Merge pull request #242 from iftechfoundation/csp

Adopt a Content Security Policy

www/captcha.php

@@ -148,8 +148,8 @@ function captchaMaskEmail($email, $maskMsg)
 
     // generate the reveal link
     $link = "<span id=\"emailMasker$emailNum\">$maskA<a href=\"#\" "
-            . "onclick=\"javascript:showCaptchaForm();return false;\" "
             . "title=\"Click to reveal the full email address\">"
+            . addEventListener('click', "showCaptchaForm(); return false;")
             . "$email</a>$maskB</span>";
 
     // advance the counter
@@ -166,8 +166,8 @@ function captchaMaskEmail($email, $maskMsg)
 function captchaSupportScripts($sessionKey, $okcb = false)
 {
 ?>
-   <script src='https://www.google.com/recaptcha/api.js'></script>
-<script type="text/javascript">
+   <script src='https://www.google.com/recaptcha/api.js' nonce="<?php global $nonce; echo $nonce; ?>"></script>
+<script type="text/javascript" nonce="<?php global $nonce; echo $nonce; ?>">
 <!--
 var RecaptchaOptions = {
     theme: "white"
@@ -279,8 +279,8 @@ function captchaSolved(response)
 function captchaAjaxForm($sessionKey)
 {
     echo "<div id='captchaFormDiv' style='display:none;'>"
-        . "<form name='captchaAjaxForm' "
-        . "onsubmit='javascript:submitCaptchaForm();return false;'>"
+        . "<form name='captchaAjaxForm'>"
+        . addEventListener('submit', 'submitCaptchaForm();return false;')
 //        . getCaptchaSubForm($sessionKey, false, false)
         . "<div id='captchaFormCont'></div>"
         . "<div><span id='captchaStatusMsg'></span></div>"

www/combobox.php

@@ -25,36 +25,35 @@ function makeComboBox($name, $textlen, $curval, $vals, $onSet = "null")
     // write the input field
     $txt = "<input type=\"text\" name=\"$name\" id=\"$name\" "
            . "size=$textlen value=\"" . htmlspecialcharx($curval)
-           . "\" onkeydown=\"javascript:return comboFieldKey("
-           . "event,'$name','${name}CBSel','D');\" "
-           . "onkeypress=\"javascript:return comboFieldKey("
-           . "event,'$name','{$name}CBSel','P');\">";
+           . "\">"
+           . addSiblingEventListeners([
+                ["keydown", "return comboFieldKey(event,'$name','${name}CBSel','D');"],
+                ["keypress", "return comboFieldKey(event,'$name','${name}CBSel','P');"],
+           ]);
 
     // add the drop arrow
-    $txt .= "<a href=\"needjs\" onkeypress=\"javascript:return "
-           . "comboArrowKey(event,'$name',true,'${name}CBSel');\" "
-           . "onkeydown=\"javascript:return comboArrowKey("
-           . "event,'$name',true,'${name}CBSel');\">"
+    $txt .= "<a href=\"needjs\" x-name=\"$name\">"
+           . addEventListener("keypress", "return comboArrowKey(event,'$name',true,'${name}CBSel');")
+           . addEventListener("keydown", "return comboArrowKey(event,'$name',true,'${name}CBSel');")
            . "<img alt=\"Open List\" border=0 "
-           . "src=\"/img/blank.gif\" class=\"combobox-arrow\" "
-           . "onclick=\"javascript:postShowComboMenu("
-           . "'$name',true,'{$name}CBSel');return false;\"></a>";
+           . "src=\"/img/blank.gif\" class=\"combobox-arrow\">"
+           . addSiblingEventListeners([["click", "postShowComboMenu("
+           . "'$name',true,'{$name}CBSel');return false;"]])
+           . "</a>";
 
     // set up the hidden division for the list
     $txt .= "<div id=\"{$name}CBDiv\" "
             . "style=\"position:absolute;display:none;top:0px; "
-            . "left:0px;z-index:20000\" "
-            . "onmouseover=\"javascript:overComboMenu=true;return true;\" "
-            . "onmouseout=\"javascript:overComboMenu=false;return true;\">";
+            . "left:0px;z-index:20000\">"
+            . addEventListener("mouseover", "overComboMenu=true;")
+            . addEventListener("mouseout", "overComboMenu=false;");
 
