• last updated 9 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
- fix test condition

- fix brace

- fix braces

- don't add a bodyscript for every day

- clean dirty editor buffer

- replace onclick handler by eventlistener (for more strict CSPs)

- turn onclick handler into event listener and a body script (for strict CSPs)

- fix css statements

- add preventDefault() to all event handlers listening to click events

- prevent jumping in event listeners

- added sample template oacs-view3-bootstrap3.adp as used on openacs.org

- updated sample templates

file oacs-view3-bootstrap3.adp was initially added on branch oacs-5-9.

- add CSP directives

- use addEventListener instead of onclick markup for wiki-search,

edit-tags and popular-tags

- fix popular tags link

- regenerated template files

- added scp directives for yui

- bump version number to 5.9.1d12

    • -3
    • +3
    /openacs-4/packages/xowiki/xowiki.info
    • -1
    • +1
    /openacs-4/packages/xowiki/lib/view.tcl
- use always template::head procs

- bump version number to 0.150

- add required CSP directives; turn "body_handler -event onload" into a body_script

- add CSP directive "img-src 'self'" per default

- CSP-reform: turn hrefs with javascript: URLs into body_scripts with eventListener for "click"

- reduce verbosity

- CSP-reform: turn onclick handler into body_script with eventListener

- composition-rel reform: add one more type-cast

- add CSP nonce to script tags if nonce value is available

- turn function definition of acs_Focus() into a conditionally defined

body-script

- turn "body_event_handlers" into "window.addEventListener"

- Improved compatiblity with PostgreSQL before 9.2:

don't use SQL-language function names to reference parameters to

obtain compatibility for earlier PostgreSQL versions

(see https://www.postgresql.org/docs/9.2/static/release-9-2.html

item E.19.3.9.3)

- fix upgrade script for PostgreSQL before 9.2: the old version checked

already the version number, but actually the SQL compilation failed

due to the unknown "IF EXISTS" for sequences.

- add required CSP directives

- update dependences on acs-tcl for CSP

- upgrade CKEditor version to 4.5.11

- bump version number to 5.9.1d11

    • -4
    • +4
    /openacs-4/packages/xowiki/xowiki.info
- add required CSP directives

- update dependences for CSP

- upgrade CKEditor version to 4.5.10

- bump version number to 0.6

- turn hardcoded inline script into a template::add_body_script to use CSP nonces

- bump version number to 1.3d15

    • -2
    • +2
    /openacs-4/packages/forums/forums.info
- use functions rather than strings in js setTimeout() for CSP

- use template::add_body_script to get csp nonces generated

- bump version to 0.47

- Added support for W3C Content Security Policy(CSP)

* For details about CSP, see https://www.w3.org/TR/CSP/

* New calls:

security::csp::nonce:

Generate a CSP nonce token token

security::csp::require /directive/ /value/:

Add a requirements of a page to the CSP in order to generate

later a tailored policy with the minimal permissions for

this page. For example, the following requirement is

currently added per default to the oacs-master template to

permit style tags and style attribites in the markup.

security::csp::require style-src 'unsafe-inline'

security::csp::render:

Generate a policy from the requirements

* Added Kernel Parameter CSPEnabledP to activate/desctivate CSP

(default on)

- Bump version numbers

acs-tcl to 5.9.1d11

acs-bootstrap-installer to 5.9.1d4

acs-kernel to 5.9.1d17

    • -2
    • +2
    /openacs-4/packages/acs-tcl/acs-tcl.info
- new function ::security::nonce_token to generate a nonce token as described in W3C Content Security Policy