fix: Add 'integrity' & 'crossorigin' attributes to <script> - security (
nfreear committed May 25, 2021
1 parent fcb25a7 commit efb84e5
Showing 6 changed files with 18 additions and 14 deletions.
3 changes: 2 additions & 1 deletion application/config/oup_constants.php
@@ -87,6 +87,8 @@
// Fix jQuery XSS vulnerability (IT notify) [Bug: #8]
define('OUP_JS_CDN_JQUERY_MIN',
'https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js' );
define('OUP_JS_CDN_JQUERY_INTEGRITY',
'sha384-nvAa0+6Qg9clwYCGGPpDQLVpLNn0fRaROjHqs13t4Ggj3Ez50XnGQqc/r8MhnRDZ' );
define('OUP_JS_CDN_JQUERY',
'https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.js' );

@@ -95,4 +97,3 @@
// Note, the Player implements a JS fallback for the jQuery CDN.

// End.
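Review bot: The new OUP_JS_CDN_JQUERY_INTEGRITY define is bound to the exact bytes served at the OUP_JS_CDN_JQUERY_MIN URL directly above it, but nothing records that coupling, and the unminified OUP_JS_CDN_JQUERY URL two lines below gets no hash, so any view still loading that one does so without SRI. Suggest a comment above the new define, `// SRI hash for OUP_JS_CDN_JQUERY_MIN only; regenerate it whenever that URL or the jQuery version changes.`, and a sibling integrity constant for the unminified URL if it is still referenced anywhere. Note also that SRI only detects a CDN serving different bytes; it does nothing about flaws inside the pinned jQuery 1.12.4 itself, so the XSS comment on the hunk's first line should not be read as closed by this change.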

5 changes: 3 additions & 2 deletions application/themes/ouplayer_base/views/oup-mep-head.php
@@ -15,7 +15,7 @@

<meta name="robots" content="noindex,nofollow" />
<meta name="generator" content="OU Player by IET" />
<link rel="license" title="©2012 The Open University" href="http://www.open.ac.uk/copyright" />
<link rel="license" title="© 2011-<?= date('Y')?> The Open University (IET)." href="http://www.open.ac.uk/copyright" />

<!--
CDN + fallback: jQuery / Ender
@@ -27,7 +27,8 @@
http://stackoverflow.com/questions/1014203/best-way-to-use-googles-hosted-jquery-but-fall-back-to-my- ..
*/
?>
<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"></script>
<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"
integrity="<?php echo OUP_JS_CDN_JQUERY_INTEGRITY ?>" crossorigin="anonymous"></script>
<script>
if(typeof jQuery=='undefined'){
document.write(unescape("%3Cscript src='<?php player_res_url($this->theme->plugin_path .'jquery.js') ?>' %3E%3C/script%3E"));
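Review bot: The `typeof jQuery=='undefined'` fallback below the new `<script>` now also runs when the browser rejects the CDN file for an integrity mismatch or for a missing CORS header (crossorigin="anonymous" requires one), so a tampered or changed CDN copy degrades silently to the bundled jquery.js instead of failing visibly. Falling back is reasonable here, but it should be stated and observable: suggest a comment on the `if` line, `// Also reached when the SRI/CORS check on the CDN script fails: the browser discards that script and we load the bundled copy.`, plus a `console.warn('jQuery CDN unavailable or failed integrity check; using local copy');` inside the branch so such failures show up in the field rather than vanishing. The fallback block continues past the end of the hunk.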
4 changes: 1 addition & 3 deletions application/views/ouplayer/oup_settings.php
@@ -36,7 +36,7 @@
$embed_code = <<<EOF
<!--$copy_text--><a class="embed" href="$meta->_short_url">$em_title</a>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js" crossorigin="anonymous"></script>
<script src="$jq_plugin_url"></script>
<script>
$(document).ready(function(){
@@ -136,5 +136,3 @@
<a class="short-url" rel="bookmark" href="<?php echo $meta->_short_url ?>" target="_blank" title="<?php echo t('New window: %s', t('perma-link')) ?>"><span><?php echo t('View on Podcasts site') ?></span></a>
<?php endif; ?>
</div>
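Review bot: The rewritten jQuery `<script>` line inside the `$embed_code` heredoc in the first hunk gets crossorigin="anonymous" but no integrity attribute, and crossorigin on its own verifies nothing (it only selects the CORS request mode), so the snippet that third-party pages will paste in — the one place where a substituted CDN file would reach sites outside this application — stays unpinned even though the commit defines OUP_JS_CDN_JQUERY_INTEGRITY for exactly this file. The URL is also hard-coded rather than taken from OUP_JS_CDN_JQUERY_MIN, so the two will drift apart on the next version change. Assuming the constants file is loaded for this view as it is for the layouts, set `$jq_cdn_url = OUP_JS_CDN_JQUERY_MIN; $jq_cdn_integrity = OUP_JS_CDN_JQUERY_INTEGRITY;` before the heredoc and make the line `<script src="$jq_cdn_url" integrity="$jq_cdn_integrity" crossorigin="anonymous"></script>`. The heredoc that starts in the hunk ends past its last visible line.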


5 changes: 3 additions & 2 deletions application/views/site_layout/layout_bare.php
@@ -17,7 +17,8 @@
<meta name="ROBOTS" content="noindex,nofollow" />

<link rel="stylesheet" href="<?php echo base_url() ?>assets/client/site-embed.css" />
<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"></script>
<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"
integrity="<?php echo OUP_JS_CDN_JQUERY_INTEGRITY ?>" crossorigin="anonymous"></script>

<?php if($google_analytics): ?>
<script>
@@ -54,4 +55,4 @@
});
</script>

</html>
</html>
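Review bot: This layout shows no local jQuery fallback after the now-pinned CDN `<script>` in the first hunk (unlike oup-mep-head.php), so an integrity mismatch, or a CDN response lacking the Access-Control-Allow-Origin header that crossorigin="anonymous" requires, now leaves the page with no jQuery at all instead of an unverified copy; the same holds for the jQuery hunks in layout_oueep_2019.php and layout_ouice_2.php as far as those hunks show. Failing closed is the right default for SRI, but the consequence should be explicit for the next maintainer: suggest an HTML comment above the tag, `<!-- SRI-pinned: a hash mismatch or CDN/CORS failure drops jQuery entirely; this layout has no local fallback -->`. Whether the later inline scripts in this file depend on jQuery is not visible from the hunks.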
12 changes: 7 additions & 5 deletions application/views/site_layout/layout_oueep_2019.php
@@ -99,7 +99,8 @@
<!-- End Google Tag Manager Generic Data Layer -->


<script src="<?= $resource_url ?>/ouheaders/js/headerfooter.min.js?1.1.1.69"></script>
<script src="<?= $resource_url ?>/ouheaders/js/headerfooter.min.js?1.1.1.69"
integrity="sha384-UR7J1ENs7E5+aTmwFaH4NtZDUEe5wLPs5DURUl0vP4xoO00z8ovUsarKDLtorbVQ" crossorigin="anonymous"></script>

<!-- Stylesheets -->
<link rel="stylesheet" href="<?= $resource_url ?>/ouheaders/gui/headerfooter.css?1.1.1.69" media="screen, projection" />
@@ -118,7 +119,8 @@
** -->
<link rel="stylesheet" href="<?php echo $local_res_url ?>ou-embed.css" title="OU Embed styles" />

<script src="<?= OUP_JS_CDN_JQUERY_MIN ?>"></script>
<script src="<?= OUP_JS_CDN_JQUERY_MIN ?>"
integrity="<?= OUP_JS_CDN_JQUERY_INTEGRITY ?>" crossorigin="anonymous"></script>

<?php if($google_analytics): ?>
<!-- Google Analytics -->
@@ -265,7 +267,7 @@
<?= $message ?>
</div>
<?php endif; ?>


<h1><?= $page_title ?></h1>

@@ -338,7 +340,8 @@
<?php /*
<script src="<?= $resource_url ?>/oudigital/v4/eep/js/vendor/jquery-1.10.2.min.js"></script>
*/ ?>
<script src="<?= $resource_url ?>/oudigital/v4/eep/js/ou.menu.nav.js?"></script>
<script src="<?= $resource_url ?>/oudigital/v4/eep/js/ou.menu.nav.js?"
integrity="sha384-5s3TXPFIwMGLRfawO3atWlK2mPsL3vwETDUSdqZnMoCypIhjU8L7v8t3g9f7FVqg" crossorigin="anonymous"></script>

<?php /*
@@ -376,4 +379,3 @@

</body>
</html>
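Review bot: The two literal sha384 values added for headerfooter.min.js and ou.menu.nav.js pin assets that are fetched from whatever `$resource_url` resolves to and that carry their own version query string (`?1.1.1.69`), so any rebuild of those files by the team that owns them, or a `$resource_url` pointing at a differently built copy in another environment, silently breaks the site header and navigation until someone re-hashes them here. Keeping the hashes inline in the template also scatters them away from the one place the commit otherwise centralises such values. Suggest moving both to defines next to OUP_JS_CDN_JQUERY_INTEGRITY in oup_constants.php, each preceded by a comment naming the exact asset URL and version it was computed for, along the lines of `// SRI for ouheaders/js/headerfooter.min.js?1.1.1.69 — regenerate on any headerfooter update`. The enclosing markup of both hunks continues outside them.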

3 changes: 2 additions & 1 deletion application/views/site_layout/layout_ouice_2.php
@@ -96,7 +96,8 @@
<style media="screen">@import "/study/stylesheets/student-services-phone.css";</style>
*/ ?>

<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"></script>
<script src="<?php echo OUP_JS_CDN_JQUERY_MIN ?>"
integrity="<?php echo OUP_JS_CDN_JQUERY_INTEGRITY ?>" crossorigin="anonymous"></script>


<?php if($google_analytics): ?>
