0011826: Remove all inline JavaScript from MantisBT (use external scripts instead)

Issue History
Date Modified	Username	Field	Change
2010-04-22 04:37	dhx	New Issue
2010-04-22 04:37	dhx	Relationship added	related to 0011825
2010-06-03 09:01	AboeBakr	Note Added: 0025677
2010-06-10 02:09	daryn	Changeset attached	=> MantisBT master 2dc8409e
2010-06-23 01:53	dhx	Note Added: 0025958
2010-06-23 11:34	dhx	Note Added: 0025968
2010-06-23 11:34	dhx	Assigned To	=> dhx
2010-06-23 11:34	dhx	Status	new => assigned
2010-06-23 11:34	dhx	Relationship added	parent of 0009117
2010-06-28 03:16	dhx	Changeset attached	=> MantisBT master 0551d94b
2010-06-28 03:37	dhx	Changeset attached	=> MantisBT master c5329886
2010-08-07 02:10	dhx	Changeset attached	=> MantisBT master 8c18b0ee
2010-08-07 02:10	dhx	Changeset attached	=> MantisBT master 1dbe709e
2010-08-07 02:10	dhx	Changeset attached	=> MantisBT master bba266b1
2010-08-07 02:54	dhx	Relationship added	related to 0012245
2010-08-19 07:46	dhx	Changeset attached	=> MantisBT master df22831e
2010-08-19 09:14	dhx	Changeset attached	=> MantisBT master 111d9b76
2010-08-20 07:32	dhx	Changeset attached	=> MantisBT master 735ddedd
2010-08-25 02:05	daryn	Changeset attached	=> MantisBT master 6b5e037c
2010-08-25 02:05	daryn	Changeset attached	=> MantisBT master e087425c
2010-08-27 13:02	daryn	Changeset attached	=> MantisBT master 7ec1d497
2010-09-19 03:20	dhx	Relationship added	related to 0009793
2010-10-01 17:49	grangeway	Changeset attached	=> MantisBT master e597fac2
2010-12-25 09:25	dhx	Changeset attached	=> MantisBT master 0d602be5
2010-12-25 21:36	dhx	Relationship added	parent of 0012631
2010-12-25 21:44	dhx	Changeset attached	=> MantisBT master 7790835c
2010-12-26 07:55	dhx	Changeset attached	=> MantisBT master 7a6fba7c
2010-12-26 07:55	dhx	Changeset attached	=> MantisBT master adf2338a
2010-12-26 09:12	dhx	Changeset attached	=> MantisBT master 4b0e0d5d
2010-12-26 09:33	dhx	Changeset attached	=> MantisBT master 2a1eed9d
2010-12-26 09:33	dhx	Resolution	open => fixed
2010-12-26 09:33	dhx	Fixed in Version	=> 1.3.x
2010-12-26 09:41	dhx	Note Added: 0027702
2010-12-26 09:41	dhx	Status	assigned => resolved
2011-07-15 09:52	dhx	Changeset attached	=> MantisBT master 10af3a5d
2013-04-05 17:57	grangeway	Status	resolved => acknowledged
2013-04-05 17:57	grangeway	Note Added: 0036459
2013-04-05 18:08	grangeway	Relationship added	related to 0015721
2013-04-06 03:44	dregad	Status	acknowledged => resolved
2013-04-06 07:20	grangeway	Status	resolved => acknowledged
2013-04-06 09:26	dregad	Tag Attached: 2.0.x check
2013-04-06 09:26	dregad	Status	acknowledged => resolved

Notes
(0025677) AboeBakr (reporter) 2010-06-03 09:01	writing a plugin without the ability of using inline javascript could impose some difficulties for the plugin dynamic javascript based on the page contents should be possible imho. a workaround would be the possibility of registering the dynamic javascript, so that mantis can include this by reference to a file returning this content. but i'm not sure inline <script src= etc is an option? (limiting src to mantis domain at least)

(0025958) dhx (developer) 2010-06-23 01:53	The idea would be that plugins register their requirement for loading external JavaScript files upon the EVENT_PLUGIN_INIT event. It's possible to determine which page is being loaded by the plugin so the plugin can selectively enable/disable loading of external JavaScript files depending on the page being loaded. In the future when we get a proper templating system setup this will all become much easier as we will have separated logic from output display functionality. Thus MantisBT processes all data first before outputting a single like of HTML to the client. A dedicated event such as EVENT_PLUGIN_REGISTER_JAVASCRIPT could be fired after data has been processed to let plugins load their own scripts. The MantisBT core would be responsible for preventing the inclusion of the same script multiple times.

