View Issue Details

IDProjectCategoryView StatusLast Update
0011826mantisbtsecuritypublic2014-12-08 00:33
ReporterdhxAssigned Todhx 
PriorityhighSeverityfeatureReproducibilityN/A
Status closedResolutionfixed 
Product Version1.2.0 
Target Version1.3.0-beta.1Fixed in Version1.3.0-beta.1 
Summary0011826: Remove all inline JavaScript from MantisBT (use external scripts instead)
Description

We should aim to remove all inline JavaScript from the output of MantisBT pages. This includes removal of:

onX events in HTML elements.

<script>...</script> inline code.

javascript:... in URIs (such as <a href="javascript:"...)

This change will result in decreased page sizes (JavaScript code can now be cached by clients). More importantly, we can use CSP (see 0011825) with the inline-javascript option disabled. This reduces the impact of XSS bugs in MantisBT as the browser won't execute any inline JavaScript inserted by an attacker in an XSS attack.

TagsNo tags attached.

Relationships

related to 0011825 closeddhx Support X-Content-Security-Policy (CSP) 
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 
parent of 0009117 closeddhx Please remove projax from mantis 
parent of 0012631 closeddhx Replace old inline dynamic filter code with jQuery equivalent 
related to 0012245 closeddhx Remove extended project browser feature 
related to 0009793 closeddhx ActiveXObject emulation hack should be removed 
related to 0017944 closedvboctor Regression from 1.2.x: slow performance when editing issues 

Activities

AboeBakr

AboeBakr

2010-06-03 09:01

reporter   ~0025677

writing a plugin without the ability of using inline javascript could impose some difficulties for the plugin
dynamic javascript based on the page contents should be possible imho.

a workaround would be the possibility of registering the dynamic javascript, so that mantis can include this by reference to a file returning this content.

but i'm not sure inline <script src= etc is an option? (limiting src to mantis domain at least)

dhx

dhx

2010-06-23 01:53

reporter   ~0025958

The idea would be that plugins register their requirement for loading external JavaScript files upon the EVENT_PLUGIN_INIT event. It's possible to determine which page is being loaded by the plugin so the plugin can selectively enable/disable loading of external JavaScript files depending on the page being loaded.

In the future when we get a proper templating system setup this will all become much easier as we will have separated logic from output display functionality. Thus MantisBT processes all data first before outputting a single like of HTML to the client. A dedicated event such as EVENT_PLUGIN_REGISTER_JAVASCRIPT could be fired after data has been processed to let plugins load their own scripts. The MantisBT core would be responsible for preventing the inclusion of the same script multiple times.

dhx

dhx

2010-06-23 11:34

reporter   ~0025968

This should be straightforward now that a lot of the big JavaScript removal tasks have already taken place. I'll try and continue this work in the hope it can be completed by 1.3.x.

dhx

dhx

2010-12-26 09:41

reporter   ~0027702

Finally completed the removal of inline JavaScript!

I have tightened the Content-Security-Policy policy to disallow inline JavaScript from executing. For Firefox 4 users this means any future XSS vulnerabilities in MantisBT will be of very limited concern as attackers can no longer run JavaScript code as part of that vulnerability.

Hopefully other browser vendors can look at supporting CSP too.

grangeway

grangeway

2013-04-05 17:57

reporter   ~0036459

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 2dc8409e

2010-06-10 05:00:36

daryn

Details Diff
Remove ToggleDiv call from the html and add jquery listener. Modify to use
jquery calls rather than dom calls. Add classes so the listener can be added
for all collapsible divs at once.
mod - javascript/min/common.js Diff File
mod - javascript/dev/common.js Diff File
mod - core/collapse_api.php Diff File

MantisBT: master 0551d94b

2010-06-28 06:57:21

dhx

Details Diff
Issue 0011826: jQuery-ise stopwatch and add JavaScript translation framework

This commit furthers the goal of removing inline JavaScript from within
the MantisBT codebase.

The time tracking stopwatch has been converted to use jQuery removing
the need to insert <script> tags outside the <head> element.

A new JavaScript translations framework (javascript_translations.php)
has been implemented that allows translation of strings for use in
scripts. Scripts can now just use the new translations[] array where the
keys match those used in the lang_get() function. For now it's necessary
to define which strings need to be translated in
javascript_translations.php. This is currently a very simple system as
we don't have many strings that need translating.
rm - javascript/dev/time_tracking_stopwatch.js Diff File
mod - bugnote_add_inc.php Diff File
rm - javascript/min/time_tracking_stopwatch.js Diff File
mod - javascript/dev/common.js Diff File
mod - core/html_api.php Diff File
mod - bug_change_status_page.php Diff File
add - javascript_translations.php Diff File

MantisBT: master c5329886

2010-06-28 07:34:41

dhx

Details Diff
Issue 0011826: Convert form field autofocus scripts to jQuery

This commit furthers the goal of removing inline JavaScript from within
the MantisBT codebase.

