[Pkg-owncloud-commits] [php-sabredav] 33/42: Fixed CSP policy and removed extra backslash.
David Prévot
taffit at moszumanska.debian.org
Wed Jul 23 16:41:27 UTC 2014
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository php-sabredav.
commit 048df88a73e74124b77dc6b506c385cbad29b017
Author: Evert Pot <me at evertpot.com>
Date: Wed Jul 2 12:10:49 2014 -0400
Fixed CSP policy and removed extra backslash.
Fixes #476.
---
ChangeLog.md | 4 +++-
lib/DAV/Browser/Plugin.php | 12 ++++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index a6f905e..5b869ec 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -5,7 +5,9 @@ ChangeLog
------------------
* #474: Fixed PropertyStorage `pathFilter()`.
-
+* #476: CSP policy incorrect, causing stylesheets to not load in the browser
+ plugin.
+* #476: Href properties in the browser plugin sometimes included a backslash.
2.0.2 (2014-06-12)
------------------
diff --git a/lib/DAV/Browser/Plugin.php b/lib/DAV/Browser/Plugin.php
index b705e6e..29b6f52 100644
--- a/lib/DAV/Browser/Plugin.php
+++ b/lib/DAV/Browser/Plugin.php
@@ -195,10 +195,10 @@ class Plugin extends DAV\ServerPlugin {
$vars = [
'path' => $this->escapeHTML($path),
- 'favicon' => $this->getAssetUrl('favicon.ico'),
- 'style' => $this->getAssetUrl('sabredav.css'),
- 'iconstyle' => $this->getAssetUrl('openiconic/open-iconic.css'),
- 'logo' => $this->getAssetUrl('sabredav.png'),
+ 'favicon' => $this->escapeHTML($this->getAssetUrl('favicon.ico')),
+ 'style' => $this->escapeHTML($this->getAssetUrl('sabredav.css')),
+ 'iconstyle' => $this->escapeHTML($this->getAssetUrl('openiconic/open-iconic.css')),
+ 'logo' => $this->escapeHTML($this->getAssetUrl('sabredav.png')),
'baseUrl' => $this->server->getBaseUri(),
];
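Review bot: `'baseUrl' => $this->server->getBaseUri()` is now the only URL in `$vars` that is not passed through `escapeHTML()`, while the four asset URLs beside it are. The template that consumes `$vars` is outside this hunk, so the output context of baseUrl is not visible. If it is interpolated into markup like the others, it should read `'baseUrl' => $this->escapeHTML($this->server->getBaseUri()),`. The base URI may be derived from the request when it is not configured explicitly, so escaping it on output is the safer default.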
@@ -320,7 +320,7 @@ HTML;
</body>
</html>";
- $this->server->httpResponse->setHeader('Content-Security-Policy', "img-src 'self'; style-src 'unsafe-inline';");
+ $this->server->httpResponse->setHeader('Content-Security-Policy', "img-src 'self'; style-src 'self';");
return $html;
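Review bot: The new header still has no `default-src`, so everything other than images and styles (scripts in particular) stays unrestricted on a page that renders file names and property values from the tree. Consider `"default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';"`, keeping `font-src` only if the icon stylesheet loads web fonts, which is not visible here. Moving from `'unsafe-inline'` to `'self'` also blocks any inline `<style>` element or `style=` attribute left in the generated HTML, so the template outside this hunk is worth checking for those.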
@@ -573,7 +573,7 @@ HTML;
if (stripos($href,'mailto:')===0 || stripos($href,'/')===0 || stripos($href,'http:')===0 || stripos($href,'https:') === 0) {
return "<a href=\"" . $this->escapeHTML($href) . '\">' . $this->escapeHTML($href) . '</a>';
} else {
- return "<a href=\"" . $this->escapeHTML($this->server->getBaseUri() . $href) . '\">' . $this->escapeHTML($this->server->getBaseUri() . $href) . '</a>';
+ return "<a href=\"" . $this->escapeHTML($this->server->getBaseUri() . $href) . '">' . $this->escapeHTML($this->server->getBaseUri() . $href) . '</a>';
}
}, $value->getHrefs()));
break;
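Review bot: The branch for absolute hrefs, on the line above the `else`, still closes its attribute with `'\">'`. In a single-quoted PHP string that emits a literal backslash before the quote, so `mailto:`, `/`, `http:` and `https:` links keep the defect this commit removes from the relative branch. Change it to `return "<a href=\"" . $this->escapeHTML($href) . '">' . $this->escapeHTML($href) . '</a>';`. The closure and the surrounding switch begin outside the hunk.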
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/php-sabredav.git