
[serenity] Extract inline script block and event handlers in com/ikokoon/serenity/hudson/SerenityResult/index.jelly

    • Icon: Task Task
    • Resolution: Unresolved
    • Icon: Minor Minor
    • serenity-plugin

      Note

      While testing this plugin, evaluate whether the third-party libraries in src/main/webapp are compatible with CSP in restrictive mode. The plugin may need to be upgraded from jQuery 1.x to 3.x to fully function in CSP restrictive mode.

      Problems

      == Inline Script Block
      Line: 11
      ----
      <script type="text/javascript">
      				// Load the Google Charts 'corechart' package; initPage is registered as the on-load callback.
      				google.charts.load('current', {'packages':['corechart']});
                      google.charts.setOnLoadCallback(initPage);
      
      			    // <st:bind> is a Stapler tag expanded on the server, so this line is template output rather
      			    // than plain JavaScript. Presumably it yields a proxy for the backing object `it` (the calls
      			    // below pass a callback and read t.responseObject()) - confirm. As written, the statement
      			    // cannot be copied verbatim into a static .js file.
      			    var serenityResult = <st:bind value="${it}" />
      
                      // Chart-library load callback: initialises the check trees, then requests the
                      // project-level model so the first chart is drawn.
                      // NOTE(review): '${it.project.id}' is substituted by Jelly into a JavaScript string literal
                      // before the page is served. Whether the id can contain a quote or backslash is not visible
                      // here - confirm. When this block is extracted, carry the id in a data-* attribute and read
                      // it from the DOM instead of generating script text.
                      function initPage() {
                      	initTree();
                      	getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                      }
      
      				// CheckTree is defined outside this excerpt. The instance is constructed with the argument
      				// 'packages'; presumably the constructor registers it in CheckTree.list, which initTree()
      				// iterates - confirm against the CheckTree source.
      				var packages = new CheckTree('packages');
      
      				// Calls init() on every entry enumerated from CheckTree.list.
      				// for...in walks all enumerable keys, inherited ones included; whether CheckTree.list is an
      				// array or a plain object is not visible in this excerpt.
      				function initTree() {
                          for (var i in CheckTree.list) {
                              CheckTree.list[i].init()
                          }
                      }
      
                      // Requests the model for (klass, identifier) through the serenityResult proxy and draws it
                      // as a combo chart in #chart_div. `e` is an optional DOM event; the inline onclick handlers
                      // quoted in this issue call getModel without passing one.
                      function getModel(klass, identifier, e) {
                      	serenityResult.getModel(klass, identifier, function(t) {
                      		// The response object is handed to DataTable unchanged; its shape is decided server-side.
                      		var model = t.responseObject();
                      		// alert('Model : ' + model);
      
                      		// Drawing is deferred by 100 ms; the reason for the delay is not visible in this excerpt.
                      		setTimeout(function() {
                              	// Instantiate and draw our chart, passing in some options.
                                  var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                  var data = new google.visualization.DataTable(model);
                                  // Set chart options - 'width':650,
                                  var options = {
                                  	title:'Project metrics',
      	                            vAxis: {title: 'Values'},
         		                        hAxis: {title: 'Builds'},
         	                         	seriesType: 'bars',
         	                         	series: {0: {type: 'line'}},
         	                         	legend: { position: 'bottom' },
         	                         	curveType: 'function',
         	                         	height:310
                                  };
                                  chart.draw(data, options);
                              }, 100);
                      	});
                      	// Stops the tree from opening the node
                      	// No event argument was supplied, so the code falls back to the legacy global window.event
                      	// and cancels bubbling on it. `var e` re-declares the parameter; it is the same binding.
                      	// NOTE(review): once the handlers are attached with addEventListener in an external file,
                      	// pass the event object in explicitly rather than relying on window.event.
                          if (!e) {
                          	var e = window.event;
                          	if (e !== undefined) {
                          		e.cancelBubble = true;
                          		if (e.stopPropagation) {
                          			e.stopPropagation();
                          		}
                          	}
                          }
                      };
      
                      // Refreshes the chart for the class `identifier`, then fetches that class's source through
                      // the serenityResult proxy, base64-decodes it and writes it into the #source element.
                      function getSource(identifier) {
                        getModel('com.ikokoon.serenity.model.Class', identifier);
                        serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                      	  var source = t.responseObject();
                      	  // The DOM write is deferred by 100 ms; the reason is not visible in this excerpt.
                      	  setTimeout(function() {
                      	  	// base64Decode is defined outside this excerpt.
                      	  	var sourceDecoded = base64Decode(source);
                      	  	var sourceElement = document.getElementById('source');
                      	  	// alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                        	  	// sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                        	  	// NOTE(review): innerHTML parses the decoded response as markup. If the payload is raw
                        	  	// class source (content controlled by whoever commits to the analysed project), this is a
                        	  	// DOM XSS sink and textContent is the safe assignment. If the server returns pre-rendered
                        	  	// HTML, the source text must be escaped server-side - confirm which applies. A restrictive
                        	  	// CSP reduces the impact but does not replace output encoding.
                        	  	sourceElement.innerHTML = sourceDecoded;
                      	  }, 100);
                        });
                      };
       			</script>
      ----
      
