Tag script blocks with nonce (#382)

SkylineToolsStore/src/org/labkey/skylinetoolsstore/view/SkylineRating.jsp

@@ -75,7 +75,7 @@
 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
 <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
 <link rel="stylesheet" href="https://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css">
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     $(function() {
         initRatingSlider($("#slider"), $("#sliderover"), $("#ratingvalue"));
     });

SkylineToolsStore/src/org/labkey/skylinetoolsstore/view/SkylineToolDetails.jsp

@@ -594,7 +594,7 @@ a { text-decoration: none; }
 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
 <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
 
-<script>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     $(function() {
         initRatingSlider($("#ratingSlider"), $("#ratingSliderOver"), $("#reviewValue"));
         initRatingSlider($("#ratingSliderPop"), $("#ratingSliderOverPop"), $("#reviewValuePop"));

SkylineToolsStore/src/org/labkey/skylinetoolsstore/view/SkylineToolManageOwners.jsp

@@ -47,7 +47,7 @@
 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
 <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
 
-<script>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     var ownersTxt = $("#toolOwners");
     ownersTxt.focus();
     ownersTxt.val("<%= h(toolOwners) %>");

SkylineToolsStore/src/org/labkey/skylinetoolsstore/view/SkylineToolsStoreUpload.jsp

@@ -52,7 +52,7 @@
 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
 <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
 
-<script>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     autocomplete($("#toolOwners"), <%=users%>);
     initJqueryUiImages("<%= h(imgDir + "jquery-ui") %>");
 </script>

SkylineToolsStore/src/org/labkey/skylinetoolsstore/view/SkylineToolsStoreWebPart.jsp

@@ -384,7 +384,7 @@
 <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.10.3/jquery-ui.min.js"></script>
 <link rel="stylesheet" href="https://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css">
 
-<script>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     var READ_MORE_TEXT = "Read more";
     var READ_LESS_TEXT = "Close";
     var BASE_SLIDE_TIME = 100;

lincs/resources/views/CustomGCT.html

@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=scriptNonce%>">
 
     LABKEY.requiresCss("/lincs/lincs.css");
 

lincs/src/org/labkey/lincs/view/customGCTForm.jsp

@@ -43,7 +43,7 @@
     span.heading {margin-bottom:20px 10px 20px 10px;}
 </style>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     // Download Ext4 js and css files.
     // LABKEY.requiresExt4Sandbox();

lincs/src/org/labkey/lincs/view/downloadCustomGCT.jsp

@@ -48,7 +48,7 @@
     downloadGctUrl.addParameter("fileName", fileName);
 %>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     LABKEY.requiresCss("/lincs/lincs.css");
     LABKEY.requiresScript("/lincs/lincs.js");

panoramapublic/resources/views/peptideSearchResults.html

@@ -1,5 +1,5 @@
 <div id="search-indicator"></div>
-<script type="text/javascript" nonce="<%=getScriptNonce()%>">
+<script type="text/javascript" nonce="<%=scriptNonce%>">
 
         let webpart = <%=webpartContext%>;
         const queryString = window.location.search;

panoramapublic/resources/views/proteinSearchResults.html

@@ -1,5 +1,5 @@
 <div id="search-indicator"></div>
-<script type="text/javascript" nonce="<%=getScriptNonce()%>">
+<script type="text/javascript" nonce="<%=scriptNonce%>">
 
         let webpart = <%=webpartContext%>;
         const queryString = window.location.search;

panoramapublic/resources/views/smallMoleculeSearchResults.html

@@ -1,5 +1,5 @@
 <div id="search-indicator"></div>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=scriptNonce%>">
 
         let webpart = <%=webpartContext%>;
         const queryString = window.location.search;

panoramapublic/src/org/labkey/panoramapublic/query/ExperimentAnnotationsTableInfo.java

@@ -622,9 +622,9 @@ public HtmlString getFormattedHtml(RenderContext ctx)
 
     private static class AutoCompleteColumn extends DataColumn
     {
-        private String _autoCompletionUrl;
-        private boolean _prefetch;
-        private String _placeholderText;
+        private final String _autoCompletionUrl;
+        private final boolean _prefetch;
+        private final String _placeholderText;
 
         public AutoCompleteColumn(ColumnInfo col, ActionURL autocompletionUrl, boolean prefetch, String placeHolderText)
         {
@@ -647,14 +647,14 @@ public void renderInputHtml(RenderContext ctx, Writer out, Object value) throws
             String renderId = getRenderId();
             StringBuilder sb = new StringBuilder();
 
