Another Javascript question

cas

Another Javascript question

Post by cas »

In some of my plugins, I sometimes use popup windows.
This is broken in version 2.0 (this was also already the case with the 1.3 series).
Looking at the discussions mid last year, I thought it better to wait to update my plugins. With version 2.0 I wanted to catch up.
The quick fix (http://mantisbt.org/forums/viewtopic.ph ... ipt#p60035) still works, which is fine, but this cannot be the way.
In standard Mantis the following line now even fails:
<a href="javascript: alert('Hello World')">Click Me</a> :roll:

So my question is how I would need to handle this properly; is there some guidance available?
atrol
Site Admin

Re: Another Javascript question

Post by atrol »

cas wrote: The quick fix (http://mantisbt.org/forums/viewtopic.ph ... ipt#p60035) still works which is fine but this cannot be the way
Right, this was very quick and dirty.

A bit better would be to add your CSP headers as needed by using our new API

Code:

/**
 * Add a Content-Security-Policy directive.
 *
 * @param  string $p_type  The directive type, e.g. style-src, script-src.
 * @param  string $p_value The directive value, e.g. 'self', https://ajax.googleapis.com
 * @return void
 */
function http_csp_add( $p_type, $p_value )

For example, have a look at our own embedded Gravatar plugin for usage:

Code:

	function csp_headers() {
		if( config_get( 'show_avatar' ) !== OFF ) {
			http_csp_add( 'img-src', self::getAvatarUrl() );
		}
	}

The clean way would be to remove all embedded JavaScript code.
This is what we did in 1.3 for it http://www.mantisbt.org/bugs/view.php?id=11826
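The "clean way" from the reply above, sketched as an added example (not code from MantisBT or from either poster): the link carries its popup target in a data attribute, and a script file served from the tracker's own origin attaches the click handler, so no inline JavaScript has to be allowed. The attribute name data-popup-url, the functions safePopupUrl and bindPopups, the window name and size, and a policy that permits scripts from the tracker's own origin are all assumptions.

```javascript
// popup.js: loaded with <script src="..."> from the plugin's own files.
// Markup it expects (constructed sample, replaces href="javascript: ..."):
//   <a href="help.php" data-popup-url="help.php">Help</a>

// Resolve the attribute against the current page and accept only
// same-origin http(s) targets; javascript:, data: and foreign hosts give null.
function safePopupUrl(raw, baseHref) {
  let url;
  try {
    url = new URL(raw, baseHref);
  } catch (e) {
    return null; // unparsable value
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.origin === new URL(baseHref).origin ? url.href : null;
}

// Attach a click handler to every element carrying data-popup-url.
// root and win are parameters so the function can be exercised without a browser.
// Returns the number of elements that received a handler.
function bindPopups(root, win) {
  let bound = 0;
  root.querySelectorAll('[data-popup-url]').forEach(function (el) {
    const target = safePopupUrl(el.getAttribute('data-popup-url'), win.location.href);
    if (target === null) return; // rejected: the link keeps its plain href behaviour
    el.addEventListener('click', function (ev) {
      ev.preventDefault(); // suppress normal navigation, open the popup instead
      win.open(target, 'plugin_popup', 'width=640,height=480,noopener');
    });
    bound += 1;
  });
  return bound;
}

// In a browser, wire everything up once the DOM has been parsed.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    bindPopups(document, window);
  });
}
```

Because the handler is attached from an external file, the page needs no http_csp_add() call for script-src at all; the href fallback also keeps the link usable when scripts are blocked.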