sympa-community · ikedas · Jan 15, 2023 · Jan 15, 2023 · Jan 15, 2023 · Jan 18, 2023
diff --git a/default/web_tt2/compose_mail.tt2 b/default/web_tt2/compose_mail.tt2
@@ -15,8 +15,12 @@
             <input type="hidden" name="html_news_letter" value="[% subaction %]" />
         [% END %]
         <input type="hidden" name="action" value="send_mail"/>
-        <input class="MainMenuLinks" type="submit" name="sub_action_sendmailtolist" value="[%|loc%]Send to list[%END%]" [%- IF topic_required -%] onclick="return checkbox_check_topic(compose_mail)" [% END %]/>
-        <input class="MainMenuLinks" type="submit" name="sub_action_sendmailtome" value="[%|loc%]Send to me[%END%]" [%- IF topic_required -%] onclick="return checkbox_check_topic(compose_mail)" [% END %]/>
+        <input class="MainMenuLinks[%IF topic_required%] topicChecked[%END%]"
+         type="submit"
+         name="sub_action_sendmailtolist" value="[%|loc%]Send to list[%END%]" />
+        <input class="MainMenuLinks[%IF topic_required%] topicChecked[%END%]"
+         type="submit"
+         name="sub_action_sendmailtome" value="[%|loc%]Send to me[%END%]" />
         <br />
 
         <input type="hidden" name="in_reply_to" value="[% in_reply_to %]" />

diff --git a/default/web_tt2/confirm_action.tt2 b/default/web_tt2/confirm_action.tt2
@@ -615,7 +615,7 @@
 
 [% IF confirm_action == 'arc_delete' ~%]
     [%# FIXME. ~%]
-    <script>
+    <script nonce="[% csp_nonce %]">
     <!--
     $('#response_action_confirm').click(function(){
         if ($('#zip').prop('checked'))

diff --git a/default/web_tt2/crash.tt2 b/default/web_tt2/crash.tt2
@@ -3,6 +3,8 @@
     <!-- crash.tt2 -->
     <head>
         <meta charset="UTF-8" />
+        <meta http-equiv="Content-Security-Policy"
+         content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
         <meta name="generator" content="Sympa [% version %]" />
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title> [% main_title %] - [% action %] </title>

diff --git a/default/web_tt2/create_list_request.tt2 b/default/web_tt2/create_list_request.tt2
@@ -97,7 +97,7 @@
 </div>
 
 [%# Initialize toggle. #%]
-<script>
+<script nonce="[% csp_nonce %]">
 <!--
     $('#list_copy').hide();
 

diff --git a/default/web_tt2/head_javascript.tt2 b/default/web_tt2/head_javascript.tt2
@@ -6,7 +6,7 @@
 ## Use the js/sympa.js file instead of writing your scripts.
 ## This script only contains variable initializations.
 #%]
-<script>
+<script nonce="[% csp_nonce %]">
 <!--
 [%# A few configuration settings and miscellaneous vars. ~%]
 var sympa = {

diff --git a/default/web_tt2/lists.tt2 b/default/web_tt2/lists.tt2
@@ -76,7 +76,7 @@
 [% END %]
 
 [% IF all_letters.size %]
-    <script>
+    <script nonce="[% csp_nonce %]">
     <!--
     $(
         '[% 'a[href="#' _ all_letters.join( '"], a[href="#' ) _ '"]' %]'

diff --git a/default/web_tt2/main.tt2 b/default/web_tt2/main.tt2
@@ -3,6 +3,8 @@
     <!-- main.tt2 -->
     <head>
         <meta charset="UTF-8" />
+        <meta http-equiv="Content-Security-Policy"
+         content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
         <meta name="generator" content="Sympa [% version %]" />
         <meta name="viewport"  content="width=device-width, initial-scale=1.0">
         <title> [% main_title %] - [% action %] </title>

diff --git a/default/web_tt2/request_topic.tt2 b/default/web_tt2/request_topic.tt2
@@ -15,8 +15,9 @@
         [% END %]
         <br />
         [%- IF topic_required -%]
-            <input class="MainMenuLinks" type="submit" name="action_tag_topic_by_sender" value="[%|loc%]Tag this mail[%END%]"
-                   onclick="return checkbox_check_topic(select_topic_msg)" />
+            <input class="MainMenuLinks topicChecked" type="submit"
+             name="action_tag_topic_by_sender"
+             value="[%|loc%]Tag this mail[%END%]" />
         [%- ELSE -%]
             <input class="MainMenuLinks" type="submit" name="action_tag_topic_by_sender" value="[%|loc%]Tag this mail[%END%]" />
         [%- END -%]

diff --git a/default/web_tt2/stats.tt2 b/default/web_tt2/stats.tt2
@@ -18,7 +18,7 @@
         <h4>[% o.title %]</h4>
         [% IF o.defined('stats_values') %]
             <div id="[% chartid %]" style="height:400px;">
-                <script>
+                <script nonce="[% csp_nonce %]">
                     <!--
                     var line = [% o.stats_values %];
                     $.jqplot('[% chartid %]', [line], {

