Merge pull request #101 from bkraul/develop-1.3.x

bkraul · web-flow · commit e15b536632c7 · 2020-07-08T17:38:09.000-05:00
Corrections to csp issues with preview button. Corrections to image p…
diff --git a/BBCodePlus/BBCodePlus.php b/BBCodePlus/BBCodePlus.php
@@ -11,6 +11,7 @@ class BBCodePlusPlugin extends MantisFormattingPlugin {
       private $t_MantisCoreFormatting_process_urls = OFF;
       private $t_bbCode = null;
       private $t_HTML = null;
+      private $t_nonceToken = null;
       //-------------------------------------------------------------------
       /**
        *  A method that populates the plugin information and minimum requirements.
@@ -21,7 +22,7 @@ function register() {
          $this->name        = plugin_lang_get( 'title' );
          $this->description = plugin_lang_get( 'description' );
          $this->page        = 'config';
-         $this->version     = '1.3.17';
+         $this->version     = '1.3.18';
 
          $this->requires['MantisCore'] = '1.3.0';
          # this plugin can coexist with MantisCoreFormatting.
@@ -68,6 +69,8 @@ function init() {
             $this->t_MantisCoreFormatting_process_text = $this->t_MantisCoreFormatting && config_get( 'plugin_MantisCoreFormatting_process_text' );
             $this->t_MantisCoreFormatting_process_urls = $this->t_MantisCoreFormatting && config_get( 'plugin_MantisCoreFormatting_process_urls' );
          }
+         # create the random nonce token for allowing unsafe-eval on csp
+         $this->t_nonceToken = base64_encode(substr(md5(mt_rand()), 0, 12));
       }
       //-------------------------------------------------------------------
       /**
@@ -107,6 +110,7 @@ function csp_headers() {
          if ( (ON == plugin_config_get( 'process_markitup' )) && function_exists( 'http_csp_add' ) ) {
             http_csp_add( 'img-src', "*" );
             http_csp_add( 'frame-ancestors', "'self'" );
+            http_csp_add( 'script-src', "'nonce-$this->t_nonceToken'");
          }
       }
       //-------------------------------------------------------------------
@@ -118,23 +122,23 @@ function csp_headers() {
       function resources( $p_event ) {
          # includes.
          $resources = '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'bbcodeplus.css' ) . '" />';
-         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '"></script>';
+         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
          if ( ON == plugin_config_get( 'process_markitup' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/skins/' . plugin_config_get( 'markitup_skin' ) . '/style.css' ) . '" />';
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/sets/mantis/style.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
          }
 
          if ( ON == plugin_config_get( 'process_highlight' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'prism/styles/' . plugin_config_get( 'highlight_css' ) . '.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
             # load additional languages.
             if ( ON == plugin_config_get( 'highlight_extralangs' ) ) {
-               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '"></script>';
+               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
             }
          }
 
diff --git a/BBCodePlus/files/markitup/jquery_markitup.js b/BBCodePlus/files/markitup/jquery_markitup.js
@@ -220,9 +220,7 @@
 						}).bind("focusin.markItUp", function(){
                             $$.focus();
 						}).bind('mouseup', function(e) {
-							if (button.call) {
-								eval(button.call)(e); // Pass the mouseup event to custom delegate
-							}
+							if (button.call == 'preview') { preview(); }
 							setTimeout(function() { markup(button) },1);
 							return false;
 						}).bind('mouseenter.markItUp', function() {
diff --git a/BBCodePlus/files/markitup/sets/mantis/set.js b/BBCodePlus/files/markitup/sets/mantis/set.js
@@ -194,12 +194,12 @@ mySettings = {
                     // create a new list of images.
                     body.append("<ul></ul>")
                     var list = body.children('ul');
+
                     // append thumbnail classes.
                     list.attr("class", "bbcodeplus image-picker");
 
                     $(".bug-attachment-preview-image a img").each(function(index, value) {
-                        var imgUrl = this.src;
-                        
+                        var imgUrl = $(this).parent().prop('href');
                         var img = $("<li><a href=\"#\"><img src=\"" + imgUrl + "\"></a></li>");
                         var link = img.children('a');
                         link.click(function() {