-            sb.append("<script type=\"text/javascript\">");
+            sb.append("<script type=\"text/javascript\" nonce=\"").append(HttpView.currentPageConfig().getScriptNonce()).append("\">");
             sb.append("LABKEY.requiresScript([\"/PanoramaPublic/js/ExpAnnotAutoComplete.js\"], function() {\n");
             sb.append("Ext4.onReady(function(){\n");
             sb.append("    initAutoComplete(").append(_autoCompletionUrl).append(", '").append(renderId).append("', ").append(_prefetch ? "true": "false").append(");\n");
             sb.append("});});\n");
             sb.append("</script>\n");
             sb.append("<div style=\"margin-top:5px;\" id=\"").append(renderId).append("\" class=\"scrollable-dropdown-menu\">");
-            sb.append("<input type=\"text\" class=\"tags\" placeholder=\"" + _placeholderText + "\" name=\"" + name + "\" value=\"" + valueString + "\">");
+            sb.append("<input type=\"text\" class=\"tags\" placeholder=\"").append(_placeholderText).append("\" name=\"").append(name).append("\" value=\"").append(valueString).append("\">");
             sb.append("</div>");
             sb.append("<div style=\"font-size:11px\">").append(PageFlowUtil.filter(getHelpText(), true, false)).append("</div>");
 

panoramapublic/src/org/labkey/panoramapublic/view/combinationModInfo.jsp

@@ -38,7 +38,7 @@
 
 <div id="combinationModInfoForm"></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     const elementOrder = {}; // Order of elements in a normalized formula
     let idx = 0;

panoramapublic/src/org/labkey/panoramapublic/view/editSpecLibInfo.jsp

@@ -31,7 +31,7 @@
 <labkey:errors/>
 <div id="editSpecLibInfoForm"/>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/expannotations/experimentDetails.jsp

@@ -230,7 +230,7 @@
  }
 
 </style>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 
@@ -369,7 +369,7 @@
 
 </div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     var SHOW_MORE_TEXT = "[Show more]";
     var SHOW_LESS_TEXT = "[Show less]";

panoramapublic/src/org/labkey/panoramapublic/view/publish/CatalogEntryWebPart.java

@@ -1,6 +1,5 @@
 package org.labkey.panoramapublic.view.publish;
 
-import org.labkey.api.action.UrlProvider;
 import org.labkey.api.data.Container;
 import org.labkey.api.portal.ProjectUrls;
 import org.labkey.api.security.User;

panoramapublic/src/org/labkey/panoramapublic/view/publish/catalogEntryForm.jsp

@@ -1,19 +1,19 @@
 <%
-    /*
-     * Copyright (c) 2008-2019 LabKey Corporation
-     *
-     * Licensed under the Apache License, Version 2.0 (the "License");
-     * you may not use this file except in compliance with the License.
-     * You may obtain a copy of the License at
-     *
-     *     http://www.apache.org/licenses/LICENSE-2.0
-     *
-     * Unless required by applicable law or agreed to in writing, software
-     * distributed under the License is distributed on an "AS IS" BASIS,
-     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-     * See the License for the specific language governing permissions and
-     * limitations under the License.
-     */
+/*
+ * Copyright (c) 2008-2019 LabKey Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 %>
 <%@ taglib prefix="labkey" uri="http://www.labkey.org/taglib" %>
 <%@ page import="org.apache.commons.io.FileUtils" %>
@@ -161,7 +161,7 @@
 </div>
 
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     let cropper;
     let croppedImageDataUrl;

panoramapublic/src/org/labkey/panoramapublic/view/publish/confirmPublish.jsp

@@ -25,7 +25,7 @@
 <div id="publishDataDetails"></div>
 <div id="publishDataForm"></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/copyExperimentForm.jsp

@@ -86,7 +86,7 @@
     <%=link("ProteomeXchange Actions", pxActionsUrl)%>
 </div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/publicationDetails.jsp

@@ -24,7 +24,7 @@
 
 <div id="publishDataForm"></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/publishExperimentForm.jsp

@@ -107,7 +107,7 @@
         color: red;
     }
 </style>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     var urlFixedPre = <%=q(AppProps.getInstance().getBaseServerUrl() + AppProps.getInstance().getContextPath() + "/")%>;
     var urlFixedPost = <%=q(ShortURLRecord.URL_SUFFIX)%>;

panoramapublic/src/org/labkey/panoramapublic/view/publish/publishSuccessView.jsp

@@ -73,7 +73,7 @@
     </div>
 </div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     <% if (canAddCatalogEntry) { %>
         Ext4.onReady(function() {

panoramapublic/src/org/labkey/panoramapublic/view/publish/pxActions.jsp

@@ -47,7 +47,7 @@
 <div id="pxLinks"></div>
 <div id="pxMethodsForm"></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/pxMissingFiles.jsp

