Item13199: there was indeed a JS error, but it was caused by the chan…

…ges I made to suport %NONCE%. Fixed (and also eliminated a dangerous JS eval)
foswiki · Jan 12, 2015 · 7b81775 · 7b81775
1 parent 7c49f6e
commit 7b81775
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 9 deletions.
diff --git a/FamFamFamContrib/templates/view.famfamfam.tmpl b/FamFamFamContrib/templates/view.famfamfam.tmpl
@@ -10,9 +10,9 @@
 	</a></span>%TMPL:END%
 
 %TMPL:DEF{"top:toolbarbutton_subscribe"}%<span>
-    %SUBSCRIBE{format="<a href='$url' class='subscribe_link' data-subscribe='$restparams' rel='nofollow' title='%MAKETEXT{"Subscribe to this topic (s)"}%'>
+    %SUBSCRIBE{format="<a href='$url' class='subscribe_link' data-subscribe='{validation_key:"%NONCE%"}' rel='nofollow' title='%MAKETEXT{"Subscribe to this topic (s)"}%'>
         <img alt='%MAKETEXT{"Subscribe to this topic (s)"}%' src='%PUBURL%/%SYSTEMWEB%/DocumentGraphics/notify.png' width='16' height='16' />
-    </a>" formatunsubscribe="<a href='$url' class='subscribe_link' data-subscribe='$restparams' rel='nofollow' title='%MAKETEXT{"Unsubscribe from this topic (s)"}%'>
+    </a>" formatunsubscribe="<a href='$url' class='subscribe_link' data-subscribe='{validation_key:"%NONCE%"}' rel='nofollow' title='%MAKETEXT{"Unsubscribe from this topic (s)"}%'>
         <img alt='%MAKETEXT{"Unsubscribe from this topic (s)"}%' src='%PUBURL%/%SYSTEMWEB%/DocumentGraphics/notify.png' width='16' height='16' />
     </a>"}%</span>%TMPL:END%
 

diff --git a/SubscribePlugin/pub/System/SubscribePlugin/subscribe_plugin.uncompressed.js b/SubscribePlugin/pub/System/SubscribePlugin/subscribe_plugin.uncompressed.js
@@ -53,7 +53,7 @@
         $('.subscribe_link').each(function() {
             var clink = $(this);
             var params = clink.data('subscribe');
-            clink.data('subscribe', eval(params));
+            clink.data('subscribe', params);
         });
     });
 })(jQuery);
diff --git a/SubscribePlugin/templates/subscribe.tmpl b/SubscribePlugin/templates/subscribe.tmpl
@@ -2,13 +2,13 @@
 Link for a "subscribe" request. Note that REST parameters are encoded in
 data-subscribe
 }%%TMPL:DEF{sp:subscribe}%
-<a class="subscribe_link" data-subscribe="$restparams" rel="nofollow" title="%MAKETEXT{"Subscribe to this topic"}%" href="$url">%MAKETEXT{"Subscribe"}%</a>
+<a class="subscribe_link" data-subscribe="{validation_key:'%NONCE%'}" rel="nofollow" title="%MAKETEXT{"Subscribe to this topic"}%" href="$url">%MAKETEXT{"Subscribe"}%</a>
 %TMPL:END%
 %{----------------------------------------
 Link for an "unsubscribe" request. Note that REST parameters are encoded in
 data-subscribe
 }%%TMPL:DEF{sp:unsubscribe}%
-<a class="subscribe_link" data-subscribe="$restparams" rel="nofollow" title="%MAKETEXT{"Unsubscribe from this topic"}%" href="$url">%MAKETEXT{"Unsubscribe"}%</a>
+<a class="subscribe_link" data-subscribe="{validation_key:'%NONCE%'}" rel="nofollow" title="%MAKETEXT{"Unsubscribe from this topic"}%" href="$url">%MAKETEXT{"Unsubscribe"}%</a>
 %TMPL:END%
 %{----------------------------------------
 Error message

diff --git a/core/lib/Foswiki/Macros/NONCE.pm b/core/lib/Foswiki/Macros/NONCE.pm
@@ -11,8 +11,11 @@ sub NONCE {
     my $context =
       $this->{request}->url( -full => 1, -path => 1, -query => 1 ) . time();
     my $cgis = $this->{users}->getCGISession();
-    return '' unless $cgis;
-    return Foswiki::Validation::generateValidationKey( $cgis, $context, 1 );
+    my $nonce =
+      $cgis
+      ? Foswiki::Validation::generateValidationKey( $cgis, $context, 1 )
+      : '';
+    return $nonce;
 }
 
 1;

diff --git a/core/lib/Foswiki/Validation.pm b/core/lib/Foswiki/Validation.pm
@@ -103,7 +103,8 @@ Generate a new validation key. The key will time out after
      page plus the time. This should be unique for each rendered page.
    * =$strikeone= - if set, expect the nonce to be combined with the
      session secret before it is posted back.
-The validation key wcan then be used in a HTML form, or headers for RestPlugin API etc.
+The validation key can then be used in a HTML form, or headers for
+RestPlugin API etc.
 
 =cut
 

diff --git a/core/templates/viewtopicactionbuttons.tmpl b/core/templates/viewtopicactionbuttons.tmpl
@@ -14,7 +14,7 @@
 
 %TMPL:DEF{"attach_link"}%<span class="foswikiRequiresChangePermission"><a href='%SCRIPTURLPATH{"attach"}%/%BASEWEB%/%BASETOPIC%' rel='nofollow' %IF{"context footer_text" then="%MAKETEXT{"title='Attach an image or document to this topic' accesskey='a'>&Attach"}%" else="%MAKETEXT{"title='Attach an image or document to this topic'>Attach"}%" }%</a></span>%TMPL:END%
 
-%TMPL:DEF{"subscribe_link"}%<span>%SUBSCRIBE{format="<a href='$url' class='subscribe_link' data-subscribe='$restparams' rel='nofollow' %MAKETEXT{"title='Subscribe to this topic' accesskey='s'>&Subscribe"}%</a>" formatunsubscribe="<a href='$url' class='subscribe_link' data-subscribe='$restparams' rel='nofollow' %MAKETEXT{"title='Unsubscribe from this topic' accesskey='s'>Un&subscribe"}%</a>"}%</span>%TMPL:END%
+%TMPL:DEF{"subscribe_link"}%<span>%SUBSCRIBE{format="<a href='$url' class='subscribe_link' data-subscribe='{\"validation_key\":\"%NONCE%\"}' rel='nofollow' %MAKETEXT{"title='Subscribe to this topic' accesskey='s'>&Subscribe"}%</a>" formatunsubscribe="<a href='$url' class='subscribe_link' data-subscribe='$restparams' rel='nofollow' %MAKETEXT{"title='Unsubscribe from this topic' accesskey='s'>Un&subscribe"}%</a>"}%</span>%TMPL:END%
 
 %TMPL:DEF{"more_link"}%<span><a href='%SCRIPTURLPATH{"view"}%/%BASEWEB%/%BASETOPIC%?template=more&maxrev=%MAXREV%&currrev=%CURRREV%' rel='nofollow' %MAKETEXT{"title='Delete or rename this topic; set parent topic; view and compare revisions' accesskey='m'>&More topic actions"}%</a></span>%TMPL:END%