mirror of
https://github.com/EGroupware/egroupware.git
synced 2025-01-27 08:19:45 +01:00
first step towards content-security by passing parameters to egw.js script via data-attributes of script tag instead of using inline scripts in page
This commit is contained in:
parent
4ae6094d8d
commit
d16c426fb6
@ -289,9 +289,10 @@ abstract class egw_framework
|
|||||||
/**
|
/**
|
||||||
* Get header as array to eg. set as vars for a template (from idots' head.inc.php)
|
* Get header as array to eg. set as vars for a template (from idots' head.inc.php)
|
||||||
*
|
*
|
||||||
|
* @param array $extra=array() extra attributes passed as data-attribute to egw.js
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
protected function _get_header()
|
protected function _get_header(array $extra=array())
|
||||||
{
|
{
|
||||||
// get used language code (with a little xss check, if someone tries to sneak something in)
|
// get used language code (with a little xss check, if someone tries to sneak something in)
|
||||||
if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$GLOBALS['egw_info']['user']['preferences']['common']['lang']))
|
if (preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$GLOBALS['egw_info']['user']['preferences']['common']['lang']))
|
||||||
@ -366,7 +367,7 @@ abstract class egw_framework
|
|||||||
'charset' => translation::charset(),
|
'charset' => translation::charset(),
|
||||||
'website_title' => strip_tags($GLOBALS['egw_info']['server']['site_title']. ($app ? " [$app]" : '')),
|
'website_title' => strip_tags($GLOBALS['egw_info']['server']['site_title']. ($app ? " [$app]" : '')),
|
||||||
'body_tags' => self::_get_body_attribs(),
|
'body_tags' => self::_get_body_attribs(),
|
||||||
'java_script' => self::_get_js(),
|
'java_script' => self::_get_js($extra),
|
||||||
'meta_robots' => $robots,
|
'meta_robots' => $robots,
|
||||||
'dir_code' => lang('language_direction_rtl') != 'rtl' ? '' : ' dir="rtl"',
|
'dir_code' => lang('language_direction_rtl') != 'rtl' ? '' : ' dir="rtl"',
|
||||||
'include_wz_tooltip'=> $include_wz_tooltip,
|
'include_wz_tooltip'=> $include_wz_tooltip,
|
||||||
@ -814,10 +815,10 @@ abstract class egw_framework
|
|||||||
* in eGW. One change then all templates will support it (as long as they
|
* in eGW. One change then all templates will support it (as long as they
|
||||||
* include a call to this method).
|
* include a call to this method).
|
||||||
*
|
*
|
||||||
* @author Dave Hall (*vaguely based* on verdilak? css inclusion code)
|
* @param array $extra=array() extra data to pass to egw.js as data-parameter
|
||||||
* @return string the javascript to be included
|
* @return string the javascript to be included
|
||||||
*/
|
*/
|
||||||
public static function _get_js()
|
public static function _get_js(array $extra=array())
|
||||||
{
|
{
|
||||||
$java_script = '';
|
$java_script = '';
|
||||||
|
|
||||||
@ -840,55 +841,26 @@ abstract class egw_framework
|
|||||||
self::validate_file('/phpgwapi/images.php',array('template' => $GLOBALS['egw_info']['user']['preferences']['common']['template_set']));
|
self::validate_file('/phpgwapi/images.php',array('template' => $GLOBALS['egw_info']['user']['preferences']['common']['template_set']));
|
||||||
}
|
}
|
||||||
|
|
||||||
// set webserver_url for json
|
$extra['url'] = $GLOBALS['egw_info']['server']['webserver_url'];
|
||||||
$java_script .= "<script type=\"text/javascript\">
|
$extra['include'] = array_map(function($str){return substr($str,1);}, self::get_script_links(true), array(1));
|
||||||
var url = '".
|
$extra['app'] = $GLOBALS['egw_info']['flags']['currentapp'];
|
||||||
($GLOBALS['egw_info']['server']['enforce_ssl'] && substr($GLOBALS['egw_info']['server']['webserver_url'],0,8) != 'https://' ? 'https://'.$_SERVER['HTTP_HOST'] : '').
