View Issue Details

| Field | Value |
|---|---|
| ID | 0011826 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2010-04-22 04:37 |
| Last Update | 2014-12-08 00:33 |
| Reporter | dhx |
| Assigned To | dhx |
| Priority | high |
| Severity | feature |
| Reproducibility | N/A |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.0 |
| Target Version | 1.3.0-beta.1 |
| Fixed in Version | 1.3.0-beta.1 |
| Summary | 0011826: Remove all inline JavaScript from MantisBT (use external scripts instead) |
| Tags | No tags attached. |

Description

We should aim to remove all inline JavaScript from the output of MantisBT pages. This includes removal of:
- onX events in HTML elements.
- <script>...</script> inline code.
- javascript:... in URIs (such as <a href="javascript:"...).

This change will result in decreased page sizes (JavaScript code can now be cached by clients). More importantly, we can use CSP (see 0011825) with the inline-javascript option disabled. This reduces the impact of XSS bugs in MantisBT as the browser won't execute any inline JavaScript inserted by an attacker in an XSS attack.
| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0011825 | closed | dhx | Support X-Content-Security-Policy (CSP) |
| related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x |
| parent of | 0009117 | closed | dhx | Please remove projax from mantis |
| parent of | 0012631 | closed | dhx | Replace old inline dynamic filter code with jQuery equivalent |
| related to | 0012245 | closed | dhx | Remove extended project browser feature |
| related to | 0009793 | closed | dhx | ActiveXObject emulation hack should be removed |
| related to | 0017944 | closed | vboctor | Regression from 1.2.x: slow performance when editing issues |
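The description lists three inline forms to remove because a CSP without an inline allowance blocks all of them. As an added example (not MantisBT code), a small audit that flags those patterns in rendered HTML; the sample page and the helper names are constructed here:

```javascript
// Added example, not MantisBT code: flag the three inline JavaScript forms the
// issue lists (onX attributes, <script> without src, javascript: URIs). Each of
// them stops executing once CSP forbids inline script, so any hit is either a
// page that will break under CSP or a place an injected payload could still run.
const INLINE_PATTERNS = [
  // onX="..." event-handler attribute on any element
  { kind: 'event-handler', re: /<[a-z][^>]*\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi },
  // <script ...> block with no src attribute, i.e. inline code
  { kind: 'inline-script', re: /<script\b(?![^>]*\bsrc\s*=)[^>]*>[\s\S]*?<\/script>/gi },
  // javascript: scheme in a link or resource attribute
  { kind: 'javascript-uri', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
];

// Return one finding per match: pattern kind, 1-based line and a short snippet.
function findInlineJavaScript(html) {
  const findings = [];
  for (const { kind, re } of INLINE_PATTERNS) {
    re.lastIndex = 0;                       // shared regex objects carry state
    let m;
    while ((m = re.exec(html)) !== null) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ kind, line, snippet: m[0].slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// True when the page could run under a script-src policy with no inline allowance.
function isCspClean(html) {
  return findInlineJavaScript(html).length === 0;
}

// Constructed sample output: one external script (allowed) and three inline
// patterns of the kind the commits on this issue moved into common.js.
const SAMPLE_HTML = [
  '<html><head>',
  '<script type="text/javascript" src="/javascript/common.js"></script>',
  '<script>var bug_id = 123;</script>',
  '</head><body>',
  '<input type="checkbox" name="bugs_all" onclick="checkAll(this.form)">',
  '<a href="javascript:toggleDiv(\'history\')">History</a>',
  '<input type="checkbox" class="check_all" name="bugs_all">',
  '</body></html>',
].join('\n');

for (const f of findInlineJavaScript(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.kind}  ${f.snippet}`);
}
```

Regex scanning is a cheap pre-check for templates, not a parser; attribute values containing a literal `>` can still slip past it.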
Writing a plugin without the ability to use inline JavaScript could impose some difficulties for the plugin. A workaround would be the possibility of registering the dynamic JavaScript, so that Mantis can include this by reference to a file returning this content. But I'm not sure inline <script src= etc. is an option? (Limiting src to the Mantis domain at least.)

The idea would be that plugins register their requirement for loading external JavaScript files upon the EVENT_PLUGIN_INIT event. It's possible to determine which page is being loaded by the plugin so the plugin can selectively enable/disable loading of external JavaScript files depending on the page being loaded. In the future when we get a proper templating system set up this will all become much easier as we will have separated logic from output display functionality. Thus MantisBT processes all data first before outputting a single line of HTML to the client. A dedicated event such as EVENT_PLUGIN_REGISTER_JAVASCRIPT could be fired after data has been processed to let plugins load their own scripts. The MantisBT core would be responsible for preventing the inclusion of the same script multiple times.

This should be straightforward now that a lot of the big JavaScript removal tasks have already taken place. I'll try and continue this work in the hope it can be completed by 1.3.x.

Finally completed the removal of inline JavaScript! I have tightened the Content-Security-Policy policy to disallow inline JavaScript from executing. For Firefox 4 users this means any future XSS vulnerabilities in MantisBT will be of very limited concern as attackers can no longer run JavaScript code as part of that vulnerability. Hopefully other browser vendors can look at supporting CSP too.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

MantisBT: master 2dc8409e 2010-06-10 01:00
Remove ToggleDiv call from the HTML and add jQuery listener. Modify to use jQuery calls rather than DOM calls. Add classes so the listener can be added for all collapsible divs at once.
Affected Issues 0011826
mod - javascript/min/common.js
mod - javascript/dev/common.js
mod - core/collapse_api.php

MantisBT: master 0551d94b 2010-06-28 02:57
Issue 0011826: jQuery-ise stopwatch and add JavaScript translation framework
This commit furthers the goal of removing inline JavaScript from within the MantisBT codebase. The time tracking stopwatch has been converted to use jQuery removing the need to insert <script> tags outside the <head> element. A new JavaScript translations framework (javascript_translations.php) has been implemented that allows translation of strings for use in scripts. Scripts can now just use the new translations[] array where the keys match those used in the lang_get() function. For now it's necessary to define which strings need to be translated in javascript_translations.php. This is currently a very simple system as we don't have many strings that need translating.
Affected Issues 0011826
rm - javascript/dev/time_tracking_stopwatch.js
mod - bugnote_add_inc.php
rm - javascript/min/time_tracking_stopwatch.js
mod - javascript/dev/common.js
mod - core/html_api.php
mod - bug_change_status_page.php
add - javascript_translations.php

MantisBT: master c5329886 2010-06-28 03:34
Issue 0011826: Convert form field autofocus scripts to jQuery
This commit furthers the goal of removing inline JavaScript from within the MantisBT codebase. Instead of using inline JavaScript to toggle automatic focus on form fields we can use jQuery instead. All one needs to do is place a field within a form with the "autofocus" class specified.
Affected Issues 0011826
mod - lost_pwd_page.php
mod - login_page.php
mod - signup_page.php
mod - javascript/dev/common.js
mod - bug_report_page.php
mod - core/authentication_api.php

MantisBT: master bba266b1 2010-08-07 01:54
Issue 0011826: Add dynamic JavaScript configuration script
This script is loaded prior to any other scripts and will allow all scripts to read selected MantisBT configuration values.
Affected Issues 0011826
add - javascript_config.php

MantisBT: master 1dbe709e 2010-08-07 01:58
Issue 0011826: Implement new loading functions for CSS and JS
Two new functions have been added so that MantisBT pages can inform the MantisBT core (html_api.php in particular) which JavaScript files and stylesheets to load during the output HTML rendering. These functions must be used PRIOR to html_top() being executed as after that point of time it'll be too late to load new scripts or stylesheets. This functionality will prevent multiple inclusions of the same JavaScript file and will also prevent the need for downloading a new stylesheet or script half way through the rendering of the page within the user's browser.
Affected Issues 0011826
mod - core/html_api.php

MantisBT: master 8c18b0ee 2010-08-07 02:03
Issue 0011826: Replace inline JavaScript datetime picker
The JavaScript date/time picker control was being loaded inline within the body of the HTML output. An upgraded MantisBT core can now handle loading of scripts and stylesheets more gracefully using new require_js and require_css functions. This allows us to remove a bunch of inline JavaScript thus progressing towards full implementation of X-Content-Security-Policy. jQuery is used to search the document on load for any text input fields with the class "datetime". For each field found, a datetime picker icon/button is created next to the input box. Users can click this icon (as they could before) to show the jsCalendar widget (which remains unchanged).
Affected Issues 0011826
mod - bug_change_status_page.php
mod - bug_update_advanced_page.php
mod - javascript/dev/common.js
mod - manage_proj_ver_edit_page.php
mod - bug_report_page.php
mod - core/date_api.php

MantisBT: master df22831e 2010-08-19 07:39
Issue 0011826: Remove inline JavaScript for loading dynamic filters
Use the new require_js() function to include the dynamic JavaScript filter scripts instead of pulling them within <body>.
Affected Issues 0011826
mod - view_all_bug_page.php
mod - view_all_inc.php
mod - javascript/dev/dynamic_filters.js

MantisBT: master 111d9b76 2010-08-19 09:07
Issue 0011826: Use jQuery to handle "select all" checkbox
The "select all" checkbox on view_all_bug_page currently uses inline JavaScript via the onclick event to select all the checkboxes on the page. This patch removes the inline JavaScript and instead replaces it with equivalent (but more portable/reusable) jQuery code. To implement any "select all" checkbox in the future, all one has to do is:
1) Ensure the "Select all" checkbox is within the same form as the checkboxes to check.
2) Ensure that the "Select all" checkbox includes the class "check_all".
3) Name the target checkboxes as "{field_name}[]" e.g., name="bugs[]" or name="users[]".
4) Name the "Select all" checkbox as "{field_name}_all" e.g., name="bugs_all" or name="users_all".
Affected Issues 0011826
mod - javascript/dev/common.js
mod - view_all_inc.php

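The four-step convention in the commit above, as an added example that is not MantisBT's common.js: a plain handler bound from script rather than from an onclick attribute, so it keeps working once inline JavaScript is blocked. The fixture objects stand in for DOM form elements and are constructed here.

```javascript
// Added example, not MantisBT's common.js: the "select all" convention from the
// commit above as a plain handler, so the HTML needs no onclick attribute.

// Step 4 names the box "{field_name}_all"; step 3 names its targets "{field_name}[]".
function targetNameFor(checkAllName) {
  if (!checkAllName.endsWith('_all')) {
    throw new Error('check_all box must be named "{field_name}_all", got ' + checkAllName);
  }
  return checkAllName.slice(0, -'_all'.length) + '[]';
}

// Copy the "select all" state to every matching checkbox in the same form (step 1).
// Other forms, other names and non-checkbox fields are left alone. Returns the count changed.
function applySelectAll(checkAll) {
  const form = checkAll.form;
  if (!form) return 0;
  const targetName = targetNameFor(checkAll.name);
  let changed = 0;
  for (const el of Array.from(form.elements)) {
    if (el.type === 'checkbox' && el.name === targetName) {
      el.checked = checkAll.checked;
      changed++;
    }
  }
  return changed;
}

// In a browser, wire every input.check_all (step 2) once the DOM is ready.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    for (const box of document.querySelectorAll('input.check_all')) {
      box.addEventListener('change', () => applySelectAll(box));
    }
  });
}

// Constructed stand-in for form.elements so the handler can be exercised without
// a DOM: three bug checkboxes, a hidden bugs[] field and a users[] checkbox.
function makeFixture() {
  const form = { elements: [] };
  const add = (name, type) => { const el = { name, type, checked: false, form }; form.elements.push(el); return el; };
  const checkAll = add('bugs_all', 'checkbox');
  ['bugs[]', 'bugs[]', 'bugs[]'].forEach((n) => add(n, 'checkbox'));
  add('bugs[]', 'hidden');      // same name, not a checkbox: must be skipped
  add('users[]', 'checkbox');   // different field: must be skipped
  return { form, checkAll };
}
```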
MantisBT: master 735ddedd 2010-08-20 07:19
Issue 0011826: Remove ajax_api
ajax_api was used in two places (bug_update_page and tag_update_page) for the purpose of hiding user selection comboboxes until clicked upon. This approach relied upon inline JavaScript which is being removed in 1.3.x. It was easier to remove this feature than to reimplement it using jQuery. It's disputable as to whether anything has been lost (some would say that the AJAX click-to-edit added more clicks and more delay to updating forms).
Affected Issues 0011826
rm - javascript/ajax.js
mod - core/xmlhttprequest_api.php
rm - core/ajax_api.php
mod - bug_update_advanced_page.php
mod - core/html_api.php
mod - tag_update_page.php

MantisBT: master e597fac2 2010-08-20 19:25
Issue 0011826: Remove ajax_api
Affected Issues 0011826
rm - javascript/dev/ajax.js

MantisBT: master e087425c 2010-08-25 01:10
Bug 0011826 - Remove inline JavaScript for bug-jump field and put it in common.js. Add CSS styles for bug-jump.
Affected Issues 0011826
mod - css/default.css
mod - core/html_api.php
mod - javascript/dev/common.js
mod - javascript/common.js

MantisBT: master 6b5e037c 2010-08-25 01:31
Bug 0011826, Bug 0011995, Fix invalid HTML in the view all bug filter. Add divs, classes and IDs where necessary to facilitate moving style elements into CSS and inline JavaScript into JavaScript files.
Affected Issues 0011826, 0011995
mod - css/default.css
mod - core/filter_api.php
mod - javascript/dev/common.js
mod - javascript/common.js

MantisBT: master 7ec1d497 2010-08-27 13:00
Issue 0011826 - Remove all inline JavaScript from MantisBT (use external scripts instead)
Issue 0011995 - Add CSS IDs to html elements for styling and javascript access.
Affected Issues 0011826, 0011995
mod - css/default.css
mod - core/html_api.php
mod - javascript/dev/common.js
mod - javascript/common.js

MantisBT: master 0d602be5 2010-12-25 08:09
Issue 0012545: Rewrite attachment listing and previewing
The output printing of bug attachment listings used to use inline custom JavaScript code. This commit rewrites the printing of attachment lists to use collapse_api. collapse_api doesn't use inline JavaScript for collapsing/expanding content on the page.
Affected Issues 0011826, 0012545
mod - core/print_api.php
mod - css/default.css
mod - core/collapse_api.php

MantisBT: master 7790835c 2010-12-25 21:26
Issue 0012631: Replace old dynamic filter JavaScript code with jQuery
MantisBT was using a very old and messy method for handling dynamic filters with client side JavaScript. This involved a lot of inline JavaScript throughout the HTML output which is blocking our progress towards bug 0011826 - completely removing all inline JavaScript from the HTML output. This patch removes the old dynamic filter JavaScript approach and replaces it with a smaller, faster, more reliable and easier to maintain jQuery equivalent.
Affected Issues 0011826, 0012631
rm - javascript/dev/addLoadEvent.js
mod - core/helper_api.php
mod - javascript/common.js
mod - docbook/Admin_Guide/en-US/Configuration.xml
rm - javascript/dynamic_filters.js
mod - core/filter_api.php
mod - view_all_bug_page.php
mod - core/obsolete.php
rm - javascript/dev/dynamic_filters.js
mod - core/print_api.php
mod - return_dynamic_filters.php
mod - lang/strings_english.txt
mod - admin/check/check_display_inc.php
rm - javascript/dev/xmlhttprequest.js
rm - javascript/xmlhttprequest.js
rm - javascript/addLoadEvent.js
mod - view_filters_page.php
mod - config_defaults_inc.php

MantisBT: master 7a6fba7c 2010-12-26 05:18
Issue 0012545: Remove inline onclick attribute from bugnote submit button
We still have CSRF in place to prevent duplicate form submission.
Affected Issues 0011826
mod - bugnote_add_inc.php

MantisBT: master adf2338a 2010-12-26 07:48
Issue 0012545: Remove inline JavaScript handlers from MantisGraph
Period.php from the core MantisGraph plugin was generating date range pickers that used inline JavaScript. This has now been factored out to use a jQuery approach instead.
Affected Issues 0011826
mod - core/print_api.php
mod - css/default.css
mod - plugins/MantisGraph/core/Period.php
mod - javascript/common.js

MantisBT: master 4b0e0d5d 2010-12-26 09:04
Issue 0011826: Remove inline JavaScript for tag filter + date filter
This patch removes inline JavaScript for the tag filter and replaces it with a pure jQuery equivalent. Some improvements were also made to the date filter JavaScript code to reduce possible errors and remove some unnecessary code duplication.
Affected Issues 0011826
mod - core/filter_api.php
mod - view_filters_page.php
mod - core/print_api.php
mod - javascript/common.js

MantisBT: master 2a1eed9d 2010-12-26 09:24
Fix 0011826: All inline JavaScript now removed
The MantisBT code base is now free of inline JavaScript code. We can therefore tighten Content-Security-Policy settings to disallow execution of any inline JavaScript. This is a major security milestone for browsers supporting Content-Security-Policy (currently Firefox 4). In the event of an XSS bug anywhere within MantisBT, JavaScript code can no longer be executed as part of an XSS exploit. Firefox 4 users are therefore exposed to much less risk - so much so that any future MantisBT XSS vulnerabilities will likely be a non-issue.
Affected Issues 0011826
mod - core/http_api.php

MantisBT: master 10af3a5d 2011-07-15 02:48
Use placeholder attribute for stopwatch input fields
As part of issue 0011826 to remove all inline JavaScript, the time tracking stopwatch feature was rewritten using jQuery. A default value of "hh:mm" was being placed in the time tracking input field which is invalid if submitted. We should be using the newer 'placeholder' HTML attribute instead of mangling the actual value stored in the text input field.
Affected Issues 0011826
mod - bug_change_status_page.php
mod - bugnote_add_inc.php
mod - javascript/common.js