(0025968) dhx (developer) 2010-06-23 11:34	This should be straightforward now that a lot of the big JavaScript removal tasks have already taken place. I'll try and continue this work in the hope it can be completed by 1.3.x.

(0027702) dhx (developer) 2010-12-26 09:41	Finally completed the removal of inline JavaScript! I have tightened the Content-Security-Policy policy to disallow inline JavaScript from executing. For Firefox 4 users this means any future XSS vulnerabilities in MantisBT will be of very limited concern as attackers can no longer run JavaScript code as part of that vulnerability. Hopefully other browser vendors can look at supporting CSP too.

(0036459) grangeway (developer) 2013-04-05 17:57	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets
MantisBT: master 2dc8409e Timestamp: 2010-06-10 05:00:36 Author: daryn [ Details ] [ Diff ]	Remove ToggleDiv call from the html and add jquery listener. Modify to use jquery calls rather than dom calls. Add classes so the listener can be added for all collapsible divs at once.
	mod - javascript/min/common.js	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - core/collapse_api.php	[ Diff ] [ File ]

MantisBT: master 0551d94b Timestamp: 2010-06-28 06:57:21 Author: dhx [ Details ] [ Diff ]	Issue 0011826: jQuery-ise stopwatch and add JavaScript translation framework This commit furthers the goal of removing inline JavaScript from within the MantisBT codebase. The time tracking stopwatch has been converted to use jQuery removing the need to insert <script> tags outside the <head> element. A new JavaScript translations framework (javascript_translations.php) has been implemented that allows translation of strings for use in scripts. Scripts can now just use the new translations[] array where the keys match those used in the lang_get() function. For now it's necessary to define which strings need to be translated in javascript_translations.php. This is currently a very simple system as we don't have many strings that need translating.
	rm - javascript/dev/time_tracking_stopwatch.js	[ Diff ] [ File ]
	mod - bugnote_add_inc.php	[ Diff ] [ File ]
	rm - javascript/min/time_tracking_stopwatch.js	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - core/html_api.php	[ Diff ] [ File ]
	mod - bug_change_status_page.php	[ Diff ] [ File ]
	add - javascript_translations.php	[ Diff ] [ File ]

MantisBT: master c5329886 Timestamp: 2010-06-28 07:34:41 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Convert form field autofocus scripts to jQuery This commit furthers the goal of removing inline JavaScript from within the MantisBT codebase. Instead of using inline JavaScript to toggle automatic focus on form fields we can use jQuery instead. All one needs to do is place a field within a form with the "autofocus" class specified.
	mod - lost_pwd_page.php	[ Diff ] [ File ]
	mod - login_page.php	[ Diff ] [ File ]
	mod - signup_page.php	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - bug_report_page.php	[ Diff ] [ File ]
	mod - core/authentication_api.php	[ Diff ] [ File ]

MantisBT: master bba266b1 Timestamp: 2010-08-07 05:54:27 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Add dynamic JavaScript configuration script This script is loaded prior to any other scripts and will allow all scripts to read selected MantisBT configuration values.
	add - javascript_config.php	[ Diff ] [ File ]

MantisBT: master 1dbe709e Timestamp: 2010-08-07 05:58:16 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Implement new loading functions for CSS and JS Two new functions have been added so that MantisBT pages can inform the MantisBT core (html_api.php in particular) which JavaScript files and stylesheets to load during the output HTML rendering. These functions must be used PRIOR to html_top() being executed as after that point of time it'll be too late to load new scripts or stylesheets. This functionality will prevent multiple inclusions of the same JavaScript file and will also prevent the need for downloading a new stylesheet or script half way through the rendering of the page within the user's browser.
	mod - core/html_api.php	[ Diff ] [ File ]

MantisBT: master 8c18b0ee Timestamp: 2010-08-07 06:03:16 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Replace inline JavaScript datetime picker The JavaScript date/time picker control was being loaded inline within the body of the HTML output. An upgraded MantisBT core can now handle loading or scripts and stylesheets more gracefully using new require_js and require_css functions. This allows us to remove a bunch of inline JavaScript thus progressing towards full implementation of X-Content-Security-Policy. jQuery is used to search the document on load for any text input fields with the class "datetime". For each field found, a datetime picker icon/button is created next to the input box. Users can click this icon (as they could before) to show the jsCalendar widget (which remains unchanged).
	mod - bug_change_status_page.php	[ Diff ] [ File ]
	mod - bug_update_advanced_page.php	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - manage_proj_ver_edit_page.php	[ Diff ] [ File ]
	mod - bug_report_page.php	[ Diff ] [ File ]
	mod - core/date_api.php	[ Diff ] [ File ]