|
|
||||||
$GLOBALS['egw_info']['server']['webserver_url']."';
|
|
||||||
|
|
||||||
// legacy code
|
|
||||||
egw_webserverUrl = url;
|
|
||||||
|
|
||||||
// reference the egw object from the parent window or set the
|
|
||||||
// webserver url
|
|
||||||
if (window.opener && typeof window.opener.egw != 'undefined')
|
|
||||||
{
|
|
||||||
window['egw'] = window.opener.egw;
|
|
||||||
}
|
|
||||||
else if (window.top && typeof window.top.egw != 'undefined')
|
|
||||||
{
|
|
||||||
window['egw'] = window.top.egw;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
// Create a \"preferences only\" egw object
|
|
||||||
window['egw'] = {
|
|
||||||
'prefsOnly': true,
|
|
||||||
'webserverUrl': url
|
|
||||||
};
|
|
||||||
}
|
|
||||||
</script>";
|
|
||||||
|
|
||||||
$to_include = self::get_script_links(true);
|
|
||||||
|
|
||||||
// Use LABjs to execute this stuff after all the script links are loaded
|
|
||||||
$after = 'window.egw_appName = "'.$GLOBALS['egw_info']['flags']['currentapp'].'";'."\n";
|
|
||||||
|
|
||||||
// add link registry to non-popup windows, if explicit requested (idots_framework::navbar() loads it, if not explicit specified!)
|
// add link registry to non-popup windows, if explicit requested (idots_framework::navbar() loads it, if not explicit specified!)
|
||||||
if ($GLOBALS['egw_info']['flags']['js_link_registry'])
|
if ($GLOBALS['egw_info']['flags']['js_link_registry'])
|
||||||
{
|
{
|
||||||
$after .= 'egw.set_preferences('.json_encode($GLOBALS['egw_info']['user']['preferences']['common']).', "common");'."\n";
|
$extra['preferences'] = array('common' => $GLOBALS['egw_info']['user']['preferences']['common']);
|
||||||
$after .= 'egw.set_user('.$GLOBALS['egw']->accounts->json($GLOBALS['egw_info']['user']['account_id']).');'."\n";
|
$extra['user'] = $GLOBALS['egw']->accounts->json($GLOBALS['egw_info']['user']['account_id']);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load LABjs ONCE here
|
// Load LABjs ONCE here
|
||||||
$java_script .= '<script type="text/javascript" src="'. $GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/labjs/LAB.src.js"'." ></script>\n".
|
$java_script .= '<script type="text/javascript" src="'. $GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/labjs/LAB.src.js"'." ></script>\n".
|
||||||
'<script type="text/javascript">
|
'<script type="text/javascript" src="'. $GLOBALS['egw_info']['server']['webserver_url'].'/phpgwapi/js/jsapi/egw.js" id="egw_script_id"';
|
||||||
// Loads files in parallel, executes serially
|
foreach($extra as $name => $value)
|
||||||
window.egw_LAB = $LAB.setOptions({AlwaysPreserveOrder:true,BasePath:"'.$GLOBALS['egw_info']['server']['webserver_url'].'/"});
|
{
|
||||||
window.egw_LAB.script(
|
if (is_array($value)) $value = json_encode($value);
|
||||||
'.json_encode(array_map(function($str){return substr($str,1);}, $to_include, array(1))).').wait(function() {'."\n".$after.'});
|
$java_script .= ' data-'.$name."='".str_replace("'", '\\\'', $value)."'";
|
||||||
</script>';
|
}
|
||||||
|
$java_script .= "></script>\n";
|
||||||
|
|
||||||
if(@isset($_GET['menuaction']))
|
if(@isset($_GET['menuaction']))
|
||||||
{
|
{
|
||||||
@ -909,7 +881,6 @@ window.egw_LAB.script(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
return $java_script;
|
return $java_script;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -35,3 +35,85 @@
|
|||||||
app_base;
|
app_base;
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
(function(){
|
||||||
|
var debug = false;
|
||||||
|
var egw_script = document.getElementById('egw_script_id');
|
||||||
|
window.egw_webserverUrl = egw_script.getAttribute('data-url');
|
||||||
|
window.egw_appName = egw_script.getAttribute('data-app');
|
||||||
|
|
||||||
|
// check if egw object was injected by window open
|
||||||
|
if (typeof window.egw == 'undefined')
|
||||||
|
{
|
||||||
|
// try finding it in top or opener's top
|
||||||
|
if (window.opener && typeof window.opener.top.egw != 'undefined')
|
||||||
|
{
|
||||||
|
window.egw = window.opener.top.egw;
|
||||||
|
if (typeof window.opener.top.framework != 'undefined') window.framework = window.opener.top.framework;
|
||||||
|
if (debug) console.log('found egw object in opener');
|
||||||
|
}
|
||||||
|
else if (window.top && typeof window.top.egw != 'undefined')
|
||||||
|
{
|
||||||
|
window.egw = window.top.egw;
|
||||||
|
if (typeof window.top.framework != 'undefined') window.framework = window.top.framework;
