -175,7 +175,7 @@
            <input type="hidden" name="defined_[% field.name FILTER html %]">
          [% END %]
  
-        <script>
+        <script [% script_nonce FILTER none %]>
          <!--
            initHidingOptionsForIE('[% field.name FILTER js %]');
            [%+ INCLUDE "bug/field-events.js.tmpl"
@@ -197,7 +197,7 @@
              id = field.name name = field.name minrows = 4 maxrows = 8
              cols = 60 defaultcontent = value mandatory = field.is_mandatory %]
         </div>
-       <script>
+       <script [% script_nonce FILTER none %]>
           hideEditableField('[% field.name FILTER js %]_edit_container',
                             '[% field.name FILTER js %]_input',
                             '[% field.name FILTER js %]_edit_action',
@@ -230,7 +230,7 @@
                    [% IF !bug.id %]value="[% value FILTER html %]"[% END %]>
           </div>
           [% IF bug.id %]
-           <script>
+           <script [% script_nonce FILTER none %]>
               setupEditLink('[% field.name FILTER js %]');
             </script>
           [% END %]
@@ -241,7 +241,7 @@
                name="[% field.name FILTER html %]"
                data-values="[% field.name FILTER html %]"
                value="[% value FILTER html %]">
-       <script>
+       <script [% script_nonce FILTER none %]>
            if (typeof BUGZILLA.autocomplete_values === 'undefined')
              BUGZILLA.autocomplete_values = [];
            BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [
diff --git a/template/en/default/bug/knob.html.tmpl b/template/en/default/bug/knob.html.tmpl

index a0a5dc647b0a2dfdaa1e5b1972db2c6489522e35..16aa160f6ed7267e77e2d1b6b42a2f50b3ac09e3 100644 (file)
--- a/template/en/default/bug/knob.html.tmpl
+++ b/template/en/default/bug/knob.html.tmpl
@@ -70,7 +70,7 @@
    [% END %]
  </div>
  
-<script>
+<script [% script_nonce FILTER none %]>
    var close_status_array = [
      [% FOREACH status = bug.choices.bug_status %]
        [% NEXT IF status.is_open %]
diff --git a/template/en/default/bug/summarize-time.html.tmpl b/template/en/default/bug/summarize-time.html.tmpl

index 120bd74ad097ac3fac84dab3f28d3e69485558b6..9f2742694ac9172e3a12f74f9460a88028c0ad14 100644 (file)
--- a/template/en/default/bug/summarize-time.html.tmpl
+++ b/template/en/default/bug/summarize-time.html.tmpl
@@ -341,7 +341,7 @@
  </tr></table>
  
  </form>
-<script>
+<script [% script_nonce FILTER none %]>
  <!--
    createCalendar('start_date');
    createCalendar('end_date');
diff --git a/template/en/default/list/edit-multiple.html.tmpl b/template/en/default/list/edit-multiple.html.tmpl

index 427acba37617c15d11e40f645212fb89dbde8b5a..eb989d15cc6d455e9f18791797687ad32dffd0bc 100644 (file)
--- a/template/en/default/list/edit-multiple.html.tmpl
+++ b/template/en/default/list/edit-multiple.html.tmpl
@@ -28,7 +28,7 @@
  <input type="hidden" name="dontchange" value="[% dontchange FILTER html %]">
  <input type="hidden" name="token" value="[% token FILTER html %]">
  
-<script>
+<script [% script_nonce FILTER none %]>
    function SetCheckboxes(value) {
        var elements = document.forms.changeform.getElementsByTagName('input'),
            numelements = elements.length,
@@ -328,7 +328,7 @@
  
  [% IF groups.size > 0 %]
  
-  <script>
+  <script [% script_nonce FILTER none %]>
      function turn_off(myself, id) {
          var other_checkbox = document.getElementById(id);
          if (myself.checked && other_checkbox) {
@@ -443,7 +443,7 @@
    </select>
    </span>
  
