csp: clean up additional js bugs, add hole in security policy for rea…

…ct-jsonschema-form

app/assets/javascripts/ajax_events.js

@@ -35,10 +35,14 @@ export function renderFlash(event, request) {
         const messages = flashMessage.split(';');
         const contents = flashDiv.getElementsByClassName('flash-content')[0] || flashDiv;
         contents.innerHTML = '';
-        messages.forEach(message => {
-          contents.insertAdjacentHTML('beforeend', message);
-        });
-        flashDiv.style.display = '';
+        if (messages.length) {
+          messages.forEach(message => {
+            contents.insertAdjacentHTML('beforeend', message);
+          });
+          flashDiv.style.display = 'block';
+        } else {
+          flashDiv.style.display = 'none'
+        }
       }
     }
   });

app/controllers/automated_tests_controller.rb

@@ -7,6 +7,10 @@ class AutomatedTestsController < ApplicationController
     # required because jquery-ui-timepicker-addon inserts style
     # dynamically. TODO: remove this when possible
     p.style_src :self, "'unsafe-inline'"
+    # required because react-jsonschema-form uses ajv which calls
+    # eval (javascript) and creates an image as a blob.
+    # TODO: remove this when possible
+    p.script_src :self, "'strict-dynamic'", "'unsafe-eval'"
   end
 
   def update

app/views/exam_templates/_boot.js

@@ -1,8 +1,12 @@
 $(document).ready(function() {
   window.modal_create_new   = new ModalMarkus('#create_new_template');
+  $('.add-template-division').click((e) => {
+    add_template_division(e.target);
+    e.preventDefault();
+  })
 });
 
-function add_template_division() {
+function add_template_division(target) {
   var new_id = new Date().getTime();
   var nested_form_path = `exam_template[template_divisions_attributes][${new_id}]`;
   var input_id = 'exam_template_template_divisions_attributes' + new_id;
@@ -24,7 +28,7 @@ function add_template_division() {
       </td>
     </tr>
     `;
-  $('.table-with-add tbody').append(new_division_row);
+  $(target).parent('.table-with-add').find('tbody').append(new_division_row);
   $('.delete-exam-template-row').click((e) => {
     $(e.target).parents('tr').remove();
     e.preventDefault();

app/views/exam_templates/_create_new_template.html.erb

@@ -19,7 +19,7 @@
                    name: 'submit',
                    data: { disable_with: t('working') },
                    class: 'button' %>
-      <input type='reset' value='<%= t(:cancel) %>' onclick='modal_create_new.close();'/>
+      <input type='reset' value='<%= t(:cancel) %>'/>
     </section>
   <% end %>
 <% end %>

app/views/exam_templates/_template_division_pane.html.erb

@@ -1,14 +1,3 @@
-<%= content_for :head do %>
-  <%= javascript_tag nonce: true do %>
-    $(() => {
-      $('#add-template-division').click((e) => {
-        add_template_division();
-        e.preventDefault();
-      })
-    })
-  <% end %>
-<% end %>
-
 <div class="table-with-add">
   <% disabled = exam_template.exam_been_uploaded? %>
   <table>
@@ -29,7 +18,7 @@
     <td class="add_template" colspan="4">
       <%= link_to t('exam_templates.create.add_division'),
                   '#',
-                  id: 'add-template-division' %>
+                  class: 'add-template-division' %>
     </td>
   <% end %>
 </div>

app/views/groups/_rename_group_modal.html.erb

@@ -6,7 +6,7 @@
         <%= text_field_tag :new_groupname, '', maxlength: 30 %>
         <section class='dialog-actions'>
           <%= submit_tag t('groups.rename_group') %>
-          <input type='reset' value='<%= t(:cancel) %>' onclick='modal_rename.close();' />
+          <input type='reset' value='<%= t(:cancel) %>'/>
         </section>
     <% end %>
 <% end %>

app/views/results/edit.html.erb

@@ -118,8 +118,7 @@
           <%= hidden_field_tag 'grouping_id', @grouping.id %>
           <%= f.submit t(:save) %>
           <input type='reset'
-                 value='<%= t(:cancel) %>'
-                 onclick='modal_create_new_tag.close();'>
+                 value='<%= t(:cancel) %>'>
         </section>
     <% end %>
   </aside>

app/views/shared/_flash_message.html.erb

@@ -2,13 +2,13 @@
 <% [:notice, :error, :success, :warning].each do |key| %>
   <% if flash[key].nil? %>
     <div class="<%= key.to_s %> no-display">
-      <a class="hide-flash" onclick="$(this).parent().hide()">&nbsp;</a>
+      <a class="hide-flash">&nbsp;</a>
       <div class="flash-content"></div>
     </div>
   <% else %>
     <% flash[key] = [flash[key]] unless flash[key].respond_to?(:each) %>
     <div class="<%= key.to_s %>">
-      <a class="hide-flash" onclick="$(this).parent().hide()">&nbsp;</a>
+      <a class="hide-flash">&nbsp;</a>
       <div class="flash-content">
         <% flash[key].each do |content| %>
           <p><%= content.html_safe %></p>
@@ -17,3 +17,11 @@
     </div>
   <% end %>
 <% end %>
+<%= javascript_tag nonce: true do %>
+  $(() => {
+    $('.hide-flash').click((e) => {
+      $(e.target).parent().hide();
+      e.preventDefault();
+    })
+  })
+<% end %>

config/initializers/content_security_policy.rb

@@ -3,6 +3,7 @@
 #          MathJax: requires style-src 'unsafe-inline' and worker-src blob
 #          jquery-ui-timepicker-addon: requires style-src 'unsafe-inline'
 #          bullet: requires style-src 'unsafe-inline'
+#          react-jsonschema-form: required script-src 'unsafe-eval'
 #       - These are set as needed in controllers. Eventually we should update
 #         all code and dependencies so that these unsafe configs are not needed