From cb913a3a76daf357ad36ca39c26b4aaf800211d2 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 21 Feb 2016 19:15:23 +0100
Subject: CSP for statistics and forms

https://github.com/FreshRSS/FreshRSS/issues/1075
---
 CHANGELOG.md                       |  2 ++
 app/FreshRSS.php                   |  6 +++++-
 app/layout/aside_feed.phtml        |  2 +-
 app/layout/nav_menu.phtml          |  2 +-
 app/views/extension/index.phtml    |  2 +-
 app/views/feed/add.phtml           |  2 +-
 app/views/helpers/pagination.phtml |  2 +-
 app/views/stats/idle.phtml         |  2 +-
 app/views/stats/index.phtml        | 10 +++++-----
 app/views/stats/repartition.phtml  | 10 +++++-----
 app/views/subscription/index.phtml |  4 ++--
 p/scripts/main.js                  |  6 +++---
 p/themes/base-theme/template.css   |  8 ++++++++
 13 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f96839eb..7fc872040 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## 2016-xx-xx FreshRSS 1.3.1-beta
 
+* Security
+	* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075)
 * UI
 	* Fixed several small bugs in global and reader view [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050)
 	* Updated to jQuery 2.2 and changed code for auto-load on scroll [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050)
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index a6ed2a306..62ea18d96 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -111,7 +111,11 @@ class FreshRSS extends Minz_FrontController {
 	}
 
 	public static function preLayout() {
-		header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'");
+		if (Minz_Request::controllerName() === 'stats') {
+			header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'");
+		} else {
+			header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *");
+		}
 	}
 
 	private function loadNotifications() {
diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml
index 307db6af8..4e1903a7a 100644
--- a/app/layout/aside_feed.phtml
+++ b/app/layout/aside_feed.phtml
@@ -19,7 +19,7 @@
 	<a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('index.menu.about'); ?></a>
 	<?php } ?>
 
-	<form id="mark-read-aside" method="post" style="display: none"></form>
+	<form id="mark-read-aside" method="post" aria-hidden="true"></form>
 
 	<ul class="tree">
 		<li class="tree-folder category all<?php echo FreshRSS_Context::isCurrentGet('a') ? ' active' : ''; ?>">
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 3a755b560..0f303beb8 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -79,7 +79,7 @@
 		);
 	?>
 
-	<form id="mark-read-menu" method="post" style="display: none"></form>
+	<form id="mark-read-menu" method="post" aria-hidden="true"></form>
 
 	<div class="stick" id="nav_menu_read_all">
 		<?php $confirm = FreshRSS_Context::$user_conf->reading_confirm ? 'confirm' : ''; ?>
diff --git a/app/views/extension/index.phtml b/app/views/extension/index.phtml
index f2d05028f..4b0d5ebeb 100644
--- a/app/views/extension/index.phtml
+++ b/app/views/extension/index.phtml
@@ -5,7 +5,7 @@
 
 	<h1><?php echo _t('admin.extensions.title'); ?></h1>
 
-	<form id="form-extension" method="post" style="display: none"></form>
+	<form id="form-extension" method="post" aria-hidden="true"></form>
 	<?php if (!empty($this->extension_list['system'])) { ?>
 	<h2><?php echo _t('admin.extensions.system'); ?></h2>
 	<?php
diff --git a/app/views/feed/add.phtml b/app/views/feed/add.phtml
index 35f6fbb12..fd6d41b1d 100644
--- a/app/views/feed/add.phtml
+++ b/app/views/feed/add.phtml
@@ -56,7 +56,7 @@
 					<option value="nc"><?php echo _t('sub.category.new'); ?></option>
 				</select>
 
-				<span style="display: none;">
+				<span aria-hidden="true">
 					<input type="text" name="new_category[name]" id="new_category_name" autocomplete="off" placeholder="<?php echo _t('sub.category.new'); ?>" />
 				</span>
 			</div>
diff --git a/app/views/helpers/pagination.phtml b/app/views/helpers/pagination.phtml
index b20201c4b..7eca8c525 100755
--- a/app/views/helpers/pagination.phtml
+++ b/app/views/helpers/pagination.phtml
@@ -14,7 +14,7 @@
 	);
 ?>
 
-<form id="mark-read-pagination" method="post" style="display: none"></form>
+<form id="mark-read-pagination" method="post" aria-hidden="true"></form>
 
 <ul class="pagination">
 	<li class="item pager-next">
diff --git a/app/views/stats/idle.phtml b/app/views/stats/idle.phtml
index 22117792d..11b7df8c4 100644
--- a/app/views/stats/idle.phtml
+++ b/app/views/stats/idle.phtml
@@ -18,7 +18,7 @@
 		<div class="stat">
 			<h2><?php echo _t('gen.date.' . $period); ?></h2>
 
-			<form id="form-delete" method="post" style="display: none"></form>
+			<form id="form-delete" method="post" aria-hidden="true"></form>
 