@@ -30,7 +30,7 @@
 
 <div id="missingFilesDiv"/>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function() {
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/pxValidationRunning.jsp

@@ -44,7 +44,7 @@
 
 <div style="margin-top:10px;" id="validationProgressDiv"></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     var htmlEncode = Ext4.util.Format.htmlEncode;
 

panoramapublic/src/org/labkey/panoramapublic/view/publish/pxValidationStatus.jsp

@@ -44,7 +44,7 @@
 
 <div id="validationStatusDiv"/>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     // Links that helped:
     // https://docs.sencha.com/extjs/4.2.2/extjs-build/examples/build/KitchenSink/ext-theme-neptune/#row-expander-grid

panoramapublic/src/org/labkey/panoramapublic/view/publish/updatePxDetails.jsp

@@ -30,7 +30,7 @@
     </ul>
 </div>
 <div style="margin-top:15px;" id="updateDetailsForm"></div>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/search/panoramaWebSearch.jsp

@@ -176,7 +176,7 @@
 
 </div>
 
-<script>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     const expSearchPanelItemId = 'expSearchPanel';
     const authorsItemId = 'Authors';
     const titleItemId = 'Title';

panoramapublic/src/org/labkey/panoramapublic/view/unimodMatchInfo.jsp

@@ -46,7 +46,7 @@
 <% } %>
 <div style="width:800px;margin-top:30px; margin-left:8px;"><%=button("Cancel").href(form.getCancelActionURL(PanoramaPublicController.getViewExperimentDetailsURL(form.getId(), getContainer()))).style("padding:4px 15px")%></div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce=<%=getScriptNonce()%>>
 
     Ext4.onReady(function(){
 

panoramapublic/src/org/labkey/panoramapublic/view/viewSlideshow.jsp

@@ -35,7 +35,7 @@
 
 <labkey:errors/>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     Ext4.onReady(function() {
 

signup/src/org/labkey/signup/SignUpAdmin.jsp

@@ -139,7 +139,7 @@
 <%
 JSONObject json = new JSONObject(m);
 %>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 
     function showAdd(group) {
         if (group.length > 1)

testresults/src/org/labkey/testresults/view/errorFiles.jsp

@@ -21,7 +21,7 @@
 
 <%@include file="menu.jsp" %>
 <script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     LABKEY.requiresCss("/TestResults/css/style.css");
 </script>
 <p>All the files listed below at one point or another failed to post.  When a run is successfully posted through this page it gets removed from the list.</p>
@@ -48,7 +48,7 @@
     </table><br/>
 <% } %>
 <p><a href="filecontent-begin.view">Files</a></p>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     $(document).ajaxStart(function() {
         $("#loading").show();
     }).ajaxStop(function() {

testresults/src/org/labkey/testresults/view/failureDetail.jsp

@@ -173,7 +173,7 @@
 %>
 
 <%@include file="menu.jsp" %>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     LABKEY.requiresCss("/TestResults/css/style.css");
     LABKEY.requiresCss("/TestResults/css/tablesorter-default.css");
 </script>
@@ -250,7 +250,7 @@
     </tbody>
 </table>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
 $(document).ready(function() {
     const problemData = <%=json(problemData, 0)%>;
 

testresults/src/org/labkey/testresults/view/flagged.jsp

@@ -17,7 +17,7 @@
 %>
 
 <%@include file="menu.jsp" %>
-<script type="text/javascript">
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
     LABKEY.requiresCss("/TestResults/css/style.css");
 </script>
 <p>Runs which are flagged will not show up in the Overview breakdown, Long Term, and Failure pages.  This includes graphs, charts, and any other sort of data visualization.</p>

testresults/src/org/labkey/testresults/view/longTerm.jsp

@@ -57,7 +57,7 @@
 
     <% if (trendsJson != null) { %>
         <script src="<%=h(contextPath)%>/TestResults/js/generateTrendCharts.js"></script>
-        <script type="text/javascript">
+        <script type="text/javascript" nonce="<%=getScriptNonce()%>">
             var trendsJson = jQuery.parseJSON(<%= q(trendsJson.toString())%>);
             var failureJson = jQuery.parseJSON(<%= q(failureJson.toString())%>);
             var runCountPerDayJson = jQuery.parseJSON(<%=q(runCountPerDayJson.toString())%>);