      == Inline Event Handler
      Line: 84
      ----
      <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
      ----
      
      == Inline Event Handler
      Line: 107
      ----
      <a 
      										href="#" 
      										onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
      										style="text-decoration : none;">
      ----
      
      == Inline Event Handler
      Line: 122
      ----
      <a 
      												href="#" 
      												onClick="JavaScript:getSource('${klass.id}');"
      												style="text-decoration : none;">
      ----
      

      Solutions

      https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks
      https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers

          [JENKINS-74367] [serenity] Extract inline script block and event handlers in com/ikokoon/serenity/hudson/SerenityResult/index.jelly

          Basil Crow created issue -
          Basil Crow made changes -
          Description Original: h4. Problems

          {noformat}
          == Inline Event Handler
          Line: 84
          ----
          <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
          ----

          == Inline Event Handler
          Line: 107
          ----
          <a
          href="#"
          onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
          style="text-decoration : none;">
          ----

          == Inline Event Handler
          Line: 122
          ----
          <a
          href="#"
          onClick="JavaScript:getSource('${klass.id}');"
          style="text-decoration : none;">
          ----

          == Inline Script Block
          Line: 11
          ----
          <script type="text/javascript">
          google.charts.load('current', {'packages':['corechart']});
                          google.charts.setOnLoadCallback(initPage);

          var serenityResult = <st:bind value="${it}" />

                          function initPage() {
                           initTree();
                           getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                          }

          var packages = new CheckTree('packages');

          function initTree() {
                              for (var i in CheckTree.list) {
                                  CheckTree.list[i].init()
                              }
                          }

                          function getModel(klass, identifier, e) {
                           serenityResult.getModel(klass, identifier, function(t) {
                           var model = t.responseObject();
                           // alert('Model : ' + model);

                           setTimeout(function() {
                                   // Instantiate and draw our chart, passing in some options.
                                      var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                      var data = new google.visualization.DataTable(model);
                                      // Set chart options - 'width':650,
                                      var options = {
                                       title:'Project metrics',
          vAxis: {title: 'Values'},
              hAxis: {title: 'Builds'},
              seriesType: 'bars',
              series: {0: {type: 'line'}},
              legend: { position: 'bottom' },
              curveType: 'function',
              height:310
                                      };
                                      chart.draw(data, options);
                                  }, 100);
                           });
                           // Stops the tree from opening the node
                              if (!e) {
                               var e = window.event;
                               if (e !== undefined) {
                               e.cancelBubble = true;
                               if (e.stopPropagation) {
                               e.stopPropagation();
                               }
                               }
                              }
                          };

                          function getSource(identifier) {
                            getModel('com.ikokoon.serenity.model.Class', identifier);
                            serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                           var source = t.responseObject();
                           setTimeout(function() {
                           var sourceDecoded = base64Decode(source);
                           var sourceElement = document.getElementById('source');
                           // alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                             // sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                             sourceElement.innerHTML = sourceDecoded;
                           }, 100);
                            });
                          };
            </script>
          ----

          == Inline Event Handler
          Line: 84
          ----
          <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
          ----

          == Inline Event Handler
          Line: 107
          ----
          <a
          href="#"
          onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
          style="text-decoration : none;">
          ----

          == Inline Event Handler
          Line: 122
          ----
          <a
          href="#"
          onClick="JavaScript:getSource('${klass.id}');"
          style="text-decoration : none;">
          ----

          == Inline Script Block
          Line: 11
          ----
          <script type="text/javascript">
          google.charts.load('current', {'packages':['corechart']});
                          google.charts.setOnLoadCallback(initPage);

          var serenityResult = <st:bind value="${it}" />

                          function initPage() {
                           initTree();
                           getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                          }

          var packages = new CheckTree('packages');

          function initTree() {
                              for (var i in CheckTree.list) {
                                  CheckTree.list[i].init()
                              }
                          }

                          function getModel(klass, identifier, e) {
                           serenityResult.getModel(klass, identifier, function(t) {
                           var model = t.responseObject();
                           // alert('Model : ' + model);