diff --git a/default/web_tt2/tt2_error.tt2 b/default/web_tt2/tt2_error.tt2
@@ -3,6 +3,8 @@
     <!-- tt2_error.tt2 -->
     <head>
         <meta charset="UTF-8" />
+        <meta http-equiv="Content-Security-Policy"
+         content="script-src 'self' 'unsafe-inline' 'nonce-[% csp_nonce %]'" />
         <meta name="generator" content="Sympa [% version %]" />
         <meta name="viewport" content="width=device-width, initial-scale=1.0">
         <title> [% main_title %] - [% action %] </title>

diff --git a/default/web_tt2/viewmod.tt2 b/default/web_tt2/viewmod.tt2
@@ -13,12 +13,13 @@
             </button>&nbsp;
         </p>
         <p>
-            <button class="action" type="submit" name="action_reject"
-                    value="[%|loc%]Reject[%END%]" data-tooltip
-                    [% IF msg.value.spam_status == 'spam' ~%]
-                        onclick="return check_reject_spam(reject_mail,'warningSpam')" aria-haspopup="true"
-                    [%~ END %]
-                    title="[%|loc%]Reject[%END%]">
+            <button class="action[%IF msg.value.spam_status == 'spam'%] checkRejectSpam[%END%]"
+             type="submit" name="action_reject"
+             value="[%|loc%]Reject[%END%]" data-tooltip
+             [% IF msg.value.spam_status == 'spam' ~%]
+                aria-haspopup="true"
+             [% END ~%]
+             title="[%|loc%]Reject[%END%]">
                 <i class="fas fa-trash-alt fa-lg"></i> [%|loc%]Reject[%END%]
             </button>
             <select name="message_template">

diff --git a/src/cgi/wwsympa.fcgi.in b/src/cgi/wwsympa.fcgi.in
@@ -2177,6 +2177,9 @@ sub send_html {
     # No longer needed: Workaround for Internet Explorer 8 or later.
     #print "X-UA-Compatible: IE=100\n";
 
+    # Calculate CSP nonce.
+    $param->{'csp_nonce'} = Sympa::Tools::Text::nonce();
+
     ## Notify crash to client.
     if ($param->{'action'} eq 'crash') {
         print "Status: 503 Service Unavailable\n";

diff --git a/src/lib/Sympa/HTMLDecorator.pm b/src/lib/Sympa/HTMLDecorator.pm
@@ -267,47 +267,53 @@ sub decorate_email_concealed {
 sub decorate_email_js {
     my $self = shift;
 
-    my $text = '';
-    while (my $item = $self->_queue_shift) {
-        $text .= $item->{text};
-    }
-
-    if (index($text, '<') == 0) {
-        return _decorate_email_js($text);
-    }
-
     my $decorated = '';
-    my $dtext     = Sympa::Tools::Text::decode_html($text);
-    pos $dtext = 0;
-    while ($dtext =~ /\G((?:\n|.)*?)\b($email_like_re)\b/cg) {
-        $decorated .=
-              Sympa::Tools::Text::encode_html($1)
-            . _decorate_email_js(Sympa::Tools::Text::encode_html($2));
-    }
-    if (pos $dtext) {
-        return $decorated
-            . Sympa::Tools::Text::encode_html(substr $dtext, pos $dtext);
+    while (my $item = $self->_queue_shift) {
+        if ($item->{event} eq 'text') {
+            my $dtext = Sympa::Tools::Text::decode_html($item->{text});
+            pos $dtext = 0;
+            while ($dtext =~ m{\G(.*?)\b($email_like_re)\b}cg) {
+                $decorated .= Sympa::Tools::Text::encode_html($1)
+                    . _decorate_email_js($2);
+            }
+            $decorated .=
+                Sympa::Tools::Text::encode_html(substr $dtext, pos $dtext);
+        } elsif ($item->{event} eq 'start'
+            and $item->{attr}
+            and 0 == index(lc($item->{attr}->{href} // ''), 'mailto:')) {
+            # Empties mailto URL in link target
+            my $text = $item->{text};
+            $text =~ s{(?<=\bhref=)([^\s>]+)}{
+                my $val = $1;
+                $val =~ s/\A['"\s]+//;
+                $val =~ s/['"\s]+\z//;
+                $val =~ s/\Amailto://i;
+                sprintf '"mailto:decoText" data-text="%s"',
+                    _decorate_email_js_encode(
+                        Sympa::Tools::Text::decode_html($val))
+            }egi;
+            $decorated .= $text;
+        } else {
+            $decorated .= $item->{text};
+        }
     }
 
-    return $text;
+    return $decorated;
 }
 
 sub _decorate_email_js {
     my $text = shift;
 
