Put the JavaScript for SVG/source toggling inside the safe-html nonce so that it survives safing.
Commit
ebf5b595704788c4e89704b7de38b7b23a663fa209edcab5330bd1212ff0b02c
Parent
3c786c6fc3603d8…
1 file changed
+1
-1
+1
-1
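--- a/src/markdown_html.c
+++ b/src/markdown_html.c
@@ -423,20 +423,20 @@
 blob_appendf(ob, "</div>\n");
 blob_reset(&css);
 blob_appendf(ob, "<pre class='pikchr-src' style='display:none;'>"
 "%s</pre>\n", zIn);
 blob_appendf(ob, "</div>\n");
-blob_appendf(ob, "%s\n", zSafeNonce);
 blob_appendf(ob,
 "<script nonce='%s'>\n"
 "document.getElementById('svgid-%d').ondblclick=function(){\n"
 " for(var c of this.children){"
 " c.style.display = c.style.display=='none'?'block':'none';"
 " }\n"
 "}\n"
 "</script>\n",
 style_nonce(), nSvg);
+blob_appendf(ob, "%s\n", zSafeNonce);
 }else{
 blob_appendf(ob, "<pre>\n%s\n</pre>\n", zOut);
 }
 fossil_free(zIn);
 free(zOut);
 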
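Review bot: Moving the zSafeNonce line to new-side 437 places the inline `<script>` in the region that, per the commit message, the safe-HTML pass leaves untouched, but nothing in the code records that invariant, so a later edit that interpolates document text into the script would silently become unfiltered markup. I would add a comment above the script's blob_appendf at new-side 428: `/* Emitted before zSafeNonce so the safe-HTML pass keeps it; must stay free of user-controlled text (only the integer nSvg and style_nonce() are interpolated). */`. The same reasoning covers the `<pre class='pikchr-src'>` block at 425–426, which already sat in the trusted region before this commit and presumably relies on zIn being escaped upstream; that is worth confirming rather than assuming, since the hunk does not show it. The enclosing function starts and ends outside the hunk, and the two later sections on this page repeat this same hunk as old-side and new-side views.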
| --- src/markdown_html.c | |
| +++ src/markdown_html.c | |
| @@ -423,20 +423,20 @@ | |
| 423 | blob_appendf(ob, "</div>\n"); |
| 424 | blob_reset(&css); |
| 425 | blob_appendf(ob, "<pre class='pikchr-src' style='display:none;'>" |
| 426 | "%s</pre>\n", zIn); |
| 427 | blob_appendf(ob, "</div>\n"); |
| 428 | blob_appendf(ob, "%s\n", zSafeNonce); |
| 429 | blob_appendf(ob, |
| 430 | "<script nonce='%s'>\n" |
| 431 | "document.getElementById('svgid-%d').ondblclick=function(){\n" |
| 432 | " for(var c of this.children){" |
| 433 | " c.style.display = c.style.display=='none'?'block':'none';" |
| 434 | " }\n" |
| 435 | "}\n" |
| 436 | "</script>\n", |
| 437 | style_nonce(), nSvg); |
| 438 | }else{ |
| 439 | blob_appendf(ob, "<pre>\n%s\n</pre>\n", zOut); |
| 440 | } |
| 441 | fossil_free(zIn); |
| 442 | free(zOut); |
| 443 |
| --- src/markdown_html.c | |
| +++ src/markdown_html.c | |
| @@ -423,20 +423,20 @@ | |
| 423 | blob_appendf(ob, "</div>\n"); |
| 424 | blob_reset(&css); |
| 425 | blob_appendf(ob, "<pre class='pikchr-src' style='display:none;'>" |
| 426 | "%s</pre>\n", zIn); |
| 427 | blob_appendf(ob, "</div>\n"); |
| 428 | blob_appendf(ob, |
| 429 | "<script nonce='%s'>\n" |
| 430 | "document.getElementById('svgid-%d').ondblclick=function(){\n" |
| 431 | " for(var c of this.children){" |
| 432 | " c.style.display = c.style.display=='none'?'block':'none';" |
| 433 | " }\n" |
| 434 | "}\n" |
| 435 | "</script>\n", |
| 436 | style_nonce(), nSvg); |
| 437 | blob_appendf(ob, "%s\n", zSafeNonce); |
| 438 | }else{ |
| 439 | blob_appendf(ob, "<pre>\n%s\n</pre>\n", zOut); |
| 440 | } |
| 441 | fossil_free(zIn); |
| 442 | free(zOut); |
| 443 |