MantisBT: master df22831e Timestamp: 2010-08-19 11:39:51 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Remove inline JavaScript for loading dynamic filters Use the new require_js() function to include the dynamic JavaScript filter scripts instead of pulling them within <body>.
	mod - view_all_bug_page.php	[ Diff ] [ File ]
	mod - view_all_inc.php	[ Diff ] [ File ]
	mod - javascript/dev/dynamic_filters.js	[ Diff ] [ File ]

MantisBT: master 111d9b76 Timestamp: 2010-08-19 13:07:03 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Use jQuery to handle "select all" checkbox The "select all" checkbox on view_all_bug_page currently uses inline JavaScript via the onclick event to select all the checkboxes on the page. This patch removes the inline JavaScript and instead replaces it with equivalent (but more portable/reusable) jQuery code. To implement any "select all" checkbox in the future, all one has to do is: 1) Ensure the "Select all" checkbox is within the same form as the checkboxes to check. 2) Ensure that the "Select all" checkbox includes the class "check_all". 3) Name the target checkboxes as "{field_name}[]" e.g., name="bugs[]" or name="users[]". 4) Name the "Select all" checkbox as "{field_name}_all" e.g., name="bugs_all" or name="users_all".
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - view_all_inc.php	[ Diff ] [ File ]

MantisBT: master 735ddedd Timestamp: 2010-08-20 11:19:51 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Remove ajax_api ajax_api was used in two places (bug_update_page and tag_update_page) for the purpose of hiding user selection comboboxes until clicked upon. This approach relied upon inline JavaScript which is being removed in 1.3.x. It was easier to remove this feature than to reimplement it using jQuery. It's disputable as to whether anything has been lost (some would say that the AJAX click-to-edit added more clicks and more delay to updating forms).
	rm - javascript/ajax.js	[ Diff ] [ File ]
	mod - core/xmlhttprequest_api.php	[ Diff ] [ File ]
	rm - core/ajax_api.php	[ Diff ] [ File ]
	mod - bug_update_advanced_page.php	[ Diff ] [ File ]
	mod - core/html_api.php	[ Diff ] [ File ]
	mod - tag_update_page.php	[ Diff ] [ File ]

MantisBT: master e597fac2 Timestamp: 2010-08-20 23:25:56 Author: grangeway [ Details ] [ Diff ]	Issue 0011826: Remove ajax_api
	rm - javascript/dev/ajax.js	[ Diff ] [ File ]

MantisBT: master e087425c Timestamp: 2010-08-25 05:10:42 Author: daryn [ Details ] [ Diff ]	Bug 0011826 - Remove inline javascript for bug-jump field and put it in common.js. Add css styles for bug-jump.
	mod - css/default.css	[ Diff ] [ File ]
	mod - core/html_api.php	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]

MantisBT: master 6b5e037c Timestamp: 2010-08-25 05:31:45 Author: daryn [ Details ] [ Diff ]	Bug 0011826, Bug 0011995, Fix invalid html in the view all bug filter. Add divs, classes and id's where necessary to facilitate moving style elements into css and inline javascript into javascript files.
	mod - css/default.css	[ Diff ] [ File ]
	mod - core/filter_api.php	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]

MantisBT: master 7ec1d497 Timestamp: 2010-08-27 17:00:51 Author: daryn [ Details ] [ Diff ]	Issue 0011826 - Remove all inline JavaScript from MantisBT (use external scripts instead) Issue 0011995 - Add CSS IDs to html elements for styling and javascript access.
	mod - css/default.css	[ Diff ] [ File ]
	mod - core/html_api.php	[ Diff ] [ File ]
	mod - javascript/dev/common.js	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]

MantisBT: master 0d602be5 Timestamp: 2010-12-25 13:09:09 Author: dhx [ Details ] [ Diff ]	Issue 0012545: Rewrite attachment listing and previewing The output printing of bug attachment listings used to use inline custom JavaScript code. This commit rewrites the printing of attachment lists to use collapse_api. collapse_api doesn't use inline JavaScript for collapsing/expanding content on the page.
	mod - core/print_api.php	[ Diff ] [ File ]
	mod - css/default.css	[ Diff ] [ File ]
	mod - core/collapse_api.php	[ Diff ] [ File ]

