- Type: Task
- Resolution: Unresolved
- Priority: Minor
- Component/s: serenity-plugin
Note
While testing this plugin, evaluate whether the third-party libraries in src/main/webapp are compatible with CSP in restrictive mode. The plugin may need to be upgraded from jQuery 1.x to 3.x to fully function in CSP restrictive mode.
Problems
== Inline Script Block
Line: 11
----
<script type="text/javascript">
// Pull in the Google Charts core chart package; initPage runs once it is available.
google.charts.load('current', { packages: ['corechart'] });
google.charts.setOnLoadCallback(initPage);
// Server-side object bound into the page; this script calls its getModel and
// getSource methods with a response callback (see getModel/getSource below).
var serenityResult = <st:bind value="${it}" />
/**
 * Google Charts load callback: wires up the check trees, then requests the
 * project model so the metrics chart is drawn for the current project.
 * '${it.project.id}' is a Jelly expression filled in server-side before the
 * page is served.
 */
function initPage() {
  var projectClass = 'com.ikokoon.serenity.model.Project';
  initTree();
  getModel(projectClass, '${it.project.id}');
}
// Check tree for the package list. CheckTree.list (walked by initTree) is presumably
// populated by the CheckTree constructor — confirm in the CheckTree script.
var packages = new CheckTree('packages');
/**
 * Initialises every registered check tree by calling init() on each entry of
 * CheckTree.list. Uses for...in (not Object.keys), so inherited enumerable
 * entries are visited as well.
 */
function initTree() {
  for (var name in CheckTree.list) {
    CheckTree.list[name].init();
  }
}
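/**
 * Fetches the model for the given class/identifier from the server and draws it
 * as a combo chart in #chart_div. Also cancels the triggering click so the tree
 * does not open the node it was clicked on.
 *
 * @param {string} klass      fully qualified model class name, e.g. 'com.ikokoon.serenity.model.Project'
 * @param {string} identifier model id
 * @param {Event}  [e]        the click event; falls back to window.event when not passed
 *                            (the inline onclick handlers in this page pass nothing)
 */
function getModel(klass, identifier, e) {
  serenityResult.getModel(klass, identifier, function (t) {
    var model = t.responseObject();
    // Drawn on a short delay; presumably to let the chart library/DOM settle — TODO confirm why 100ms.
    setTimeout(function () {
      drawChart(model);
    }, 100);
  });

  // The cancel has to run both for an explicitly passed event (a handler
  // registered with addEventListener receives it as an argument) and for the
  // legacy window.event path used by the inline onclick handlers; keeping the
  // cancel inside an `if (!e)` branch would silently skip the former.
  var event = e || window.event;
  if (event) {
    event.cancelBubble = true;
    if (event.stopPropagation) {
      event.stopPropagation();
    }
  }

  // Builds the combo chart from the DataTable description in `model`:
  // bars by default, series 0 drawn as a line, legend at the bottom.
  function drawChart(model) {
    var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
    var data = new google.visualization.DataTable(model);
    var options = {
      title: 'Project metrics',
      vAxis: { title: 'Values' },
      hAxis: { title: 'Builds' },
      seriesType: 'bars',
      series: { 0: { type: 'line' } },
      legend: { position: 'bottom' },
      curveType: 'function',
      height: 310
    };
    chart.draw(data, options);
  }
}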
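/**
 * Shows a class: draws its metrics chart via getModel, then fetches the
 * base64-encoded source text from the server and renders it into #source.
 *
 * @param {string} identifier id of the com.ikokoon.serenity.model.Class to show
 */
function getSource(identifier) {
  var classModel = 'com.ikokoon.serenity.model.Class';
  getModel(classModel, identifier);
  serenityResult.getSource(classModel, identifier, function (t) {
    var source = t.responseObject();
    // Rendered on a short delay; presumably to let the chart draw first — TODO confirm why 100ms.
    setTimeout(function () {
      // base64Decode is a page-level helper not defined in this script — TODO confirm where it comes from.
      var sourceDecoded = base64Decode(source);
      var sourceElement = document.getElementById('source');
      // NOTE(review): the decoded payload is assigned as HTML. Confirm whether the
      // server HTML-escapes the source or deliberately returns markup (e.g. highlighted
      // source); plain source text should be set via textContent instead.
      sourceElement.innerHTML = sourceDecoded;
    }, 100);
  });
}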
</script>
----
== Inline Event Handler
Line: 84
----
<a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
----
== Inline Event Handler
Line: 107
----
<a
href="#"
onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
style="text-decoration : none;">
----
== Inline Event Handler
Line: 122
----
<a
href="#"
onClick="JavaScript:getSource('${klass.id}');"
style="text-decoration : none;">
----
Solutions
https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks
https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers