echo "<fieldset><legend>" . lang('Action') . "</legend><div>";
echo "<input type='submit' value='" . lang('Select') . "'>";
echo " <span id='noindex' title='" . lang('Full table scan') . "'></span>";
- echo "<script>\n";
+ echo "<script" . nonce() . ">\n";
echo "var indexColumns = ";
$columns = array();
foreach ($indexes as $index) {
if (support("sql")) {
echo script_src("../externals/jush/modules/jush-$jush.js");
?>
-<script>
+<script<?php echo nonce(); ?>>
<?php
if ($tables) {
$links = array();
<?php } ?>
<body class="<?php echo lang('ltr'); ?> nojs">
-<script>
+<script<?php echo nonce(); ?>>
mixin(document.body, {onkeydown: bodyKeydown, onclick: bodyClick<?php echo (isset($_COOKIE["adminer_version"]) ? "" : ", onload: partial(verifyVersion, '$VERSION')"); ?>});
document.body.className = document.body.className.replace(/ nojs/, ' js');
var offlineMessage = '<?php echo js_escape(lang('You are offline.')); ?>';
function csp() {
return array(
"default-src" => "'none'",
- "script-src" => "'self' 'unsafe-inline'",
+ "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
"style-src" => "'self' 'unsafe-inline'",
"connect-src" => "'self'",
"img-src" => "'self' data:",
);
}
+/** Get a CSP nonce
+* @return string Base64 value
+*/
+function get_nonce() {
+ static $nonce;
+ if (!$nonce) {
+ $nonce = base64_encode(rand_string());
+ }
+ return $nonce;
+}
+
/** Print flash and error messages
* @param string
* @return null
* @return string
*/
function script($source, $trailing = "\n") {
- return "<script>$source</script>$trailing";
+ return "<script" . nonce() . ">$source</script>$trailing";
}
/** Return <script src> element
* @return string
*/
function script_src($url) {
- return "<script src='" . h($url) . "'></script>\n";
+ return "<script src='" . h($url) . "'" . nonce() . "></script>\n";
+}
+
+/** Get a nonce="" attribute with CSP nonce
+* @return string
+*/
+function nonce() {
+ return ' nonce="' . get_nonce() . '"';
}
/** Escape for HTML
if (support("kill") && is_object($connection2 = connect()) && ($db == "" || $connection2->select_db($db))) {
$kill = $connection2->result(connection_id()); // MySQL and MySQLi can use thread_id but it's not in PDO_MySQL
?>
-<script>
+<script<?php echo nonce(); ?>>
var timeout = setTimeout(function () {
ajax('<?php echo js_escape(ME); ?>script=kill', function () {
}, 'token=<?php echo $token; ?>&kill=<?php echo $kill; ?>');
<?php
-$VERSION = "4.3.2-dev";
+$VERSION = "4.4.0-dev";
?>
<div id="schema" style="height: <?php echo $top; ?>em;">
-<script>
+<script<?php echo nonce(); ?>>
qs('#schema').onselectstart = function () { return false; };
var tablePos = {<?php echo implode(",", $table_pos_js) . "\n"; ?>};
var em = qs('#schema').offsetHeight / <?php echo $top; ?>;
-Adminer 4.3.2-dev:
+Adminer 4.4.0-dev:
Add Content Security Policy
+Disallow scripts without nonce
Add nosniff header
PHP 7.1: Prevent warning when using empty limit
MySQL: Remove dedicated view for replication status (added in 4.3.0)
function loginForm() {
?>
-<script>
+<script<?php echo nonce(); ?>>
addEventListener('load', function () {
var driver = qs('name="auth[driver]"');
if (isTag(driver, 'select')) {
}
?>
</ul>
-<script>
+<script<?php echo nonce(); ?>>
var tablesFilterTimeout = null;
var tablesFilterValue = '';
}
echo script_src($this->path);
?>
-<script>
+<script<?php echo nonce(); ?>>
tinyMCE.init({
mode: 'none',
theme: 'advanced',
projects / adminer.git / commitdiff