From 080436aebb4c4681f85cc8bf5d8563832ff8dbdd Mon Sep 17 00:00:00 2001 From: Literallie Date: Wed, 18 Oct 2017 17:48:53 +0200 Subject: CSP: Add nonce to slide view inline JS --- public/views/slide.ejs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'public') diff --git a/public/views/slide.ejs b/public/views/slide.ejs index 7ff5016e..c7dd9898 100644 --- a/public/views/slide.ejs +++ b/public/views/slide.ejs @@ -41,7 +41,7 @@ - + <% if(useCDN) { %> diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs index 80d2505c..b2988e39 100644 --- a/public/views/pretty.ejs +++ b/public/views/pretty.ejs @@ -72,9 +72,7 @@ - + <% if(useCDN) { %> diff --git a/public/views/slide.ejs b/public/views/slide.ejs index c7dd9898..269ce044 100644 --- a/public/views/slide.ejs +++ b/public/views/slide.ejs @@ -89,9 +89,7 @@ - + <% if(useCDN) { %> -- cgit v1.2.3 From 5b83deb043296c23ff912a2472703c1f7faddb4b Mon Sep 17 00:00:00 2001 From: Literallie Date: Thu, 19 Oct 2017 22:48:13 +0200 Subject: Load js-url lib using legacy-loader Doesn't use eval, plus no window object access --- public/js/history.js | 6 ++++-- public/js/index.js | 7 +++++-- 2 files changed, 9 insertions(+), 4 deletions(-) (limited to 'public') diff --git a/public/js/history.js b/public/js/history.js index e14b80d8..da82fd04 100644 --- a/public/js/history.js +++ b/public/js/history.js @@ -12,14 +12,16 @@ import { urlpath } from './lib/config' +var jsUrl = require('js-url') + window.migrateHistoryFromTempCallback = null migrateHistoryFromTemp() function migrateHistoryFromTemp () { - if (window.url('#tempid')) { + if (jsUrl('#tempid')) { $.get(`${serverurl}/temp`, { - tempid: window.url('#tempid') + tempid: jsUrl('#tempid') }) .done(data => { if (data && data.temp) { diff --git a/public/js/index.js b/public/js/index.js index b336af90..25bd1c36 100644 --- a/public/js/index.js +++ b/public/js/index.js 
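Review bot: In the history.js hunk, `jsUrl('#tempid')` is evaluated twice, once in the `if` and again as the request parameter, so the value that was checked and the value that is sent are not tied together. Reading it once with `var tempid = jsUrl('#tempid')` and passing `{ tempid: tempid }` to `$.get` would be clearer. The value comes from the URL fragment, so whoever supplied the link chooses it: the `/temp` handler has to treat it as untrusted input. How `data.temp` is consumed cannot be judged here, because the body of `migrateHistoryFromTemp` continues outside the hunk. The same double read comes back as `window.url('#tempid')` in the later revert of this commit.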
@@ -3,6 +3,7 @@ modeType, Idle, serverurl, key, gapi, Dropbox, FilePicker ot, MediaUploader, hex2rgb, num_loaded, Visibility */ + require('../vendor/showup/showup') require('../css/index.css') @@ -21,6 +22,8 @@ import _ from 'lodash' import List from 'list.js' +var jsUrl = require('js-url') + import { checkLoginStateChanged, setloginStateChangeEvent @@ -1474,12 +1477,12 @@ $('#gistImportModalConfirm').click(function () { if (!isValidURL(gisturl)) { showMessageModal(' Import from Gist', 'Not a valid URL :(', '', '', false) } else { - var hostname = window.url('hostname', gisturl) + var hostname = jsUrl('hostname', gisturl) if (hostname !== 'gist.github.com') { showMessageModal(' Import from Gist', 'Not a valid Gist URL :(', '', '', false) } else { ui.spinner.show() - $.get('https://api.github.com/gists/' + window.url('-1', gisturl)) + $.get('https://api.github.com/gists/' + jsUrl('-1', gisturl)) .done(function (data) { if (data.files) { var contents = '' -- cgit v1.2.3 From 04f5e3a3414abbb76841df8375598fb690323f11 Mon Sep 17 00:00:00 2001 From: Literallie Date: Sun, 22 Oct 2017 01:22:48 +0200 Subject: Move CSP logic to new file, Fix boolean config examples Not sure why I was quoting these in the first place --- public/js/index.js | 1 - 1 file changed, 1 deletion(-) (limited to 'public') diff --git a/public/js/index.js b/public/js/index.js index 25bd1c36..56522e9c 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -3,7 +3,6 @@ modeType, Idle, serverurl, key, gapi, Dropbox, FilePicker ot, MediaUploader, hex2rgb, num_loaded, Visibility */ - require('../vendor/showup/showup') require('../css/index.css') -- cgit v1.2.3 From 567f26f5b9a5ffa0c28fba789ad502c54c4035a7 Mon Sep 17 00:00:00 2001 From: Literallie Date: Sun, 22 Oct 2017 02:48:24 +0200 Subject: Fix MathJax config not being picked up thanks standard --- public/js/mathjax-config-extra.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'public') 
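Review bot: In the `#gistImportModalConfirm` hunk, the last path segment of the user-supplied `gisturl` is concatenated directly into the request with `'https://api.github.com/gists/' + jsUrl('-1', gisturl)`, and the only visible check before it is the hostname comparison. The segment should be validated against the expected id shape before the URL is built, for example `var gistId = jsUrl('-1', gisturl)` followed by `if (!/^[0-9a-f]+$/i.test(gistId))` showing the existing 'Not a valid Gist URL :(' modal. That pattern assumes gist ids are hexadecimal, which should be confirmed. Whether `isValidURL` already restricts the scheme to https cannot be seen from this hunk, and the click handler starts and ends outside it. The revert later in this series keeps the same concatenation with `window.url('-1', gisturl)`.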
diff --git a/public/js/mathjax-config-extra.js b/public/js/mathjax-config-extra.js index 54cee794..11ba59c6 100644 --- a/public/js/mathjax-config-extra.js +++ b/public/js/mathjax-config-extra.js @@ -1,4 +1,4 @@ -var MathJax = { +window.MathJax = { messageStyle: 'none', skipStartupTypeset: true, tex2jax: { -- cgit v1.2.3 From 3a752fde5117e800d65e26cbe7b15d65eb5b491e Mon Sep 17 00:00:00 2001 From: Literallie Date: Thu, 2 Nov 2017 17:57:44 +0100 Subject: Revert "Load js-url lib using legacy-loader" Didn't work in Firefox for some reason. `[Script Loader] ReferenceError: module is not defined` This reverts commit 5b83deb043296c23ff912a2472703c1f7faddb4b. --- public/js/history.js | 6 ++---- public/js/index.js | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) (limited to 'public') diff --git a/public/js/history.js b/public/js/history.js index da82fd04..e14b80d8 100644 --- a/public/js/history.js +++ b/public/js/history.js @@ -12,16 +12,14 @@ import { urlpath } from './lib/config' -var jsUrl = require('js-url') - window.migrateHistoryFromTempCallback = null migrateHistoryFromTemp() function migrateHistoryFromTemp () { - if (jsUrl('#tempid')) { + if (window.url('#tempid')) { $.get(`${serverurl}/temp`, { - tempid: jsUrl('#tempid') + tempid: window.url('#tempid') }) .done(data => { if (data && data.temp) { diff --git a/public/js/index.js b/public/js/index.js index 56522e9c..b336af90 100644 --- a/public/js/index.js +++ b/public/js/index.js @@ -21,8 +21,6 @@ import _ from 'lodash' import List from 'list.js' -var jsUrl = require('js-url') - import { checkLoginStateChanged, setloginStateChangeEvent 
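Review bot: The change to `window.MathJax = {` in mathjax-config-extra.js carries no comment saying why the explicit global is required, so a later cleanup could turn it back into a local declaration and silently drop the configuration again. A line such as `// Must be set on window: MathJax reads its configuration from the global object when it loads` above the assignment would record the reason. The commit message suggests the earlier `var` form was not visible to MathJax, presumably because the file is bundled as a module rather than run as a plain script. The object literal continues outside the hunk.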
@@ -1476,12 +1474,12 @@ $('#gistImportModalConfirm').click(function () { if (!isValidURL(gisturl)) { showMessageModal(' Import from Gist', 'Not a valid URL :(', '', '', false) } else { - var hostname = jsUrl('hostname', gisturl) + var hostname = window.url('hostname', gisturl) if (hostname !== 'gist.github.com') { showMessageModal(' Import from Gist', 'Not a valid Gist URL :(', '', '', false) } else { ui.spinner.show() - $.get('https://api.github.com/gists/' + jsUrl('-1', gisturl)) + $.get('https://api.github.com/gists/' + window.url('-1', gisturl)) .done(function (data) { if (data.files) { var contents = '' -- cgit v1.2.3