Instead of using inline JavaScript to toggle automatic focus on form
fields we can use jQuery instead. All one needs to do is place a field
within a form with the "autofocus" class specified.
mod - lost_pwd_page.php Diff File
mod - login_page.php Diff File
mod - signup_page.php Diff File
mod - javascript/dev/common.js Diff File
mod - bug_report_page.php Diff File
mod - core/authentication_api.php Diff File

MantisBT: master bba266b1

2010-08-07 05:54:27

dhx

Details Diff
Issue 0011826: Add dynamic JavaScript configuration script

This script is loaded prior to any other scripts and will allow all
scripts to read selected MantisBT configuration values.
add - javascript_config.php Diff File

MantisBT: master 1dbe709e

2010-08-07 05:58:16

dhx

Details Diff
Issue 0011826: Implement new loading functions for CSS and JS

Two new functions have been added so that MantisBT pages can inform the
MantisBT core (html_api.php in particular) which JavaScript files and
stylesheets to load during the output HTML rendering.

These functions must be used PRIOR to html_top() being executed as after
that point of time it'll be too late to load new scripts or stylesheets.

This functionality will prevent multiple inclusions of the same
JavaScript file and will also prevent the need for downloading a new
stylesheet or script half way through the rendering of the page within
the user's browser.
mod - core/html_api.php Diff File

MantisBT: master 8c18b0ee

2010-08-07 06:03:16

dhx

Details Diff
Issue 0011826: Replace inline JavaScript datetime picker

The JavaScript date/time picker control was being loaded inline within
the body of the HTML output. An upgraded MantisBT core can now handle
loading or scripts and stylesheets more gracefully using new require_js
and require_css functions. This allows us to remove a bunch of inline
JavaScript thus progressing towards full implementation of
X-Content-Security-Policy.

jQuery is used to search the document on load for any text input fields
with the class "datetime". For each field found, a datetime picker
icon/button is created next to the input box. Users can click this icon
(as they could before) to show the jsCalendar widget (which remains
unchanged).
mod - bug_change_status_page.php Diff File
mod - bug_update_advanced_page.php Diff File
mod - javascript/dev/common.js Diff File
mod - manage_proj_ver_edit_page.php Diff File
mod - bug_report_page.php Diff File
mod - core/date_api.php Diff File

MantisBT: master df22831e

2010-08-19 11:39:51

dhx

Details Diff
Issue 0011826: Remove inline JavaScript for loading dynamic filters

Use the new require_js() function to include the dynamic JavaScript
filter scripts instead of pulling them within <body>.
mod - view_all_bug_page.php Diff File
mod - view_all_inc.php Diff File
mod - javascript/dev/dynamic_filters.js Diff File

MantisBT: master 111d9b76

2010-08-19 13:07:03

dhx

Details Diff
Issue 0011826: Use jQuery to handle "select all" checkbox

The "select all" checkbox on view_all_bug_page currently uses inline
JavaScript via the onclick event to select all the checkboxes on the
page.

This patch removes the inline JavaScript and instead replaces it with
equivalent (but more portable/reusable) jQuery code.

To implement any "select all" checkbox in the future, all one has to do
is:

1) Ensure the "Select all" checkbox is within the same form as the
checkboxes to check.

2) Ensure that the "Select all" checkbox includes the class "check_all".

3) Name the target checkboxes as "{field_name}[]" e.g., name="bugs[]" or
name="users[]".

4) Name the "Select all" checkbox as "{field_name}_all" e.g.,
name="bugs_all" or name="users_all".
mod - javascript/dev/common.js Diff File
mod - view_all_inc.php Diff File

MantisBT: master 735ddedd

2010-08-20 11:19:51

dhx

Details Diff
Issue 0011826: Remove ajax_api

ajax_api was used in two places (bug_update_page and tag_update_page)
for the purpose of hiding user selection comboboxes until clicked upon.
This approach relied upon inline JavaScript which is being removed in
1.3.x. It was easier to remove this feature than to reimplement it using
jQuery. It's disputable as to whether anything has been lost (some would
say that the AJAX click-to-edit added more clicks and more delay to
updating forms).
rm - javascript/ajax.js Diff File
mod - core/xmlhttprequest_api.php Diff File
rm - core/ajax_api.php Diff File
mod - bug_update_advanced_page.php Diff File
mod - core/html_api.php Diff File
mod - tag_update_page.php Diff File