-  <script>
+  <script [% script_nonce FILTER none %]>
    var close_status_array = new Array("[% closed_status_array.join('", "') FILTER none %]");
      YAHOO.util.Event.addListener('bug_status', "change", showHideStatusItems, '[% "is_duplicate" IF bug.dup_id %]');
      YAHOO.util.Event.onDOMReady( showHideStatusItems );
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl

index 671722c8502d327bd0f31657d68ff342b126032c..8714fec7d8c0058f436777914db8fa009211722f 100644 (file)
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -140,7 +140,7 @@
          [% END %]
          </tbody>
        </table>
-      <script><!--
+      <script [% script_nonce FILTER none %]><!--
          var numelements = document.forms.editform.elements.length;
          function SetCheckboxes(value) {
            var item;
diff --git a/template/en/default/mfa/duo/verify.html.tmpl b/template/en/default/mfa/duo/verify.html.tmpl

index 799efba7b7ab3bedcf987ee6e74a5755d067d1f1..f3f49657a45f2c43ea46218427e160b198a53e38 100644 (file)
--- a/template/en/default/mfa/duo/verify.html.tmpl
+++ b/template/en/default/mfa/duo/verify.html.tmpl
@@ -84,7 +84,7 @@ $(function() {
    [% END %]
  </form>
  
-<script>
+<script [% script_nonce FILTER none %]>
    Duo.init({
      'host': '[% Param('duo_host') FILTER js %]',
      'sig_request': '[% sig_request FILTER js %]',
diff --git a/template/en/default/reports/create-chart.html.tmpl b/template/en/default/reports/create-chart.html.tmpl

index 1e6945ebc64614413d2e823826cf86d545f2a7e7..e20d8522f0ffb9c896fdf98b2a35d179766ef2d8 100644 (file)
--- a/template/en/default/reports/create-chart.html.tmpl
+++ b/template/en/default/reports/create-chart.html.tmpl
@@ -33,7 +33,7 @@
    donames = 1 
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  [%# This function takes necessary action on selection of a subcategory %]
  function subcatSelected() {
    var cat = document.chartform.category.value;
@@ -55,6 +55,15 @@ function subcatSelected() {
    
    checkNewState();
  }
+document.addEventListener("DOMContentLoaded", function(event) {
+  document.chartform.category.addEventListener("change", function (event) {
+    catSelected();
+    return subcatSelected();
+  });
+  document.chartform.subcategory.addEventListener("change", function (event) {
+    return subcatSelected();
+  });
+});
  </script>
    
  [% gttext = "Grand Total" %]
@@ -79,23 +88,20 @@ function subcatSelected() {
          </th>
        </tr>
        <tr>
-      
-        [% PROCESS series_select sel = { name => 'category', 
-                                         size => 5,
-                                         onchange = "catSelected();
-                                                     subcatSelected();" } %]
-                                   
+
+        [% PROCESS series_select sel = { name => 'category',
+                                         size => 5 } %]
+
          <td>
            <noscript>
              <input type="submit" name="action-assemble" value="Update --&gt;"
                     id="action-assemble">
            </noscript>
          </td>
-        
-        [% PROCESS series_select sel = { name => 'subcategory', 
-                                         size => 5,
-                                         onchange = "subcatSelected()" } %]
-                                   
+
+        [% PROCESS series_select sel = { name => 'subcategory',
+                                         size => 5 } %]
+
          <td>
            <noscript>
              <input type="submit" name="action-assemble" value="Update --&gt;"
diff --git a/template/en/default/reports/keywords.html.tmpl b/template/en/default/reports/keywords.html.tmpl

index 97a2d44d2ffa15b63f49c0d6d99afeeb25b29093..491bac78e6527e3e91641089f3775662ba7c19db 100644 (file)
--- a/template/en/default/reports/keywords.html.tmpl
+++ b/template/en/default/reports/keywords.html.tmpl
@@ -34,7 +34,7 @@
    title = "$terms.Bugzilla Keyword Descriptions"
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
   $(document).ready(function () {
       var show_inactive_keywords = [% show_inactive_keywords ? "true" : "false" FILTER none %],
           link = $("#keywords_show_hide"),
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl

