Closes #99

Added measures to work with CSP

Author: bkraul

BBCodePlus/BBCodePlus.php

@@ -12,6 +12,7 @@ class BBCodePlusPlugin extends MantisFormattingPlugin {
       private $t_MantisCoreFormatting_process_markdown = OFF;
       private $t_bbCode = null;
       private $t_HTML = null;
+      private $t_nonceToken = null;
       //-------------------------------------------------------------------
       /**
        *  A method that populates the plugin information and minimum requirements.
@@ -22,7 +23,7 @@ function register() {
          $this->name        = plugin_lang_get( 'title' );
          $this->description = plugin_lang_get( 'description' );
          $this->page        = 'config';
-         $this->version     = '2.1.17';
+         $this->version     = '2.1.18';
 
          $this->requires['MantisCore'] = '2.0.0';
          # this plugin can coexist with MantisCoreFormatting.
@@ -74,6 +75,8 @@ function init() {
                $this->t_MantisCoreFormatting_process_markdown = OFF;
             }
          }
+         # create the random nonce token for allowing unsafe-eval on csp
+         $this->t_nonceToken = base64_encode(substr(md5(mt_rand()), 0, 12));
       }
       //-------------------------------------------------------------------
       /**
@@ -121,6 +124,7 @@ function csp_headers() {
          if ( (ON == plugin_config_get( 'process_markitup' )) && function_exists( 'http_csp_add' ) ) {
             http_csp_add( 'img-src', "*" );
             http_csp_add( 'frame-ancestors', "'self'" );
+            http_csp_add( 'script-src', "'nonce-$this->t_nonceToken'");
          }
       }
       //-------------------------------------------------------------------
@@ -132,23 +136,23 @@ function csp_headers() {
       function resources( $p_event ) {
          # includes.
          $resources = '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'bbcodeplus.css' ) . '" />';
-         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '"></script>';
+         $resources .= '<script type="text/javascript" src="' . plugin_file( 'bbcodeplus-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
          if ( ON == plugin_config_get( 'process_markitup' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/skins/' . plugin_config_get( 'markitup_skin' ) . '/style.css' ) . '" />';
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'markitup/sets/mantis/style.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '"></script>';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/jquery_markitup.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup/sets/mantis/set.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'markitup-init.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
          }
 
          if ( ON == plugin_config_get( 'process_highlight' ) ) {
             $resources .= '<link rel="stylesheet" type="text/css" href="' . plugin_file( 'prism/styles/' . plugin_config_get( 'highlight_css' ) . '.css' ) . '" />';
-            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '"></script>';
+            $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
 
             # load additional languages.
             if ( ON == plugin_config_get( 'highlight_extralangs' ) ) {
-               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '"></script>';
+               $resources .= '<script type="text/javascript" src="' . plugin_file( 'prism/prism_additional_languages.js' ) . '" nonce="' . $this->t_nonceToken . '"></script>';
             }
          }
 

BBCodePlus/files/markitup/jquery_markitup.js

@@ -220,9 +220,7 @@
 						}).bind("focusin.markItUp", function(){
                             $$.focus();
 						}).bind('mouseup', function(e) {
-							if (button.call) {
-								eval(button.call)(e); // Pass the mouseup event to custom delegate
-							}
+							if (button.call == 'preview') { preview(); }
 							setTimeout(function() { markup(button) },1);
 							return false;
 						}).bind('mouseenter.markItUp', function() {

BBCodePlus/files/markitup/sets/mantis/set.js

@@ -199,8 +199,7 @@ mySettings = {
                     list.attr("class", "bbcodeplus image-picker");
 
                     $(".bug-attachment-preview-image a img").each(function(index, value) {
-                        var imgUrl = this.src;
-                        
+                        var imgUrl = $(this).parent().prop('href');
                         var img = $("<li><a href=\"#\"><img src=\"" + imgUrl + "\"></a></li>");
                         var link = img.children('a');
                         link.click(function() {

README.md

@@ -26,6 +26,11 @@ If you would like to contribute to BBCode plus, please [read this guide first](h
 
 ## Change Log
 
+### 2.1.18
+
+- Added `nonce` random token and directives for included js scripts in order to hopefully address CSP restrictions.
+- Corrected issue with referencing issue images (removed volatile token, now using only file id and type).
+
 ### 2.1.17
 
 - Fixed styling and scripting issues with issue image picker.