From 38504680b7be33e1bd7aea1d3f3931975c99334b Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 14 Oct 2013 10:42:36 +0000
Subject: [PATCH] setting CSP attributes needed by CKeditor now automatic when egw_ckeditor_config::get_ckeditor_config(_array) get called
---
.../class.etemplate_widget_htmlarea.inc.php | 3 ---
.../inc/class.egw_ckeditor_config.inc.php | 27 ++++++++++++++++++-
phpgwapi/inc/class.egw_framework.inc.php | 15 ++++++++---
phpgwapi/inc/class.html.inc.php | 3 ---
4 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/etemplate/inc/class.etemplate_widget_htmlarea.inc.php b/etemplate/inc/class.etemplate_widget_htmlarea.inc.php
index 0909faa98c..1708150650 100644
--- a/etemplate/inc/class.etemplate_widget_htmlarea.inc.php
+++ b/etemplate/inc/class.etemplate_widget_htmlarea.inc.php
@@ -32,9 +32,6 @@ class etemplate_widget_htmlarea extends etemplate_widget
 {
 $form_name = self::form_name($cname, $this->id);
- // tell framework CK Editor needs eval and inline javascript :(
- egw_framework::csp_script_src_attrs(array('unsafe-eval', 'unsafe-inline'));
-
 $config = egw_ckeditor_config::get_ckeditor_config_array($this->attrs['mode'], $this->attrs['height'], $this->attrs['expand_toolbar'],$this->attrs['base_href'] );
diff --git a/phpgwapi/inc/class.egw_ckeditor_config.inc.php b/phpgwapi/inc/class.egw_ckeditor_config.inc.php
index 0329851d5b..b14f7a1645 100644
--- a/phpgwapi/inc/class.egw_ckeditor_config.inc.php
+++ b/phpgwapi/inc/class.egw_ckeditor_config.inc.php
@@ -1,6 +1,6 @@ attrs=".array2string($attrs));
+ // tell framework CK Editor needs eval and inline javascript :(
+ egw_framework::csp_script_src_attrs($attrs);
+ }
 }
diff --git a/phpgwapi/inc/class.egw_framework.inc.php b/phpgwapi/inc/class.egw_framework.inc.php
index 4366832891..909cae02c5 100644
--- a/phpgwapi/inc/class.egw_framework.inc.php
+++ b/phpgwapi/inc/class.egw_framework.inc.php
@@ -84,11 +84,13 @@ abstract class egw_framework
 }
 /**
- * Additional attributes for CSP script-src 'self'
+ * Additional attributes or urls for CSP script-src 'self'
+ *
+ * 'unsafe-eval' is currently allways added, as it is used in a couple of places.
 *
 * @var array
 */
- private static $csp_script_src_attrs = array('unsafe-eval');
+ private static $csp_script_src_attrs = array("'unsafe-eval'");
 /**
 * Set/get Content-Security-Policy attributes for script-src: 'unsafe-eval' and/or 'unsafe-inline'
@@ -106,13 +108,18 @@ abstract class egw_framework
 {
 foreach((array)$set as $attr)
 {
+ if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))
+ {
+ $attr = "'$attr'"; // automatic add quotes
+ }
 if (!in_array($attr, self::$csp_script_src_attrs))
 {
 self::$csp_script_src_attrs[] = $attr;
- //error_log(__METHOD__."() swiching CSP OFF for script-src '$attr' ".function_backtrace());
+ //error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
 }
 }
- return self::$csp_script_src_attrs ? "'".implode("' '", self::$csp_script_src_attrs)."'" : '';
+ //error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
+ return implode(' ', self::$csp_script_src_attrs);
 }
 /**
diff --git a/phpgwapi/inc/class.html.inc.php b/phpgwapi/inc/class.html.inc.php
index cfacb44cab..a028710f9a 100644
--- a/phpgwapi/inc/class.html.inc.php
+++ b/phpgwapi/inc/class.html.inc.php
@@ -531,9 +531,6 @@ class html
 return self::textarea($_name,$_content,'style="width: '.$_width.'; height: '.$_height.';" id="'.htmlspecialchars($_name).'"');
 }
- // tell framework CK Editor needs eval and inline javascript :(
- egw_framework::csp_script_src_attrs(array('unsafe-eval', 'unsafe-inline'));
-
 //include the ckeditor js file
 egw_framework::validate_file('ckeditor','ckeditor','phpgwapi');
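Review bot: The added doc comment on the `$csp_script_src_attrs` property misspells `allways`; the line should read `* 'unsafe-eval' is currently always added, as it is used in a couple of places.` That same docblock is the right place to say that the stored entries now carry their CSP quotes (the default became `array("'unsafe-eval'")` in this hunk) and that non-keyword entries are expected to be host or scheme sources, since csp_script_src_attrs() returns them joined by spaces straight into the header value.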
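Review bot: In the new `if (in_array($attr, array('none', 'self', 'unsafe-eval', 'unsafe-inline')))` block only those four tokens are quoted and every other entry is stored and later `implode`d into the header verbatim, so an entry containing whitespace or `;` would end the script-src directive and could introduce further CSP directives; the callers visible in this patch pass literals, but the method is reachable statically from other classes and the docblock now invites URLs, so the value should be validated before it is appended, e.g. `if (preg_match('/[\s;,]/', $attr)) throw new InvalidArgumentException("invalid CSP script-src source: $attr");` (or the project's own exception class). Separately, `'none'` is only meaningful as the sole source, and since `'unsafe-eval'` is always present in the list, auto-quoting `'none'` produces a policy browsers will not honour as intended, so it should either be rejected here or documented as having no effect. The method's signature and docblock lie above this hunk, and the `@return` there should now describe a space-separated string of already-quoted tokens rather than the previous quoted-on-output form.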