From a6eca28ec6dcebea958922d36909cb94da9c2b7d Mon Sep 17 00:00:00 2001
From: Kyle Zhao
Date: Thu, 25 Oct 2018 09:52:01 -0400
Subject: [PATCH] CSP - extract all other inline JavaScripts (#6528)
* wizard page inline js
* print topic inline js
* drop JS for preventing double submission
this is the default behavior with Rails' UJS `disable_with` helper
* omniauth complete redirect JS
* account activate inline js
---
.../activate-account.js.no-module.es6 | 24 +++++++++++++++++++
.../auto-redirect.js.no-module.es6 | 6 +++++
.../omniauth-complete.js.no-module.es6 | 14 +++++++++++
app/assets/javascripts/print-page.js | 3 +++
.../javascripts/wizard-start.js.no-module.es6 | 4 ++++
app/views/topics/show.html.erb | 6 +----
app/views/user_api_keys/new.html.erb | 14 +----------
app/views/users/_auto_redirect_home.html.erb | 7 ------
app/views/users/activate_account.html.erb | 19 ++-------------
.../omniauth_callbacks/complete.html.erb | 17 ++++---------
.../users/perform_account_activation.html.erb | 5 +++-
app/views/wizard/index.html.erb | 8 +------
config/application.rb | 5 ++++
.../complete.html.erb_spec.rb | 2 +-
14 files changed, 71 insertions(+), 63 deletions(-)
create mode 100644 app/assets/javascripts/activate-account.js.no-module.es6
create mode 100644 app/assets/javascripts/auto-redirect.js.no-module.es6
create mode 100644 app/assets/javascripts/omniauth-complete.js.no-module.es6
create mode 100644 app/assets/javascripts/print-page.js
create mode 100644 app/assets/javascripts/wizard-start.js.no-module.es6
delete mode 100644 app/views/users/_auto_redirect_home.html.erb
diff --git a/app/assets/javascripts/activate-account.js.no-module.es6 b/app/assets/javascripts/activate-account.js.no-module.es6
new file mode 100644
index 00000000000..8d5691d0d81
--- /dev/null
+++ b/app/assets/javascripts/activate-account.js.no-module.es6
@@ -0,0 +1,24 @@
+(function() {
+ setTimeout(function() {
+ const $activateButton = $("#activate-account-button");
+ $activateButton.on("click", function() {
+ $activateButton.prop("disabled", true);
+ const hpPath = document.getElementById("data-activate-account").dataset
+ .path;
+ $.ajax(hpPath)
+ .then(function(hp) {
+ $("#password_confirmation").val(hp.value);
+ $("#challenge").val(
+ hp.challenge
+ .split("")
+ .reverse()
+ .join("")
+ );
+ $("#activate-account-form").submit();
+ })
+ .fail(function() {
+ $activateButton.prop("disabled", false);
+ });
+ });
+ }, 50);
+})();
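Review bot: The click handler disables the button before it looks up `#data-activate-account`, so if that meta element is missing the `.dataset` access throws and the button stays disabled with no way to retry. Reading the path once before binding fails earlier and keeps DOM lookups out of the handler: move `const hpPath = document.getElementById("data-activate-account").dataset.path;` above `$activateButton.on("click", ...)`. The 50 ms `setTimeout` would also benefit from a one-line comment saying what it waits for, since print-page.js in this same patch uses `DOMContentLoaded` for what appears to be the same purpose.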
diff --git a/app/assets/javascripts/auto-redirect.js.no-module.es6 b/app/assets/javascripts/auto-redirect.js.no-module.es6
new file mode 100644
index 00000000000..1b549887400
--- /dev/null
+++ b/app/assets/javascripts/auto-redirect.js.no-module.es6
@@ -0,0 +1,6 @@
+(function() {
+ const path = document.getElementById("data-auto-redirect").dataset.path;
+ setTimeout(function() {
+ window.location.href = path;
+ }, 2000);
+})();
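Review bot: `window.location.href = path` navigates to whatever the `data-path` attribute holds, which could be an absolute URL on another origin or a `javascript:` URL. The template that renders `#data-auto-redirect` is not part of this hunk, so the value may well be a fixed server-side path. A same-origin check would keep the script safe even if a later caller passes something user-influenced: `const target = new URL(path, window.location.origin);` followed by `if (target.origin === window.location.origin) window.location.href = target.href;`.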
diff --git a/app/assets/javascripts/omniauth-complete.js.no-module.es6 b/app/assets/javascripts/omniauth-complete.js.no-module.es6
new file mode 100644
index 00000000000..b04fbb013b9
--- /dev/null
+++ b/app/assets/javascripts/omniauth-complete.js.no-module.es6
@@ -0,0 +1,14 @@
+(function() {
+ const { authResult, baseUrl } = document.getElementById(
+ "data-auth-result"
+ ).dataset;
+ const parsedAuthResult = JSON.parse(authResult);
+
+ if (!window.opener) {
+ localStorage.setItem("lastAuthResult", authResult);
+ window.location.href = `${baseUrl}?authComplete=true`;
+ } else {
+ window.opener.Discourse.authenticationComplete(parsedAuthResult);
+ window.close();
+ }
+})();
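Review bot: The `else` branch assumes that any `window.opener` is a same-origin Discourse window. If the opener is cross-origin, or is a page without a `Discourse` global, `window.opener.Discourse.authenticationComplete(...)` throws and the popup neither closes nor falls back to the redirect path. Wrapping the opener call in `try`/`catch` and reusing the no-opener path on failure lets the login still complete. What `authResult` contains is not visible here; because the no-opener path persists it in `localStorage`, a short comment on what it holds would help later reviewers.

```javascript
// … unchanged: dataset lookup and JSON.parse …
  const finishInSameWindow = function() {
    localStorage.setItem("lastAuthResult", authResult);
    window.location.href = `${baseUrl}?authComplete=true`;
  };

  if (!window.opener) {
    finishInSameWindow();
    return;
  }

  try {
    window.opener.Discourse.authenticationComplete(parsedAuthResult);
    window.close();
  } catch (e) {
    // opener is cross-origin or is not a Discourse window
    finishInSameWindow();
  }
```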
diff --git a/app/assets/javascripts/print-page.js b/app/assets/javascripts/print-page.js
new file mode 100644
index 00000000000..beade695615
--- /dev/null
+++ b/app/assets/javascripts/print-page.js
@@ -0,0 +1,3 @@
+document.addEventListener("DOMContentLoaded", function() {
+ window.print();
+});
diff --git a/app/assets/javascripts/wizard-start.js.no-module.es6 b/app/assets/javascripts/wizard-start.js.no-module.es6
new file mode 100644
index 00000000000..403ef667496
--- /dev/null
+++ b/app/assets/javascripts/wizard-start.js.no-module.es6
@@ -0,0 +1,4 @@
+(function() {
+ var wizard = require("wizard/wizard").default.create();
+ wizard.start();
+})();
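Review bot: `var wizard` is the only `var` in the scripts this patch adds; the other new `.no-module.es6` files declare their locals with `const`. Writing `const wizard = require("wizard/wizard").default.create();` keeps the new files consistent.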
diff --git a/app/views/topics/show.html.erb b/app/views/topics/show.html.erb
index 21788d3b77e..f0d02c9d8db 100644
--- a/app/views/topics/show.html.erb
+++ b/app/views/topics/show.html.erb
@@ -110,10 +110,6 @@
color: #0088cc !important;
}
-
+ <%= preload_script('print-page') %>
<% end %>
<% end %>
diff --git a/app/views/user_api_keys/new.html.erb b/app/views/user_api_keys/new.html.erb
index fb689adc864..28531e07db6 100644
--- a/app/views/user_api_keys/new.html.erb
+++ b/app/views/user_api_keys/new.html.erb
@@ -28,20 +28,8 @@
<%= hidden_field_tag 'push_url', @push_url %>
<%= hidden_field_tag 'public_key', @public_key%>
<%= hidden_field_tag 'scopes', @scopes%>
- <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger', id: 'submit' %>
+ <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %>
<% end %>
-
<% end %>
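Review bot: After this hunk, double-submit protection on the authorize button depends entirely on Rails UJS handling `disable_with` for `submit_tag`, and nothing in the hunk shows that UJS is loaded on this page. This form authorizes a user API key, so it is worth confirming that the layout used here includes the UJS script. Alternatively, make the dependency explicit on the tag with `data: { disable_with: t('user_api_key.authorize') }`. The form itself starts above the hunk.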
diff --git a/app/views/users/_auto_redirect_home.html.erb b/app/views/users/_auto_redirect_home.html.erb
deleted file mode 100644
index 7243a2bbca3..00000000000
--- a/app/views/users/_auto_redirect_home.html.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-
\ No newline at end of file
diff --git a/app/views/users/activate_account.html.erb b/app/views/users/activate_account.html.erb
index 2bf9393135f..85d99fa5369 100644
--- a/app/views/users/activate_account.html.erb
+++ b/app/views/users/activate_account.html.erb
@@ -13,22 +13,7 @@
<%= preload_script "ember_jquery" %>
<%= preload_script "vendor" %>
<%= render_google_universal_analytics_code %>
+ <%= tag.meta id: 'data-activate-account', data: { path: path('/u/hp') } %>
<%- end %>
-
+<%= preload_script "activate-account" %>
diff --git a/app/views/users/omniauth_callbacks/complete.html.erb b/app/views/users/omniauth_callbacks/complete.html.erb
index c4dd3c9db4c..5eb0ab9db92 100644
--- a/app/views/users/omniauth_callbacks/complete.html.erb
+++ b/app/views/users/omniauth_callbacks/complete.html.erb
@@ -15,6 +15,11 @@
border-bottom-color: #999;
}
+ <%= tag.meta id: 'data-auth-result', data: {
+ auth_result: @auth_result.to_client_hash,
+ base_url: Discourse.base_url
+ } %>
+ <%= preload_script('omniauth-complete') %>
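Review bot: Everything returned by `@auth_result.to_client_hash` is now written into the page markup as a `data-auth-result` attribute, and omniauth-complete.js in this patch copies it into `localStorage` when there is no opener. The hash contents are not visible in this hunk, so confirm it carries only what the client needs and no token or secret. A comment above the tag would document the contract, for example `<%# data values are JSON-encoded and HTML-escaped by the tag helper; omniauth-complete.js reads auth_result with JSON.parse %>`.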
@@ -23,18 +28,6 @@
<%=t "login.auth_complete" %>
<%= t("login.click_to_continue") %>
-
-