LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Harden CSP by removing unsafe-inline for scripts

Browse Source 
Refactored all inline event handlers (onclick, onchange, onsubmit) to use
addEventListener with data-action attributes and event delegation pattern.

Changes:
- views/*.php: Replaced inline handlers with data-action attributes
- views/admin/*.php: Same refactoring for all admin views
- assets/js/dashboard.js: Added event delegation for bulk/quick action modals
- assets/js/ticket.js: Added event delegation for dynamic elements
- assets/js/markdown.js: Refactored toolbar button handlers
- assets/js/keyboard-shortcuts.js: Refactored modal close button
- SecurityHeadersMiddleware.php: Enabled strict CSP with nonces

The CSP now uses script-src 'self' 'nonce-{nonce}' instead of 'unsafe-inline',
significantly improving XSS protection.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Jared Vititoe
2026-01-30 13:15:55 -05:00
parent 37be81b3e2
commit c3f7593f3c
13 changed files with 564 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
views/admin/CustomFieldsView.php
View File

@@ -41,7 +41,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
<div class="ascii-frame-inner">
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 1rem;">
<h2 style="margin: 0;">Custom Field Definitions</h2>
<button onclick="showCreateModal()" class="btn">+ New Field</button>
<button data-action="show-create-modal" class="btn">+ New Field</button>
</div>
<table style="width: 100%;">
@@ -79,8 +79,8 @@ $nonce = SecurityHeadersMiddleware::getNonce();
</span>
</td>
<td>
<button onclick="editField(<?php echo $field['field_id']; ?>)" class="btn btn-small">Edit</button>
<button onclick="deleteField(<?php echo $field['field_id']; ?>)" class="btn btn-small btn-danger">Delete</button>
<button data-action="edit-field" data-id="<?php echo $field['field_id']; ?>" class="btn btn-small">Edit</button>
<button data-action="delete-field" data-id="<?php echo $field['field_id']; ?>" class="btn btn-small btn-danger">Delete</button>
</td>
</tr>
<?php endforeach; ?>
@@ -92,13 +92,13 @@ $nonce = SecurityHeadersMiddleware::getNonce();
</div>
<!-- Create/Edit Modal -->
<div class="settings-modal" id="fieldModal" style="display: none;">
<div class="settings-modal" id="fieldModal" style="display: none;" data-action="close-modal-backdrop">
<div class="settings-content" style="max-width: 500px;">
<div class="settings-header">
<h3 id="modalTitle">Create Custom Field</h3>
<button class="close-settings" onclick="closeModal()">×</button>
<button class="close-settings" data-action="close-modal">×</button>
</div>
<form id="fieldForm" onsubmit="saveField(event)">
<form id="fieldForm">
<input type="hidden" id="field_id" name="field_id">
<div class="settings-body">
<div class="setting-row">
@@ -111,7 +111,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
</div>
<div class="setting-row">
<label for="field_type">Field Type *</label>
<select id="field_type" name="field_type" required onchange="toggleOptionsField()">
<select id="field_type" name="field_type" required data-action="toggle-options-field">
<option value="text">Text</option>
<option value="textarea">Text Area</option>
<option value="select">Dropdown (Select)</option>
@@ -148,7 +148,7 @@ $nonce = SecurityHeadersMiddleware::getNonce();
</div>
<div class="settings-footer">
<button type="submit" class="btn btn-primary">Save</button>
<button type="button" class="btn btn-secondary" onclick="closeModal()">Cancel</button>
<button type="button" class="btn btn-secondary" data-action="close-modal">Cancel</button>
</div>
</form>
</div>
@@ -169,16 +169,48 @@ $nonce = SecurityHeadersMiddleware::getNonce();
document.getElementById('fieldModal').style.display = 'none';
}
// Close modal on ESC key
document.addEventListener('keydown', (e) => {
if (e.key === 'Escape') {
closeModal();
// Event delegation for data-action handlers
document.addEventListener('click', function(event) {
const target = event.target.closest('[data-action]');
if (!target) return;
const action = target.dataset.action;
switch (action) {
case 'show-create-modal':
showCreateModal();
break;
case 'close-modal':
closeModal();
break;
case 'close-modal-backdrop':
if (event.target === target) closeModal();
break;
case 'edit-field':
editField(target.dataset.id);
break;
case 'delete-field':
deleteField(target.dataset.id);
break;
}
});
// Close modal when clicking on backdrop (outside content)
document.getElementById('fieldModal').addEventListener('click', (e) => {
if (e.target.classList.contains('settings-modal')) {
document.addEventListener('change', function(event) {
const target = event.target.closest('[data-action]');
if (!target) return;
if (target.dataset.action === 'toggle-options-field') {
toggleOptionsField();
}
});
// Form submit handler
document.getElementById('fieldForm').addEventListener('submit', function(e) {
saveField(e);
});
// Close modal on ESC key
document.addEventListener('keydown', (e) => {
if (e.key === 'Escape') {
closeModal();
}
});