cmason3 · cmason3 · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## CHANGELOG
 
+### [25.2.2] - Jan 7, 2025
+- Don't send sensitive metadata in fetched DataTemplates as it isn't needed
+- Fixed an issue where we broke CSP due to our use of `javascript:void(0)` to stop hashes appearing within the URL
+
 ### [25.2.1] - Jan 6, 2025
 - Fixed a regression when adding support for "Delete Link"
 
@@ -377,6 +381,7 @@
 - Initial release
 
 
+[25.2.2]: https://github.com/cmason3/jinjafx_server/compare/25.2.1...25.2.2
 [25.2.1]: https://github.com/cmason3/jinjafx_server/compare/25.2.0...25.2.1
 [25.2.0]: https://github.com/cmason3/jinjafx_server/compare/25.1.1...25.2.0
 [25.1.1]: https://github.com/cmason3/jinjafx_server/compare/25.1.0...25.1.1

diff --git a/jinjafx_server.py b/jinjafx_server.py
@@ -26,7 +26,7 @@
 import re, argparse, hashlib, traceback, glob, hmac, uuid, struct, binascii, gzip, requests, ctypes, subprocess
 import cmarkgfm, emoji
 
-__version__ = '25.2.1'
+__version__ = '25.2.2'
 
 llock = threading.RLock()
 rlock = threading.RLock()
@@ -258,13 +258,18 @@ def do_GET(self, head=False, cache=True, versioned=False):
           dt = ''
           self.critical = True
 
+          def sanitise_dt(dt):
+            fields = ('dt_password:', 'dt_mpassword:', 'remote_addr:')
+            dt = '\n'.join([ln for ln in dt.splitlines() if not ln.startswith(fields)])
+            return dt.encode('utf-8')
+
           if aws_s3_url or github_url or repository:
             if not self.ratelimit(remote_addr, 2, False):
               if aws_s3_url:
                 rr = aws_s3_get(aws_s3_url, 'jfx_' + fpath[8:] + '.yml')
 
                 if rr.status_code == 200:
-                  r = [ 'application/json', 200, json.dumps({ 'dt': self.e(rr.text.encode('utf-8')).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
+                  r = [ 'application/json', 200, json.dumps({ 'dt': self.e(sanitise_dt(rr.text)).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
 
                   dt = rr.text
 
@@ -284,7 +289,7 @@ def do_GET(self, head=False, cache=True, versioned=False):
                   if jobj.get('encoding') and jobj.get('encoding') == 'base64':
                     content = base64.b64decode(content).decode('utf-8')
 
-                  r = [ 'application/json', 200, json.dumps({ 'dt': self.e(content.encode('utf-8')).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
+                  r = [ 'application/json', 200, json.dumps({ 'dt': self.e(sanitise_dt(content)).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
 
                   dt = content
 
@@ -299,10 +304,9 @@ def do_GET(self, head=False, cache=True, versioned=False):
 
                 if os.path.isfile(fpath):
                   with open(fpath, 'rb') as f:
-                    rr = f.read()
-                    dt = rr.decode('utf-8')
+                    dt = f.read().decode('utf-8')
 
-                    r = [ 'application/json', 200, json.dumps({ 'dt': self.e(rr).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
+                    r = [ 'application/json', 200, json.dumps({ 'dt': self.e(sanitise_dt(dt)).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
 
                 else:
                   r = [ 'text/plain', 404, '404 Not Found\r\n'.encode('utf-8'), sys._getframe().f_lineno ]
@@ -312,7 +316,7 @@ def do_GET(self, head=False, cache=True, versioned=False):
                   if 'X-Dt-Password' in self.headers:
                     try:
                       dt = jinjafx.Vaulty().decrypt(dt, self.headers['X-Dt-Password'])
-                      r = [ 'application/json', 200, json.dumps({ 'dt': self.e(dt.encode('utf-8')).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
+                      r = [ 'application/json', 200, json.dumps({ 'dt': self.e(sanitise_dt(dt)).decode('utf-8') }).encode('utf-8'), sys._getframe().f_lineno ]
 
                     except Exception:
                       cheaders['X-Dt-Authentication'] = 'Open'
@@ -752,6 +756,9 @@ def authenticate_dt(rdt, r):
                       if dt_encrypted:
                         dt_yml += 'encrypted: 1\n'
 