     // add the hidden list
-    $txt .= "<select size=10 id=\"{$name}CBSel\" "
-            . "onclick=\"javascript:setComboText('$name',this.value,$onSet);\" "
-            . "onkeypress=\"javascript:return comboKeyPress("
-            . "event,'$name',this,$onSet);\" "
-            . "onkeydown=\"javascript:return comboKeyPress("
-            . "event,'$name',this,$onSet);\" "
-            . "onblur=\"javascript:checkClosePopup(null, false);\">";
+    $txt .= "<select size=10 id=\"{$name}CBSel\">"
+            . addEventListener("click", "setComboText('$name',this.value,$onSet);")
+            . addEventListener("keypress", "return comboKeyPress(event,'$name',this,$onSet);")
+            . addEventListener("keydown", "return comboKeyPress(event,'$name',this,$onSet);")
+            . addEventListener("blur", "checkClosePopup(null, false);");
 
     // add the options
     for ($j = 0 ; $j < count($vals) ; $j++) {
@@ -80,7 +79,7 @@ function comboSupportFuncs()
 {
 ?>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<?php global $nonce; echo $nonce; ?>">
 <!--
 var activeCombo = false;
 var overComboMenu = false;

www/commentutil.php

@@ -423,23 +423,27 @@ function showComment($db,$commentPage, $itemAuthor, $cidx, $coutlst, $i)
     // if it's plonked, wrap it in a click-through hider
     if ($plonked) {
         echo "<span class=details><i>You've plonked this comment's author</i>"
-            . " - <span><a href=\"needjs\" onclick=\"javascript:"
-            . "revealPlonkedAuthor(this, '$cuserid', '"
-            . str_replace(array('"', '\''),
-                          array("'+String.fromCharCode(34)+'", "\\'"),
-                          $cusername)
-            . "');return false;\">Reveal author</a></span>"
+            . " - <span><a href=\"needjs\">"
+            . addEventListener("click", "revealPlonkedAuthor(this, '$cuserid', '"
+                . str_replace(array('"', '\''),
+                            array("'+String.fromCharCode(34)+'", "\\'"),
+                            $cusername)
+                . "');return false;")
+            . "Reveal author</a></span>"
             . "<span style=\"display:none;\">"
-            . " | <a href=\"needjs\" onclick=\"javascript:"
-            . "revealPlonkedComment(this);return false;\">Reveal comment</a>"
+            . " | <a href=\"needjs\">"
+            . addEventListener(
+                "click", "revealPlonkedComment(this);return false;"
+            )
+            . "Reveal comment</a>"
             . "</span>"
             . "</span>"
             . "<div style=\"display: none;\">";
 
         global $plonkedCommentNum;
         if ($plonkedCommentNum++ == 0) {
             ?>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<?php global $nonce; echo $nonce; ?>">
 function revealPlonkedAuthor(ele, uid, uname)
 {
     ele = ele.parentNode;

www/components/ifdb-recommends.php

@@ -271,7 +271,7 @@
     } else {
       ?>
       <div id="recommendations">Loading...</div>
-      <script>
+      <script nonce="<?php global $nonce; echo $nonce; ?>">
         void function() {
           var element = document.getElementById('recommendations')
           var xhr = new XMLHttpRequest();
@@ -410,18 +410,15 @@ function sortBySortorder($a, $b)
 
     // explain the source
     echo "<p><span class=details><i>";
-    $href = helpWinHRef("help-crossrec");
-//    $href = "href=\"needjs\" "
-//            . "onclick=\"javascript:helpWin('help-crossrec');return false;\"";
     if ($recsrc == 'generic') {
         echo "These are a few randomly-selected games with high
              average member ratings.  If you ";
         if (!$loggedIn)
             echo "<a href=\"login\">log in</a> and ";
         echo "rate a few games yourself, IFDB can offer customized
-              recommendations (<a $href>explain</a>).";
+              recommendations (".helpWinLink("help-crossrec", "explain").").";
     } else {
-        echo "<a $href>Why did IFDB recommend these?</a>";
+        echo helpWinLink("help-crossrec", "Why did IFDB recommend these?");
     }
     echo "</i></span></div>";
 }

www/crossrec

@@ -101,8 +101,8 @@ if ($editMode) {
         . "<input type=text size=80 name=searchfor id=searchfor "
         . "value=\"$searchFor\">"
         . " <input type=submit name=submit value=\"Search\"><br>"
-        . "<span class=microhelp>Enter a game title or <a class=silent "
-        . helpWinHRef("help-tuid") . ">TUID</a></span>"
+        . "<span class=microhelp>Enter a game title or "
+        . helpWinLink("help-tuid", "TUID") . "</span>"
         . "</form>";
 