 			<?php foreach ($feeds as $feed) { ?>
 			<ul class="horizontal-list">
diff --git a/app/views/stats/index.phtml b/app/views/stats/index.phtml
index c11b88999..0a2fbdb10 100644
--- a/app/views/stats/index.phtml
+++ b/app/views/stats/index.phtml
@@ -66,18 +66,18 @@
 
 	<div class="stat">
 		<h2><?php echo _t('admin.stats.entry_per_day'); ?></h2>
-		<div id="statsEntryPerDay" style="height: 300px"></div>
+		<div id="statsEntryPerDay" class="statGraph"></div>
 	</div>
 
 	<div class="stat half">
 		<h2><?php echo _t('admin.stats.feed_per_category'); ?></h2>
-		<div id="statsFeedPerCategory" style="height: 300px"></div>
+		<div id="statsFeedPerCategory" class="statGraph"></div>
 		<div id="statsFeedPerCategoryLegend"></div>
-	</div><!--
+	</div>
 
-	--><div class="stat half">
+	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_category'); ?></h2>
-		<div id="statsEntryPerCategory" style="height: 300px"></div>
+		<div id="statsEntryPerCategory" class="statGraph"></div>
 		<div id="statsEntryPerCategoryLegend"></div>
 	</div>
 </div>
diff --git a/app/views/stats/repartition.phtml b/app/views/stats/repartition.phtml
index 980b26a3d..ffb2c361e 100644
--- a/app/views/stats/repartition.phtml
+++ b/app/views/stats/repartition.phtml
@@ -48,17 +48,17 @@
 
 	<div class="stat">
 		<h2><?php echo _t('admin.stats.entry_per_hour', $this->averageHour); ?></h2>
-		<div id="statsEntryPerHour" style="height: 300px"></div>
+		<div id="statsEntryPerHour" class="statGraph"></div>
 	</div>
 
 	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_day_of_week', $this->averageDayOfWeek); ?></h2>
-		<div id="statsEntryPerDayOfWeek" style="height: 300px"></div>
-	</div><!--
+		<div id="statsEntryPerDayOfWeek" class="statGraph"></div>
+	</div>
 
-	--><div class="stat half">
+	<div class="stat half">
 		<h2><?php echo _t('admin.stats.entry_per_month', $this->averageMonth); ?></h2>
-		<div id="statsEntryPerMonth" style="height: 300px"></div>
+		<div id="statsEntryPerMonth" class="statGraph"></div>
 	</div>
 </div>
 
diff --git a/app/views/subscription/index.phtml b/app/views/subscription/index.phtml
index 2cfe3f33c..07cebf817 100644
--- a/app/views/subscription/index.phtml
+++ b/app/views/subscription/index.phtml
@@ -28,7 +28,7 @@
 						</select>
 					</li>
 
-					<li class="input" style="display:none">
+					<li class="input" aria-hidden="true">
 						<input type="text" name="new_category[name]" id="new_category_name" autocomplete="off" placeholder="<?php echo _t('sub.category.new'); ?>" />
 					</li>
 
@@ -62,7 +62,7 @@
 		</ul>
 	</div>
 
-	<form id="controller-category" method="post" style="display: none;"></form>
+	<form id="controller-category" method="post" aria-hidden="true"></form>
 
 	<?php
 		foreach ($this->categories as $cat) {
diff --git a/p/scripts/main.js b/p/scripts/main.js
index cfde5fd4e..d62a6aff8 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -899,7 +899,7 @@ function refreshUnreads() {
 
 			if ((incUnreadsFeed(null, feed_id, nbUnreads - feed_unreads) || isAll) &&	//Update of current view?
 				(nbUnreads - feed_unreads > 0)) {
-				$('#new-article').show();
+				$('#new-article').attr('aria-hidden', 'false').show();
 				new_articles = true;
 			};
 		});
@@ -1122,10 +1122,10 @@ function init_feed_observers() {
 	$('select[id="category"]').on('change', function() {
 		var detail = $('#new_category_name').parent();
 		if ($(this).val() === 'nc') {
-			detail.show();
+			detail.attr('aria-hidden', 'false').show();
 			detail.find('input').focus();
 		} else {
-			detail.hide();
+			detail.attr('aria-hidden', 'true').hide();
 		}
 	});
 }
diff --git a/p/themes/base-theme/template.css b/p/themes/base-theme/template.css
index 17a43d3ed..8a12423be 100644
--- a/p/themes/base-theme/template.css
+++ b/p/themes/base-theme/template.css
@@ -110,6 +110,11 @@ td.numeric {
 
 /*=== COMPONENTS */
 /*===============*/
+
+[aria-hidden="true"] {
+	display: none;
+}
+
 /*=== Forms */
 .form-group::after {
 	content: "";
@@ -620,6 +625,9 @@ br + br + br {
 .stat > table {
 	width: 100%;
 }
+.statGraph {
+	height: 300px;
+}
 
 /*=== GLOBAL VIEW */
 /*================*/
-- 
cgit v1.2.3