MantisBT: master 7790835c Timestamp: 2010-12-26 02:26:39 Author: dhx [ Details ] [ Diff ]	Issue 0012631: Replace old dynamic filter JavaScript code with jQuery MantisBT was using a very old and messy method for handling dynamic filters with client side JavaScript. This involved a lot of inline JavaScript throughout the HTML output which is blocking our progress towards bug 0011826 - completely removing all inline JavaScript from the HTML output. This patch removes the old dynamic filter JavaScript approach and replaces it with a smaller, faster, more reliable and easier to maintain jQuery equivalent.
	rm - javascript/dev/addLoadEvent.js	[ Diff ] [ File ]
	mod - core/helper_api.php	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]
	mod - docbook/Admin_Guide/en-US/Configuration.xml	[ Diff ] [ File ]
	rm - javascript/dynamic_filters.js	[ Diff ] [ File ]
	mod - core/filter_api.php	[ Diff ] [ File ]
	mod - view_all_bug_page.php	[ Diff ] [ File ]
	mod - core/obsolete.php	[ Diff ] [ File ]
	rm - javascript/dev/dynamic_filters.js	[ Diff ] [ File ]
	mod - core/print_api.php	[ Diff ] [ File ]
	mod - return_dynamic_filters.php	[ Diff ] [ File ]
	mod - lang/strings_english.txt	[ Diff ] [ File ]
	mod - admin/check/check_display_inc.php	[ Diff ] [ File ]
	rm - javascript/dev/xmlhttprequest.js	[ Diff ] [ File ]
	rm - javascript/xmlhttprequest.js	[ Diff ] [ File ]
	rm - javascript/addLoadEvent.js	[ Diff ] [ File ]
	mod - view_filters_page.php	[ Diff ] [ File ]
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master 7a6fba7c Timestamp: 2010-12-26 10:18:55 Author: dhx [ Details ] [ Diff ]	Issue 0012545: Remove inline onclick attribute from bugnote submit button We still have CSRF in place to prevent duplicate form submission.
	mod - bugnote_add_inc.php	[ Diff ] [ File ]

MantisBT: master adf2338a Timestamp: 2010-12-26 12:48:04 Author: dhx [ Details ] [ Diff ]	Issue 0012545: Remove inline JavaScript handlers from MantisGraph Period.php from the core MantisGraph plugin was generating date range pickers that used inline JavaScript. This has now been factored out to use a jQuery approach instead.
	mod - core/print_api.php	[ Diff ] [ File ]
	mod - css/default.css	[ Diff ] [ File ]
	mod - plugins/MantisGraph/core/Period.php	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]

MantisBT: master 4b0e0d5d Timestamp: 2010-12-26 14:04:52 Author: dhx [ Details ] [ Diff ]	Issue 0011826: Remove inline JavaScript for tag filter + date filter This patch removes inline JavaScript for the tag filter and replaces it with a pure jQuery equivalent. Some improvements were also made to the date filter JavaScript code to reduce possible errors and remove some unnecessary code duplication.
	mod - core/filter_api.php	[ Diff ] [ File ]
	mod - view_filters_page.php	[ Diff ] [ File ]
	mod - core/print_api.php	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]

MantisBT: master 2a1eed9d Timestamp: 2010-12-26 14:24:10 Author: dhx [ Details ] [ Diff ]	Fix 0011826: All inline JavaScript now removed The MantisBT code base is now free of inline JavaScript code. We can therefore tighten Content-Security-Policy settings to disallow execution of any inline JavaScript. This is a major security milestone for browsers supporting Content-Security-Policy (currently Firefox 4). In the event of a XSS bug anywhere within MantisBT, JavaScript code can no longer be executed as part of an XSS exploit. Firefox 4 users are therefore exposed to much less risk - so much so that any future MantisBT XSS vulnerabilities will likely be a non-issue.
	mod - core/http_api.php	[ Diff ] [ File ]

MantisBT: master 10af3a5d Timestamp: 2011-07-15 06:48:45 Author: dhx [ Details ] [ Diff ]	Use placeholder attribute for stopwatch input fields As part of issue 0011826 to remove all inline JavaScript, the time tracking stopwatch feature was rewritten using jQuery. A default value of "hh:mm" was being placed in the time tracking input field which is invalid if submitted. We should be using the newer 'placeholder' HTML attribute instead of mangling the actual value stored in the text input field.
	mod - bug_change_status_page.php	[ Diff ] [ File ]
	mod - bugnote_add_inc.php	[ Diff ] [ File ]
	mod - javascript/common.js	[ Diff ] [ File ]