MantisBT: master e597fac2

2010-08-20 23:25:56

grangeway

Details Diff
Issue 0011826: Remove ajax_api
rm - javascript/dev/ajax.js Diff File

MantisBT: master e087425c

2010-08-25 05:10:42

daryn

Details Diff
Bug 0011826 - Remove inline javascript for bug-jump field and put it in common.js. Add
css styles for bug-jump.
mod - css/default.css Diff File
mod - core/html_api.php Diff File
mod - javascript/dev/common.js Diff File
mod - javascript/common.js Diff File

MantisBT: master 6b5e037c

2010-08-25 05:31:45

daryn

Details Diff
Bug 0011826, Bug 0011995, Fix invalid html in the view all bug filter. Add divs, classes and id's
where necessary to facilitate moving style elements into css and inline
javascript into javascript files.
mod - css/default.css Diff File
mod - core/filter_api.php Diff File
mod - javascript/dev/common.js Diff File
mod - javascript/common.js Diff File

MantisBT: master 7ec1d497

2010-08-27 17:00:51

daryn

Details Diff
Issue 0011826 - Remove all inline JavaScript from MantisBT (use external scripts instead)
Issue 0011995 - Add CSS IDs to html elements for styling and javascript access.
mod - css/default.css Diff File
mod - core/html_api.php Diff File
mod - javascript/dev/common.js Diff File
mod - javascript/common.js Diff File

MantisBT: master 0d602be5

2010-12-25 13:09:09

dhx

Details Diff
Issue 0012545: Rewrite attachment listing and previewing

The output printing of bug attachment listings used to use inline custom
JavaScript code. This commit rewrites the printing of attachment lists
to use collapse_api. collapse_api doesn't use inline JavaScript for
collapsing/expanding content on the page.
mod - core/print_api.php Diff File
mod - css/default.css Diff File
mod - core/collapse_api.php Diff File

MantisBT: master 7790835c

2010-12-26 02:26:39

dhx

Details Diff
Issue 0012631: Replace old dynamic filter JavaScript code with jQuery

MantisBT was using a very old and messy method for handling dynamic
filters with client side JavaScript. This involved a lot of inline
JavaScript throughout the HTML output which is blocking our progress
towards bug 0011826 - completely removing all inline JavaScript from the
HTML output.

This patch removes the old dynamic filter JavaScript approach and
replaces it with a smaller, faster, more reliable and easier to maintain
jQuery equivalent.
rm - javascript/dev/addLoadEvent.js Diff File
mod - core/helper_api.php Diff File
mod - javascript/common.js Diff File
mod - docbook/Admin_Guide/en-US/Configuration.xml Diff File
rm - javascript/dynamic_filters.js Diff File
mod - core/filter_api.php Diff File
mod - view_all_bug_page.php Diff File
mod - core/obsolete.php Diff File
rm - javascript/dev/dynamic_filters.js Diff File
mod - core/print_api.php Diff File
mod - return_dynamic_filters.php Diff File
mod - lang/strings_english.txt Diff File
mod - admin/check/check_display_inc.php Diff File
rm - javascript/dev/xmlhttprequest.js Diff File
rm - javascript/xmlhttprequest.js Diff File
rm - javascript/addLoadEvent.js Diff File
mod - view_filters_page.php Diff File
mod - config_defaults_inc.php Diff File

MantisBT: master 7a6fba7c

2010-12-26 10:18:55

dhx

Details Diff
Issue 0012545: Remove inline onclick attribute from bugnote submit button

We still have CSRF in place to prevent duplicate form submission.
mod - bugnote_add_inc.php Diff File

MantisBT: master adf2338a

2010-12-26 12:48:04

dhx

Details Diff
Issue 0012545: Remove inline JavaScript handlers from MantisGraph

Period.php from the core MantisGraph plugin was generating date range
pickers that used inline JavaScript. This has now been factored out to
use a jQuery approach instead.
mod - core/print_api.php Diff File
mod - css/default.css Diff File
mod - plugins/MantisGraph/core/Period.php Diff File
mod - javascript/common.js Diff File

MantisBT: master 4b0e0d5d

2010-12-26 14:04:52

dhx

Details Diff
Issue 0011826: Remove inline JavaScript for tag filter + date filter

This patch removes inline JavaScript for the tag filter and replaces it
with a pure jQuery equivalent.