index e8f926f64af34d15cf56dd3524fade5c508803fe..096eb171abb6236861bff126f4b2dfb841a17006 100644 (file)
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -46,7 +46,7 @@
    [% urlbase = BLOCK %][% urlbase %]&amp;[% tbl_field FILTER uri %]=[% tbl FILTER uri %][% END %]
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  function bz_encode (str, decode) {
    // First decode HTML entities, if requested.
    if (decode)
diff --git a/template/en/default/reports/series-common.html.tmpl b/template/en/default/reports/series-common.html.tmpl

index 469eb79c51a1be186c62d454993422f0af9f7b14..b8032255d116dd82e614f8c077a02fd661b35177 100644 (file)
--- a/template/en/default/reports/series-common.html.tmpl
+++ b/template/en/default/reports/series-common.html.tmpl
@@ -29,7 +29,7 @@
  [% subcategory = category.${default.category} %]
  [% name = subcategory.${default.subcategory} %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  [%# This structure holds details of the series the user can select from. %]
  var series = {
  [% FOREACH c = category.keys.sort %]
diff --git a/template/en/default/reports/series.html.tmpl b/template/en/default/reports/series.html.tmpl

index 3cf939003951e5d16d6b6920f6395200305847c0..164c3035518ddca41390eeac861944452282569a 100644 (file)
--- a/template/en/default/reports/series.html.tmpl
+++ b/template/en/default/reports/series.html.tmpl
@@ -29,7 +29,16 @@
  [% PROCESS "reports/series-common.html.tmpl"
     newtext = "New (name below)" 
   %]
-  
+
+<script [% script_nonce FILTER none %]>
+  document.addEventListener("DOMContentLoaded", function (event) {
+    if (document.chartform) {
+      document.chartform.category.addEventListener("change", (event) => catSelected());
+      document.chartform.subcategory.addEventListener("change", (event) => checkNewState());
+    }
+  });
+</script>
+
  <table cellpadding="2" cellspacing="2" border="0"
         style="text-align: left; margin-left: 20px">
    <tbody>
@@ -42,19 +51,17 @@
      </tr>
      <tr>
        [% PROCESS series_select sel = { name => 'category',
-                                       size => 5,
-                                       onchange => "catSelected()" } %]
+                                       size => 5 } %]
          <td>
            <noscript>
              <input type="submit" name="action-edit" value="Update --&gt;"
                     id="action-edit">
            </noscript>
          </td>
-        
-      [% PROCESS series_select sel = { name => 'subcategory', 
-                                       size => 5,
-                                       onchange => "checkNewState()" } %]
-        
+
+      [% PROCESS series_select sel = { name => 'subcategory',
+                                       size => 5 } %]
+
        <td valign="top" name="name">
          <input type="text" name="name" maxlength="64" 
                 value="[% default.name.0 FILTER html %]" size="25">
diff --git a/template/en/default/request/queue.html.tmpl b/template/en/default/request/queue.html.tmpl

index d40281f5068ec829d13508b2946b8fcd91a4d208..c4b48b024b1f99ef0c5286054e6f40c70a46ff1b 100644 (file)
--- a/template/en/default/request/queue.html.tmpl
+++ b/template/en/default/request/queue.html.tmpl
@@ -31,7 +31,7 @@
    style_urls = ['skins/standard/buglist.css']
  %]
  