|
||||||
|
if (debug) console.log('found egw object in top');
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
window.egw = {
|
||||||
|
prefsOnly: true,
|
||||||
|
webserverUrl: egw_webserverUrl
|
||||||
|
};
|
||||||
|
if (debug) console.log('creating new egw object');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else console.log('found injected egw object');
|
||||||
|
|
||||||
|
// check for a framework object
|
||||||
|
if (typeof window.framework == 'undefined')
|
||||||
|
{
|
||||||
|
// try finding it in top or opener's top
|
||||||
|
if (window.opener && typeof window.opener.top.framework != 'undefined')
|
||||||
|
{
|
||||||
|
window.framework = window.opener.top.framework;
|
||||||
|
if (debug) console.log('found framework object in opener top');
|
||||||
|
}
|
||||||
|
else if (window.top && typeof window.top.framework != 'undefined')
|
||||||
|
{
|
||||||
|
window.framework = window.top.framework;
|
||||||
|
if (debug) console.log('found framework object in top');
|
||||||
|
}
|
||||||
|
// if framework not found, but requested to check for it, redirect to cd=yes to create it
|
||||||
|
else if (egw_script.getAttribute('data-check-framework'))
|
||||||
|
{
|
||||||
|
window.location.search += window.location.search ? "&cd=yes" : "?cd=yes";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
window.egw_LAB = $LAB.setOptions({AlwaysPreserveOrder:true,BasePath:window.egw_webserverUrl+'/'});
|
||||||
|
var include = JSON.parse(egw_script.getAttribute('data-include'));
|
||||||
|
|
||||||
|
// remove this script from include, until server-side no longer requires it
|
||||||
|
for(var i=0; i < include.length; ++i)
|
||||||
|
{
|
||||||
|
if (include[i].match(/^phpgwapi\/js\/jsapi\/egw\.js/))
|
||||||
|
{
|
||||||
|
include.splice(i, 1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
window.egw_LAB.script(include).wait(function(){
|
||||||
|
var data = egw_script.getAttribute('data-preferences');
|
||||||
|
if (data)
|
||||||
|
{
|
||||||
|
data = JSON.parse(data) || {};
|
||||||
|
for(var app in data)
|
||||||
|
{
|
||||||
|
window.egw.set_preferences(data[app], app);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (data = egw_script.getAttribute('data-user'))
|
||||||
|
{
|
||||||
|
window.egw.set_user(JSON.parse(data));
|
||||||
|
}
|
||||||
|
});
|
||||||
|
})();
|
||||||
|
@ -11,16 +11,6 @@
|
|||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
|
|
||||||
// Loading of the egw object, if it already is loaded in an upper window
|
|
||||||
if (window.opener && typeof window.opener.egw !== 'undefined')
|
|
||||||
{
|
|
||||||
window['egw'] = window.opener.egw;
|
|
||||||
}
|
|
||||||
else if (window.top && typeof window.top.egw !== 'undefined')
|
|
||||||
{
|
|
||||||
window['egw'] = window.top.egw;
|
|
||||||
}
|
|
||||||
|
|
||||||
/***********************************************\
|
/***********************************************\
|
||||||
* INITIALIZATION *
|
* INITIALIZATION *
|
||||||
\***********************************************/
|
\***********************************************/
|
||||||
@ -43,7 +33,7 @@ else if (document.getElementById)
|
|||||||
else if (document.layers)
|
else if (document.layers)
|
||||||
{
|
{
|
||||||
is_ie = false;
|
is_ie = false;
|
||||||
is_ie5 = false
|
is_ie5 = false;
|
||||||
is_moz1_6 = false;
|
is_moz1_6 = false;
|
||||||
is_mozilla = false;
|
is_mozilla = false;
|
||||||
is_ns4 = true;
|
is_ns4 = true;
|
||||||
@ -405,6 +395,9 @@ function egw_openWindowCentered2(_url, _windowName, _width, _height, _status, _a
|
|||||||
",screenX=" + positionLeft + ",left=" + positionLeft + ",screenY=" + positionTop + ",top=" + positionTop +
|
",screenX=" + positionLeft + ",left=" + positionLeft + ",screenY=" + positionTop + ",top=" + positionTop +
|
||||||
",location=no,menubar=no,directories=no,toolbar=no,scrollbars=yes,resizable=yes,status="+_status);
|
",location=no,menubar=no,directories=no,toolbar=no,scrollbars=yes,resizable=yes,status="+_status);
|
||||||
|
|
||||||
|
// inject egw object
|
||||||
|
windowID.egw = window.egw;
|
||||||
|
|
||||||
// returning something, replaces whole window in FF, if used in link as "javascript:egw_openWindowCentered2()"
|
// returning something, replaces whole window in FF, if used in link as "javascript:egw_openWindowCentered2()"
|
||||||
if (_returnID === false)
|
if (_returnID === false)
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user