-    my @texts = map {
-        my $str = (defined $_) ? $_ : '';
-        $str =~ s/([\\\"])/\\$1/g;
-        $str =~ s/\r\n|\r|\n/\\n/g;
-        $str =~ s/\t/\\t/g;
-        $str;
+    return join '', map {
+        sprintf '<span class="decoText" data-text="%s">%s</span>',
+            _decorate_email_js_encode($_), '*' x length $_;
     } split /\b|(?=\@)|(?<=\@)/, $text;
-    return
-          sprintf '<script type="text/javascript">' . "\n" . '<!--' . "\n"
-        . 'document.write(%s)' . "\n"
-        . '// -->' . "\n"
-        . '</script>',
-        join(" +\n", map { '"' . $_ . '"' } @texts);
+}
+
+sub _decorate_email_js_encode {
+    my $text = shift;
+
+    join ',', map { ord $_ } split //, $text;
 }
 
 1;

diff --git a/src/lib/Sympa/Tools/Text.pm b/src/lib/Sympa/Tools/Text.pm
@@ -408,6 +408,16 @@ sub _url_query_string {
     }
 }
 
+#FIXME: rand() is not cryptographically secure, despite CSP requesting.
+sub nonce {
+    my $md5 = Digest::MD5->new;
+    $md5->add(time);
+    foreach (0..7) {
+        $md5->add(pack 'S', int rand(2 << 16 - 1));
+    }
+    return MIME::Base64::encode_base64url($md5->digest);
+}
+
 sub permalink_id {
     my $message_id = shift;
 

diff --git a/www/js/sympa.js b/www/js/sympa.js
@@ -5,7 +5,7 @@
 # Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 # 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
 # Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
-# Copyright 2017, 2018, 2023 The Sympa Community. See the
+# Copyright 2017, 2018, 2019, 2023 The Sympa Community. See the
 # AUTHORS.md file at the top-level directory of this distribution and at
 # <https://github.com/sympa-community/sympa.git>.
 #
@@ -72,11 +72,13 @@ $(function() {
 });
 
 /*
- * No longer used as of 6.2.17, however, can be included in older archives.
+ * No longer used, however, can be included in older archives.
  */
 function isNotEmpty(i) { return true; }
 function request_confirm(m) { return true; }
 function toggle_selection(myfield) { return false; }
+function checkbox_check_topic(f) { return true; }
+function check_reject_spam(f, w) { return true; }
 
 /* Toggle selection. */
 /* Fields included in .toggleContainer and specified by data-selector
@@ -102,23 +104,37 @@ $(function() {
     });
 });
 
-// check if rejecting quietly spams TODO
-function check_reject_spam(form,warningId) {
-	if(form.elements['iConfirm'].checked) return true;
-
-	if(form.elements['message_template'].options[form.elements['message_template'].selectedIndex].value ==  'reject_quiet') return true;
-
-	$('#' + warningId).show();
-	return false;
-}
+// check if rejecting quietly spams
+$(function() {
+    $('.checkRejectSpam').on('click', function() {
+        var form = $(this).parents('form');
+
+        if (form.elements['iConfirm'].checked)
+            return true;
+        if (form.elements['message_template']
+            .options[form.elements['message_template'].selectedIndex]
+            .value == 'reject_quiet')
+            return true;
+
+        $('#warningSpam').show();
+        return false;
+    });
+});
 
 // To check at least one checkbox checked
-function checkbox_check_topic(form, warningId) {
-	if($(form).find('input[name^="topic_"]:checked').length) return true;
-
-	$('#' + warningId).show();
-	return false;
-}
+$(function() {
+    $('.topicChecked').each(
+        function () {
+            var form = $(this).parents('form');
+            $(this).on('click', function() {
+                if (form.find('input[name^="topic_"]:checked').length)
+                    return true;
+                return false;
+            });
+            return true;
+        }
+    );
+});
 
 /* Add a button to reset all fields in log form. */
 $(function() {
@@ -342,6 +358,46 @@ $(function(){
     });
 });
 
+$(function() {
+    $('span.decoText').each(function(){
+        var elm = $(this);
+        try {
+            var chars = String(elm.data('text')).split(',').map(
+                function(val) {
+                    if (isNaN(val)) {
+                        throw new Error('Non-numeric data');
+                    }
+                    return val.toString(10);
+                }
+            );
+            elm.text(String.fromCharCode.apply(null, chars));
+            elm.attr('data-text', null);
+        } catch(e) {
+            return false;
+        }
+        return true;
+    });
+
+    $("a[href='mailto:decoText']").each(function(){
+        var elm = $(this);
+        try {
+            var chars = String(elm.data('text')).split(',').map(
+                function(val) {
+                    if (isNaN(val)) {
+                        throw new Error('Non-numeric data');
+                    }
+                    return val.toString(10);
+                }
+            );
+            elm.attr('href', 'mailto:' + String.fromCharCode.apply(null, chars));
+            elm.attr('data-text', null);
+        } catch(e) {
+            return false;
+        }
+        return true;
+    });
+});
+
 /* Align the scrollable calendar. */
 $(function() {
     $('.calendarLinksCurrentPage').each(function(){