     $returnLink = "<a href=\"viewgame?id=$gameID\">"

www/csp-nonce.php

@@ -0,0 +1,32 @@
+<?php
+// https://stackoverflow.com/a/34149536/54829
+/**
+ * Generate a random string, using a cryptographically secure 
+ * pseudorandom number generator (random_int)
+ * 
+ * For PHP 7, random_int is a PHP core function
+ * For PHP 5.x, depends on https://github.com/paragonie/random_compat
+ * 
+ * @param int $length      How many characters do we want?
+ * @param string $keyspace A string of all possible characters
+ *                         to select from
+ * @return string
+ */
+function random_str(
+    $length,
+    $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+) {
+    $str = '';
+    $max = 61; // mb_strlen($keyspace, '8bit') - 1;
+    if ($max < 1) {
+        throw new Exception('$keyspace must be at least two characters long');
+    }
+    for ($i = 0; $i < $length; ++$i) {
+        $str .= $keyspace[random_int(0, $max)];
+    }
+    return $str;
+}
+global $nonce;
+$nonce = random_str(8);
+
+header("Content-Security-Policy: default-src 'self' ifdb.org www.google.com 'nonce-$nonce'; style-src 'self' 'unsafe-inline';");

www/delgame

@@ -366,14 +366,11 @@ if ($createFwd)
            <b>Target game for forwarding redirect (TUID):</b><br>
            <input name="fwdid" id="fwdid" type="text" size=50
                  value="<?php echo $fwdid ?>">
-           <a href="needjs"
-              onclick="javascript:openGameSearchPopup(
-                 'fwdid', applyFwd, '<?php
-   echo str_replace(array("'", '"'), array("\\'", "&#34;"), $title)
-                 ?>');return false;"
-              >Find game by title</a>
-
-<script type="text/javascript">
+           <a href="needjs"><?php echo addEventListener("click", "openGameSearchPopup(
+                 'fwdid', applyFwd, '" . str_replace(array("'", '"'), array("\\'", "&#34;"), $title) . "');return false;"); ?>
+              Find game by title</a>
+
+<script type="text/javascript" nonce="<?php global $nonce; echo $nonce; ?>">
 <!--
 function applyFwd(id, title, author)
 {

www/editclub

@@ -412,19 +412,20 @@ formCol("url", $url, "Web site", "input(80)",
         "The club's official Web site URL (http://...)");
 formCol("contacts", $contacts, "Contacts", "input(80)",
         "Contact information for club officials: use the format "
-        . "<b>Bob Smith &lt;bob@ifclub.com&gt; <a class=silent href="
-        . helpWinHRef("help-tuid") . "\">{TUID}</a></b>.  The {TUID} "
+        . "<b>Bob Smith &lt;bob@ifclub.com&gt; "
+        . helpWinLink("help-tuid", "{TUID}") . "</b>.  The {TUID} "
         . "is the IFDB profile link - "
-        . "<a href=\"needjs\" onclick=\"javascript:aplOpen("
-        . "'fld-contacts', 'Contacts');return false;\">Look up a profile</a>. "
+        . "<a href=\"needjs\">"
+        . addEventListener("click", "aplOpen('fld-contacts', 'Contacts');return false;")
+        . "Look up a profile</a>. "
         . "Separate contacts with commas if entering more than one. "
         . "E-mails will only be revealed after an \"enter the code\" "
         . "(CAPTCHA) test to block spam robots.");
 
 $ckbox = "<label><input type=checkbox name=hasPassword value=1 "
-         . "id='ckPassword' " . ($hasPassword ? "checked " : "")
-         . "onclick=\"javascript:showHidePassword(this.checked);"
-         . "return true;\"> <label for='ckPassword'>"
+         . "id='ckPassword' " . ($hasPassword ? "checked " : "") . ">"
+         . addSiblingEventListeners([["click", "showHidePassword(this.checked);"]])
+         . " <label for='ckPassword'>"
          . "Require new members to enter a password to join</label></label><br>"
          . "<span class=details><i>If you check this box, new members "
          . "will only be able to join if they know the password. "
@@ -435,7 +436,7 @@ $ckbox = "<label><input type=checkbox name=hasPassword value=1 "
          . "affecting existing members.</i></span>";
 
 ?>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<?php global $nonce; echo $nonce; ?>">
 <!--
 function showHidePassword(show)
 {