Some improvements were also made to the date filter JavaScript code to
reduce possible errors and remove some unnecessary code duplication.
mod - core/filter_api.php Diff File
mod - view_filters_page.php Diff File
mod - core/print_api.php Diff File
mod - javascript/common.js Diff File

MantisBT: master 2a1eed9d

2010-12-26 14:24:10

dhx

Details Diff
Fix 0011826: All inline JavaScript now removed

The MantisBT code base is now free of inline JavaScript code. We can
therefore tighten Content-Security-Policy settings to disallow execution
of any inline JavaScript.

This is a major security milestone for browsers supporting
Content-Security-Policy (currently Firefox 4). In the event of a XSS bug
anywhere within MantisBT, JavaScript code can no longer be executed as
part of an XSS exploit. Firefox 4 users are therefore exposed to much
less risk - so much so that any future MantisBT XSS vulnerabilities will
likely be a non-issue.
mod - core/http_api.php Diff File

MantisBT: master 10af3a5d

2011-07-15 06:48:45

dhx

Details Diff
Use placeholder attribute for stopwatch input fields

As part of issue 0011826 to remove all inline JavaScript, the time
tracking stopwatch feature was rewritten using jQuery. A default value
of "hh:mm" was being placed in the time tracking input field which is
invalid if submitted.

We should be using the newer 'placeholder' HTML attribute instead of
mangling the actual value stored in the text input field.
mod - bug_change_status_page.php Diff File
mod - bugnote_add_inc.php Diff File
mod - javascript/common.js Diff File

Issue History

Date Modified Username Field Change
2010-04-22 04:37 dhx New Issue
2010-04-22 04:37 dhx Relationship added related to 0011825
2010-06-03 09:01 AboeBakr Note Added: 0025677
2010-06-10 02:09 daryn Changeset attached => MantisBT master 2dc8409e
2010-06-23 01:53 dhx Note Added: 0025958
2010-06-23 11:34 dhx Note Added: 0025968
2010-06-23 11:34 dhx Assigned To => dhx
2010-06-23 11:34 dhx Status new => assigned
2010-06-23 11:34 dhx Relationship added parent of 0009117
2010-06-28 03:16 dhx Changeset attached => MantisBT master 0551d94b
2010-06-28 03:37 dhx Changeset attached => MantisBT master c5329886
2010-08-07 02:10 dhx Changeset attached => MantisBT master 8c18b0ee
2010-08-07 02:10 dhx Changeset attached => MantisBT master 1dbe709e
2010-08-07 02:10 dhx Changeset attached => MantisBT master bba266b1
2010-08-07 02:54 dhx Relationship added related to 0012245
2010-08-19 07:46 dhx Changeset attached => MantisBT master df22831e
2010-08-19 09:14 dhx Changeset attached => MantisBT master 111d9b76
2010-08-20 07:32 dhx Changeset attached => MantisBT master 735ddedd
2010-08-25 02:05 daryn Changeset attached => MantisBT master 6b5e037c
2010-08-25 02:05 daryn Changeset attached => MantisBT master e087425c
2010-08-27 13:02 daryn Changeset attached => MantisBT master 7ec1d497
2010-09-19 03:20 dhx Relationship added related to 0009793
2010-10-01 17:49 grangeway Changeset attached => MantisBT master e597fac2
2010-12-25 09:25 dhx Changeset attached => MantisBT master 0d602be5
2010-12-25 21:36 dhx Relationship added parent of 0012631
2010-12-25 21:44 dhx Changeset attached => MantisBT master 7790835c
2010-12-26 07:55 dhx Changeset attached => MantisBT master 7a6fba7c
2010-12-26 07:55 dhx Changeset attached => MantisBT master adf2338a
2010-12-26 09:12 dhx Changeset attached => MantisBT master 4b0e0d5d
2010-12-26 09:33 dhx Changeset attached => MantisBT master 2a1eed9d
2010-12-26 09:33 dhx Resolution open => fixed
2010-12-26 09:33 dhx Fixed in Version => 1.3.0-beta.1
2010-12-26 09:41 dhx Note Added: 0027702
2010-12-26 09:41 dhx Status assigned => resolved
2011-07-15 09:52 dhx Changeset attached => MantisBT master 10af3a5d
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036459
2013-04-05 18:08 grangeway Relationship added related to 0015721
2013-04-06 03:44 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check
2014-12-04 07:21 dregad Relationship added related to 0017944
2014-12-08 00:33 vboctor Status resolved => closed