-<script>
+<script [% script_nonce FILTER none %]>
    var useclassification = false; // No classification level in use
    var first_load = true; // Is this the first time we load the page?
    var last_sel = []; // Caches last selection
diff --git a/template/en/default/search/boolean-charts.html.tmpl b/template/en/default/search/boolean-charts.html.tmpl

index 455cb48b86cb61c20250eea035ad14b27f933d8d..767ea756348ab3b6c23510228ee5a86c0554cee8 100644 (file)
--- a/template/en/default/search/boolean-charts.html.tmpl
+++ b/template/en/default/search/boolean-charts.html.tmpl
@@ -70,7 +70,7 @@
      with_buttons = 1
      condition = { f => 'noop' }
      cond_num = cond_num + 1 %]
-  <script>
+  <script [% script_nonce FILTER none %]>
      TUI_alternates['custom_search_query'] = '&#9658;';
      TUI_hide_default('custom_search_query');
      TUI_alternates['custom_search_advanced'] = "Show Advanced Features";
@@ -78,7 +78,7 @@
    </script>
    <script src="[% 'js/custom-search.js' FILTER version %]"></script>
    <script src="[% 'js/history.js/native.history.js' FILTER version %]"></script>
-  <script>
+  <script [% script_nonce FILTER none %]>
      redirect_html4_browsers();
      [%# These are alternative labels for the AND and OR options in and_all_select %]
      var cs_and_label = 'Match ALL of the following:';
diff --git a/template/en/default/search/field.html.tmpl b/template/en/default/search/field.html.tmpl

index 0d10d4f6ba4dd0b402bd70805ecedb5263934b42..456cf088a0878519eae0a123433c2ba55253d2a9 100644 (file)
--- a/template/en/default/search/field.html.tmpl
+++ b/template/en/default/search/field.html.tmpl
@@ -63,7 +63,7 @@
             [% IF onchange %] onchange="[% onchange FILTER html %]"[% END %]
             value="[% value FILTER html %]"
             data-values="[% field.name FILTER html %]">
-    <script>
+    <script [% script_nonce FILTER none %]>
        if (typeof BUGZILLA.autocomplete_values === 'undefined')
          BUGZILLA.autocomplete_values = [];
        BUGZILLA.autocomplete_values['[% field.name FILTER js %]'] = [
@@ -100,7 +100,7 @@
      <small>(YYYY-MM-DD or relative dates)</small>
      
      <span id="con_calendar_[% field.name FILTER html %]to"></span>
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('[% field.name FILTER js %]');
        createCalendar('[% field.name FILTER js %]to');
      </script>
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl

index 49c31180661028bd16d8b27099de36b91353cb02..4d78a53da5bd94188a07daf66fa73fc05988a870 100644 (file)
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -23,7 +23,7 @@
  
  [% PROCESS "global/field-descs.none.tmpl" %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  
  var first_load = true;         [%# is this the first time we load the page? %]
  var last_sel = new Array();    [%# caches last selection %]
@@ -394,7 +394,7 @@ TUI_hide_default('information_query');
                           onclick="showCalendar('chfieldto')"><span>Calendar</span></button>
            <div id="con_calendar_chfieldto"></div>
      (YYYY-MM-DD or relative dates)
-    <script>
+    <script [% script_nonce FILTER none %]>
        createCalendar('chfieldfrom');
        createCalendar('chfieldto');
      </script>
diff --git a/template/en/default/search/search-create-series.html.tmpl b/template/en/default/search/search-create-series.html.tmpl

index 335448de9e719df8ca85c46dafcb3af227f6beb7..e0b7ff5623242c3606249ffc184c5b260a50c5fd 100644 (file)
--- a/template/en/default/search/search-create-series.html.tmpl
+++ b/template/en/default/search/search-create-series.html.tmpl
@@ -56,7 +56,7 @@
    <input type="hidden" name="action" value="create">
    <input type="hidden" name="token" value="[% issue_hash_token(['create-series']) FILTER html %]">
  
