Changes to make ACE editor useStrictCSP

tenet-ac-za · May 20, 2024 · 2ca743e · 2ca743e
1 parent d0238b7
commit 2ca743e
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/ui/footer.inc.php b/ui/footer.inc.php
@@ -40,6 +40,10 @@
   <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js" integrity="sha512-v2CJ7UaYy4JwqLDIrZUI/4hqeoQieOmAZNXBeQyjo21dadnwR+8ZaIJVT8EE2iyI61OV8e6M8PP2/4hpQINQ/g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.13.3/jquery-ui.min.js" integrity="sha512-Ww1y9OuQ2kehgVWSD/3nhgfrb424O3802QYP/A5gPXoM4+rRjiKrjHdGxQKrMGQykmsJ/86oGdHszfcVgUr4hA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/ace/1.33.2/ace.min.js" integrity="sha512-40pej1Lz2wywxd9lNJwJNSp9ekNFyX6wCmOzoaqIuUqexcjAUYqnhbg+fYUuPHzVyr5hshGv5FX8Om7yuTuWnA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+  <script<?= $nonce ?>>
+  // see header.inc.php about CSS from JSdelivr
+  ace.config.set("useStrictCSP", true);
+  </script>
   <script src="validate.js"></script>
 </html>
 
diff --git a/ui/header.inc.php b/ui/header.inc.php
@@ -43,6 +43,9 @@
     <!-- these are the bits you need to keep in a new skin -->
     <link rel="preconnect" href="https://cdnjs.cloudflare.com">
     <link rel="stylesheet" type="text/css" href="ui/jquery-ui.css">
+    <!-- cdnjs preferred, but doesn't have style sheets for ace editor :-(. These are unnecessary if you disable useStrictCSP in footer.inc.php -->
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/css/ace.css" integrity="sha256-attAqBHW7Lrtbe8maDpZhm2GoONy1kaP6RFBAYp3bGI=" crossorigin="anonymous">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/css/theme/xcode.css" integrity="sha256-j5T9X1QnSjk9DPjHuebrv01S8/x1VqCWGAhq4NYPdh8=" crossorigin="anonymous">
     <link rel="stylesheet" type="text/css" href="ui/validator.css">
 
     <!-- this is for the github-corners - https://github.com/tholman/github-corners -->

diff --git a/validate.js b/validate.js
@@ -501,9 +501,10 @@ $(document).ready(function ()
 
     content = false;
 
+    /* This is how we do CSP, but the cdnjs builds don't have CSS */
     editor = ace.edit("metadata");
     editor.setTheme("ace/theme/xcode");
-    editor.getSession().setMode("ace/mode/xml");
+    editor.session.setMode("ace/mode/xml");
     editor.$blockScrolling = Infinity;
     editor.on('paste', function() { resetUI(); });
     editor.on('change', function() {