                           setTimeout(function() {
                                   // Instantiate and draw our chart, passing in some options.
                                      var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                      var data = new google.visualization.DataTable(model);
                                      // Set chart options - 'width':650,
                                      var options = {
                                       title:'Project metrics',
          vAxis: {title: 'Values'},
              hAxis: {title: 'Builds'},
              seriesType: 'bars',
              series: {0: {type: 'line'}},
              legend: { position: 'bottom' },
              curveType: 'function',
              height:310
                                      };
                                      chart.draw(data, options);
                                  }, 100);
                           });
                           // Stops the tree from opening the node
                              if (!e) {
                               var e = window.event;
                               if (e !== undefined) {
                               e.cancelBubble = true;
                               if (e.stopPropagation) {
                               e.stopPropagation();
                               }
                               }
                              }
                          };

                          function getSource(identifier) {
                            getModel('com.ikokoon.serenity.model.Class', identifier);
                            serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                           var source = t.responseObject();
                           setTimeout(function() {
                           var sourceDecoded = base64Decode(source);
                           var sourceElement = document.getElementById('source');
                           // alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                             // sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                             sourceElement.innerHTML = sourceDecoded;
                           }, 100);
                            });
                          };
            </script>
          ----
          {noformat}

          h4. Solutions

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          [https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers]
          New: h4. Problems

          {noformat}
          == Inline Script Block
          Line: 11
          ----
          <script type="text/javascript">
          google.charts.load('current', {'packages':['corechart']});
                          google.charts.setOnLoadCallback(initPage);

          var serenityResult = <st:bind value="${it}" />

                          function initPage() {
                           initTree();
                           getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                          }

          var packages = new CheckTree('packages');

          function initTree() {
                              for (var i in CheckTree.list) {
                                  CheckTree.list[i].init()
                              }
                          }

                          function getModel(klass, identifier, e) {
                           serenityResult.getModel(klass, identifier, function(t) {
                           var model = t.responseObject();
                           // alert('Model : ' + model);

                           setTimeout(function() {
                                   // Instantiate and draw our chart, passing in some options.
                                      var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                      var data = new google.visualization.DataTable(model);
                                      // Set chart options - 'width':650,
                                      var options = {
                                       title:'Project metrics',
          vAxis: {title: 'Values'},
              hAxis: {title: 'Builds'},
              seriesType: 'bars',
              series: {0: {type: 'line'}},
              legend: { position: 'bottom' },
              curveType: 'function',
              height:310
                                      };
                                      chart.draw(data, options);
                                  }, 100);
                           });
                           // Stops the tree from opening the node
                              if (!e) {
                               var e = window.event;
                               if (e !== undefined) {
                               e.cancelBubble = true;
                               if (e.stopPropagation) {
                               e.stopPropagation();
                               }
                               }
                              }
                          };

                          function getSource(identifier) {
                            getModel('com.ikokoon.serenity.model.Class', identifier);
                            serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                           var source = t.responseObject();
                           setTimeout(function() {
                           var sourceDecoded = base64Decode(source);
                           var sourceElement = document.getElementById('source');
                           // alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                             // sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                             sourceElement.innerHTML = sourceDecoded;
                           }, 100);
                            });
                          };
            </script>
          ----

          == Inline Event Handler
          Line: 84
          ----
          <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
          ----

          == Inline Event Handler
          Line: 107
          ----
          <a
          href="#"
          onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
          style="text-decoration : none;">
          ----

          == Inline Event Handler
          Line: 122
          ----
          <a
          href="#"
          onClick="JavaScript:getSource('${klass.id}');"
          style="text-decoration : none;">
          ----
          {noformat}

          h4. Solutions

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          [https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers]
          Summary Original: [serenity] Extract inline script blocks and event handlers in com/ikokoon/serenity/hudson/SerenityResult/index.jelly New: [serenity] Extract inline script block and event handlers in com/ikokoon/serenity/hudson/SerenityResult/index.jelly
          Basil Crow made changes -
          Description Original: h4. Problems

          {noformat}
          == Inline Script Block
          Line: 11
          ----
          <script type="text/javascript">
          google.charts.load('current', {'packages':['corechart']});
                          google.charts.setOnLoadCallback(initPage);

          var serenityResult = <st:bind value="${it}" />

                          function initPage() {
                           initTree();
                           getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                          }

          var packages = new CheckTree('packages');

          function initTree() {
                              for (var i in CheckTree.list) {
                                  CheckTree.list[i].init()
                              }
                          }

                          function getModel(klass, identifier, e) {
                           serenityResult.getModel(klass, identifier, function(t) {
                           var model = t.responseObject();
                           // alert('Model : ' + model);

