-
Task
-
Resolution: Unresolved
-
Minor
Note
While testing this plugin, evaluate whether the third-party libraries in src/main/webapp are compatible with CSP in restrictive mode. The plugin may need to be upgraded from jQuery 1.x to 3.x to fully function in CSP restrictive mode.
Problems
== Inline Script Block
Line: 3
----
<script type="text/javascript">
var http;
function test(id,value){
var path= this.location.href;
path = path.substring(7);
path = path.substring(0,path.indexOf("/")+1);
path = "http://"+path;
var trid=id;
var trvalue=value;
if(window.ActiveXObject){
try {
alert("ie");
http= new ActiveXObject("Msxml2.XMLHTTP") ;
}
catch (e) {
try {
alert("ie2");
http= new ActiveXObject("Microsoft.XMLHTTP") ;
}
catch (e2) {
;
}
}
}
else if(window.XMLHttpRequest){
http= new XMLHttpRequest() ;
}
var url = path+"controller/off?id="+trid+"&name="+trvalue;
url = encodeURI(url);
url = encodeURI(url);
http.open("GET",url,true);
http.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
http.onreadystatechange = callback;
http.send(null);
http.close();
}
function callback(){
if(http.readyState==4){
var responseText = http.responseText;
alert(responseText);
}
}
function Ajax(){
var path= this.location.href;
path = path.substring(7);
path = path.substring(0,path.indexOf("/")+1);
path = "http://"+path;
var xmlHttp;
try{
xmlHttp=new XMLHttpRequest();
}
catch (e){
try{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e){
try{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e){
alert("No AJAX!?");
return false;
}
}
}
xmlHttp.onreadystatechange=function(){
if(xmlHttp.readyState==4){
var responseText= xmlHttp.responseText;
var s = responseText.replace('[','').replace(']','').split(',');
var count=s.length;
var i=1;
var label;
var lbs = document.getElementsByTagName("label");
for(var j=0;j${%lessThan}count-1;j++){
var name= i;
name = name.toString();
document.getElementById(name).value=s[j];
j++;
document.getElementById("ip"+name).innerHTML=s[j];
j++;
document.getElementById("mac"+name).innerHTML=s[j];
i++;
}
setTimeout('Ajax()',1000);
}
}
var url= path+"controller/refresh";
xmlHttp.open("GET",url,true);
xmlHttp.send(null);
}
setTimeout('Ajax()',1000);
</script>
----
== Inline Event Handler
Line: 125
----
<input type="button" value="${it.state[status.count-1]}" id="${status.count}" name="${status.count}" onClick= "test(this.id,this.value)" />
----
Solutions
https://www.jenkins.io/doc/developer/security/csp/#inline-javascript-blocks
https://www.jenkins.io/doc/developer/security/csp/#inline-event-handlers