-<script>
+<script [% script_nonce FILTER none %]>
    document.chartform.category[0].selected = true;
    catSelected();
    checkNewState();
diff --git a/template/en/default/search/search-instant.html.tmpl b/template/en/default/search/search-instant.html.tmpl

index 01af804fc96c63fc48a6cb3187e09c28eb420f3b..d0cf078e7e15b453e3ebcb7e506f6b4bc3a4f624 100644 (file)
--- a/template/en/default/search/search-instant.html.tmpl
+++ b/template/en/default/search/search-instant.html.tmpl
@@ -19,7 +19,7 @@
    [% default.product = [ 'Firefox' ] %]
  [% END %]
  
-<script>
+<script [% script_nonce FILTER none %]>
  YAHOO.bugzilla.instantSearch.setLabels( {
    id: "[% field_descs.bug_id FILTER js %]",
    summary: "[% field_descs.short_desc FILTER js %]",
diff --git a/template/en/default/search/search-report-graph.html.tmpl b/template/en/default/search/search-report-graph.html.tmpl

index df9c9e8ade0cce53fed6e4a0b3f5a248167c3407..57ca8a8e9950ffcf45a28278072bfd667d224542 100644 (file)
--- a/template/en/default/search/search-report-graph.html.tmpl
+++ b/template/en/default/search/search-report-graph.html.tmpl
@@ -46,7 +46,7 @@ var queryform = "reportform"
    [% terms.bugs %] using the rest of the form.
  </p>
  