+                      if dt_protected:
+                        dt_yml += 'protected: 1\n'
+
                       def update_dt(rdt, dt_yml, r):
                         mm, mo, r = authenticate_dt(rdt, r)
 

diff --git a/www/index.html b/www/index.html
@@ -32,7 +32,7 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/js-yaml/4.1.0/js-yaml.min.js" integrity="sha512-CSBhVREyzHAjAFfBlIBakjoRUKp5h7VSweP0InR/pAJyptH7peuhCsqAI/snV+TwZmXZqoUklpXp6R6wMnYf5Q==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/dayjs/1.11.13/dayjs.min.js" integrity="sha512-FwNWaxyfy2XlEINoSnZh1JQ5TRRtGow0D6XcmAWmYCRgvqOUTnzCxPc9uF35u5ZEpirk1uhlPVA19tflhvnW1g==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
     <script src="https://cdnjs.cloudflare.com/ajax/libs/dayjs/1.11.13/plugin/relativeTime.min.js" integrity="sha512-MVzDPmm7QZ8PhEiqJXKz/zw2HJuv61waxb8XXuZMMs9b+an3LoqOqhOEt5Nq3LY1e4Ipbbd/e+AWgERdHlVgaA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-    <script src="/9d2cdb4b/jinjafx_m.js"></script>
+    <script src="/3bcdde1f/jinjafx_m.js"></script>
   </head>
   <body>
     <div id="overlay"></div>
@@ -100,25 +100,25 @@ <h5 id="title">
                 </svg>
               </button>
               <div id="menu_items" class="dropdown-menu">
-                <a id="get2" class="dropdown-item text-decoration-none" href="javascript:void(0)">
+                <button id="get2" class="dropdown-item text-decoration-none">
                   <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                     <path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71" />
                     <path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71" />
                   </svg>&nbsp;Get New Link
-                </a>
-                <a id="protect" class="dropdown-item text-decoration-none" href="javascript:void(0)">
+                </button>
+                <button id="protect" class="dropdown-item text-decoration-none">
                   <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                     <path d="M21 2l-2 2m-7.61 7.61a5.5 5.5 0 1 1-7.778 7.778 5.5 5.5 0 0 1 7.777-7.777zm0 0L15.5 7.5m0 0l3 3L22 7l-3-3m-3.5 3.5L19 4" />
                   </svg>&nbsp;<span id="protect_text">Protect Link</span>
-                </a>
-                <a id="delete" class="dropdown-item text-decoration-none" href="javascript:void(0)">
+                </button>
+                <button id="delete" class="dropdown-item text-decoration-none">
                   <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
                     <polyline points="3 6 5 6 21 6"></polyline>
                     <path d="M19 6v14a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2V6m3 0V4a2 2 0 0 1 2-2h4a2 2 0 0 1 2 2v2"></path>
                     <line x1="10" y1="11" x2="10" y2="17"></line>
                     <line x1="14" y1="11" x2="14" y2="17"></line>
                   </svg>&nbsp;<span id="delete_text">Delete Link</span>
-                </a>
+                </button>
               </div>
             </div>
           </div>

diff --git a/www/jinjafx_m.js b/www/jinjafx_m.js
@@ -197,13 +197,12 @@ function getStatusText(code) {
     document.getElementById('datasets').innerHTML = '';
 
     Object.keys(datasets).sort(default_on_top).forEach(function(ds) {
-      var a = document.createElement('a');
-      a.classList.add('dropdown-item', 'text-decoration-none');
-      a.addEventListener('click', select_dataset, false);
-      a.href = 'javascript:void(0)';
-      a.ds_name = ds;
-      a.innerHTML = ds;
-      document.getElementById('datasets').appendChild(a);
+      var e = document.createElement('button');
+      e.classList.add('dropdown-item', 'text-decoration-none');
+      e.addEventListener('click', select_dataset, false);
+      e.ds_name = ds;
+      e.innerHTML = ds;
+      document.getElementById('datasets').appendChild(e);
     });
 
     if (Object.keys(datasets).length > 1) {
@@ -250,13 +249,12 @@ function getStatusText(code) {
     document.getElementById('templates').innerHTML = '';
 
     Object.keys(templates).sort(default_on_top).forEach(function(t) {
-      var a = document.createElement('a');
-      a.classList.add('dropdown-item', 'text-decoration-none');
-      a.addEventListener('click', select_template, false);
-      a.href = 'javascript:void(0)';
-      a.t_name = t;
-      a.innerHTML = t;
-      document.getElementById('templates').appendChild(a);
+      var e = document.createElement('button');
+      e.classList.add('dropdown-item', 'text-decoration-none');
+      e.addEventListener('click', select_template, false);
+      e.t_name = t;
+      e.innerHTML = t;
+      document.getElementById('templates').appendChild(e);
     });
 
     if (Object.keys(templates).length > 1) {
@@ -909,7 +907,7 @@ function getStatusText(code) {
               document.getElementById('get').classList.add('d-none');
               document.getElementById('mdd').disabled = false;
 
-              if (dt.hasOwnProperty('dt_password') || dt.hasOwnProperty('dt_mpassword')) {
+              if (dt.hasOwnProperty('protected') && (dt['protected'] === 1)) {
                 document.getElementById('protect_text').innerHTML = 'Update Protection';
                 dt_protected = true;
               }