                           setTimeout(function() {
                                   // Instantiate and draw our chart, passing in some options.
                                      var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                      var data = new google.visualization.DataTable(model);
                                      // Set chart options - 'width':650,
                                      var options = {
                                       title:'Project metrics',
          vAxis: {title: 'Values'},
              hAxis: {title: 'Builds'},
              seriesType: 'bars',
              series: {0: {type: 'line'}},
              legend: { position: 'bottom' },
              curveType: 'function',
              height:310
                                      };
                                      chart.draw(data, options);
                                  }, 100);
                           });
                           // Stops the tree from opening the node
                              if (!e) {
                               var e = window.event;
                               if (e !== undefined) {
                               e.cancelBubble = true;
                               if (e.stopPropagation) {
                               e.stopPropagation();
                               }
                               }
                              }
                          };

                          function getSource(identifier) {
                            getModel('com.ikokoon.serenity.model.Class', identifier);
                            serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                           var source = t.responseObject();
                           setTimeout(function() {
                           var sourceDecoded = base64Decode(source);
                           var sourceElement = document.getElementById('source');
                           // alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                             // sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                             sourceElement.innerHTML = sourceDecoded;
                           }, 100);
                            });
                          };
            </script>
          ----

          == Inline Event Handler
          Line: 84
          ----
          <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
          ----

          == Inline Event Handler
          Line: 107
          ----
          <a
          href="#"
          onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
          style="text-decoration : none;">
          ----

          == Inline Event Handler
          Line: 122
          ----
          <a
          href="#"
          onClick="JavaScript:getSource('${klass.id}');"
          style="text-decoration : none;">
          ----
          {noformat}

          h4. Solutions

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          [https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers]
          New: h1. Note

          *While testing this plugin, evaluate whether the third-party libraries in {{src/main/webapp}} are compatible with CSP in restrictive mode. The plugin may need to be upgraded from jQuery 1.x to 3.x to fully function in CSP restrictive mode.*

          h4. Problems

          {noformat}
          == Inline Script Block
          Line: 11
          ----
          <script type="text/javascript">
          google.charts.load('current', {'packages':['corechart']});
                          google.charts.setOnLoadCallback(initPage);

          var serenityResult = <st:bind value="${it}" />

                          function initPage() {
                           initTree();
                           getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');
                          }

          var packages = new CheckTree('packages');

          function initTree() {
                              for (var i in CheckTree.list) {
                                  CheckTree.list[i].init()
                              }
                          }

                          function getModel(klass, identifier, e) {
                           serenityResult.getModel(klass, identifier, function(t) {
                           var model = t.responseObject();
                           // alert('Model : ' + model);

                           setTimeout(function() {
                                   // Instantiate and draw our chart, passing in some options.
                                      var chart = new google.visualization.ComboChart(document.getElementById('chart_div'));
                                      var data = new google.visualization.DataTable(model);
                                      // Set chart options - 'width':650,
                                      var options = {
                                       title:'Project metrics',
          vAxis: {title: 'Values'},
              hAxis: {title: 'Builds'},
              seriesType: 'bars',
              series: {0: {type: 'line'}},
              legend: { position: 'bottom' },
              curveType: 'function',
              height:310
                                      };
                                      chart.draw(data, options);
                                  }, 100);
                           });
                           // Stops the tree from opening the node
                              if (!e) {
                               var e = window.event;
                               if (e !== undefined) {
                               e.cancelBubble = true;
                               if (e.stopPropagation) {
                               e.stopPropagation();
                               }
                               }
                              }
                          };

                          function getSource(identifier) {
                            getModel('com.ikokoon.serenity.model.Class', identifier);
                            serenityResult.getSource('com.ikokoon.serenity.model.Class', identifier, function(t) {
                           var source = t.responseObject();
                           setTimeout(function() {
                           var sourceDecoded = base64Decode(source);
                           var sourceElement = document.getElementById('source');
                           // alert(sourceElement + ':' + sourceElement.innerHTML + ':' + sourceDecoded);
                             // sourceElement.innerHTML = 'Some other fucking source!' + identifier;
                             sourceElement.innerHTML = sourceDecoded;
                           }, 100);
                            });
                          };
            </script>
          ----

          == Inline Event Handler
          Line: 84
          ----
          <a href="#" onclick="JavaScript:getModel('com.ikokoon.serenity.model.Project', '${it.project.id}');">
          ----

          == Inline Event Handler
          Line: 107
          ----
          <a
          href="#"
          onClick="JavaScript:getModel('com.ikokoon.serenity.model.Package', '${package.id}')"
          style="text-decoration : none;">
          ----

          == Inline Event Handler
          Line: 122
          ----
          <a
          href="#"
          onClick="JavaScript:getSource('${klass.id}');"
          style="text-decoration : none;">
          ----
          {noformat}

          h4. Solutions

          [https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks]
          [https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers]

            Unassigned Unassigned
            basil Basil Crow