-<script><!--
+<script [% script_nonce FILTER none %]><!--
    [%# The Y-axis fields are not used for pie charts %]
    function chartTypeChanged() {
      // format[2] is the pie chart radio button
author	Dylan William Hardison <dylan@hardison.net>
	Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)
committer	GitHub <noreply@github.com>
	Wed, 21 Feb 2018 18:59:53 +0000 (13:59 -0500)
Bugzilla/CGI.pm		patch \| blob \| blame \| history
Bugzilla/CGI/ContentSecurityPolicy.pm		patch \| blob \| blame \| history
chart.cgi		patch \| blob \| blame \| history
extensions/BMO/template/en/default/account/create.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-automative.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-creative.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-fsa-budget.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-mozlist.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-mozpr.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-swag.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/bug/create/create-user-engagement.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/admin/products/edit-common-rows.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/attachment/edit-view.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/bug/comments-a_comment-end.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/bug/comments-aftercomments.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/bug/comments-comment_banner.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/bug/edit-after_importance.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/hook/bug/edit-custom_field.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/pages/release_tracking_report.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/pages/triage_reports.html.tmpl		patch \| blob \| blame \| history
extensions/BMO/template/en/default/pages/user_activity.html.tmpl		patch \| blob \| blame \| history
extensions/BugmailFilter/template/en/default/account/prefs/bugmail_filter.html.tmpl		patch \| blob \| blame \| history
extensions/ComponentWatching/template/en/default/account/prefs/component_watch.html.tmpl		patch \| blob \| blame \| history
extensions/ComponentWatching/template/en/default/hook/admin/components/edit-common-rows.html.tmpl		patch \| blob \| blame \| history
extensions/EditTable/template/en/default/pages/edit_table.html.tmpl		patch \| blob \| blame \| history
extensions/FlagDefaultRequestee/template/en/default/flag/default_requestees.html.tmpl		patch \| blob \| blame \| history
extensions/FlagTypeComment/template/en/default/flag/type_comment.html.tmpl		patch \| blob \| blame \| history
extensions/GuidedBugEntry/template/en/default/guided/guided.html.tmpl		patch \| blob \| blame \| history
extensions/InlineHistory/template/en/default/hook/bug/comments-aftercomments.html.tmpl		patch \| blob \| blame \| history
extensions/MyDashboard/template/en/default/pages/mydashboard.html.tmpl		patch \| blob \| blame \| history
extensions/Needinfo/template/en/default/hook/attachment/edit-after_comment_textarea.html.tmpl		patch \| blob \| blame \| history
extensions/Push/template/en/default/pages/push_config.html.tmpl		patch \| blob \| blame \| history
extensions/REMO/template/en/default/bug/create/create-remo-budget.html.tmpl		patch \| blob \| blame \| history
extensions/REMO/template/en/default/bug/create/create-remo-it.html.tmpl		patch \| blob \| blame \| history
extensions/REMO/template/en/default/bug/create/create-remo-swag.html.tmpl		patch \| blob \| blame \| history
extensions/REMO/template/en/default/pages/remo-form-payment.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/hook/attachment/create-end.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/hook/attachment/edit-end.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/hook/bug/create/create-end.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/hook/bug/edit-after_people.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/hook/flag/list-requestee.html.tmpl		patch \| blob \| blame \| history
extensions/Review/template/en/default/pages/review_history.html.tmpl		patch \| blob \| blame \| history
extensions/SecureMail/template/en/default/hook/admin/users/userdata-end.html.tmpl		patch \| blob \| blame \| history
extensions/Splinter/template/en/default/pages/splinter.html.tmpl		patch \| blob \| blame \| history
extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl		patch \| blob \| blame \| history
extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl		patch \| blob \| blame \| history
extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl		patch \| blob \| blame \| history
extensions/TrackingFlags/template/en/default/hook/bug/field-editable.html.tmpl		patch \| blob \| blame \| history
extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl		patch \| blob \| blame \| history
extensions/UserStory/template/en/default/hook/bug/comments-comment_banner.html.tmpl		patch \| blob \| blame \| history
extensions/UserStory/template/en/default/hook/bug/create/create-after_custom_fields.html.tmpl		patch \| blob \| blame \| history
extensions/Voting/template/en/default/hook/admin/products/edit-common-rows.html.tmpl		patch \| blob \| blame \| history
report.cgi		patch \| blob \| blame \| history
static/metricsgraphics/socorro-lens.html		patch \| blob \| blame \| history
template/en/default/account/prefs/email.html.tmpl		patch \| blob \| blame \| history
template/en/default/account/prefs/saved-searches.html.tmpl		patch \| blob \| blame \| history
template/en/default/account/prefs/settings.html.tmpl		patch \| blob \| blame \| history
template/en/default/admin/custom_fields/create.html.tmpl		patch \| blob \| blame \| history
template/en/default/admin/params/common.html.tmpl		patch \| blob \| blame \| history
template/en/default/admin/workflow/comment.html.tmpl		patch \| blob \| blame \| history
template/en/default/admin/workflow/edit.html.tmpl		patch \| blob \| blame \| history
template/en/default/attachment/create.html.tmpl		patch \| blob \| blame \| history
template/en/default/attachment/createformcontents.html.tmpl		patch \| blob \| blame \| history
template/en/default/attachment/diff-file.html.tmpl		patch \| blob \| blame \| history
template/en/default/attachment/edit.html.tmpl		patch \| blob \| blame \| history
template/en/default/attachment/list.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/comments.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/create/create-guided.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/create/create.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/edit.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/field.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/knob.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/summarize-time.html.tmpl		patch \| blob \| blame \| history
template/en/default/list/edit-multiple.html.tmpl		patch \| blob \| blame \| history
template/en/default/list/quips.html.tmpl		patch \| blob \| blame \| history
template/en/default/mfa/duo/verify.html.tmpl		patch \| blob \| blame \| history
template/en/default/reports/create-chart.html.tmpl		patch \| blob \| blame \| history
template/en/default/reports/keywords.html.tmpl		patch \| blob \| blame \| history
template/en/default/reports/report-table.html.tmpl		patch \| blob \| blame \| history
template/en/default/reports/series-common.html.tmpl		patch \| blob \| blame \| history
template/en/default/reports/series.html.tmpl		patch \| blob \| blame \| history
template/en/default/request/queue.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/boolean-charts.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/field.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/form.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/search-create-series.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/search-instant.html.tmpl		patch \| blob \| blame \| history
template/en/default/search/search-report-graph.html.tmpl		patch \| blob \| blame \| history