Added CSP via nonce and removed jQuery dependency in the web installer

Author: elcreator

install/.htaccess

@@ -0,0 +1,3 @@
+<IfModule mod_headers.c>
+    Header always unset Content-Security-Policy
+</IfModule>

install/cli-install.php

@@ -332,7 +332,7 @@ public function checkConnectToDatabaseWithBase()
             try {
                 $this->dbh->query('CREATE DATABASE "' . $this->database . '" ENCODING \'' . $this->database_charset . '\';');
                 if ($this->dbh->errorCode() > 0) {
-                    echo '<span id="database_fail" style="color:#FF0000;">' . print_r($this->dbh->errorInfo(), true) . '</span>';
+                    echo '<span id="database_fail">' . print_r($this->dbh->errorInfo(), true) . '</span>';
                 }
                 $error = -1;
             } catch (Exception $exception) {

install/index.php

@@ -28,6 +28,11 @@
 require_once 'src/lang.php';
 require_once 'src/functions.php';
 
+$nonce = csrfNonce();
+header("content-security-policy: default-src 'self' 'nonce-$nonce';"
+    . " script-src 'self' 'nonce-$nonce'; style-src 'self' 'nonce-$nonce';"
+    . " frame-ancestors 'none';");
+
 if (empty($_GET['s'])) {
     require_once '../' . MGR_DIR . '/includes/version.inc.php';
 

install/src/controllers/connection.php

@@ -68,9 +68,9 @@
 $ph['tableprefix'] = isset($_POST['tableprefix']) ? strip_tags($_POST['tableprefix']) : $table_prefix;
 $ph['selected_set_character_set'] = isset($database_connection_method) && $database_connection_method === 'SET CHARACTER SET' ? 'selected' : '';
 $ph['selected_set_names'] = isset($database_connection_method) && $database_connection_method === 'SET NAMES' ? 'selected' : '';
-$ph['show#connection_method'] = (($installMode == 0) || ($installMode == 2)) ? 'block' : 'none';
+$ph['show#connection_method'] = (($installMode == 0) || ($installMode == 2)) ? '' : 'hidden';
 $ph['database_collation'] = isset($_POST['database_collation']) ? $_POST['database_collation'] : $database_collation;
-$ph['show#AUH'] = ($installMode == 0) ? 'block' : 'none';
+$ph['show#AUH'] = ($installMode == 0) ? '' : 'hidden';
 $ph['cmsadmin'] = isset($_POST['cmsadmin']) ? strip_tags($_POST['cmsadmin']) : 'admin';
 $ph['cmsadminemail'] = isset($_POST['cmsadminemail']) ? strip_tags($_POST['cmsadminemail']) : '';
 $ph['cmspassword'] = isset($_POST['cmspassword']) ? strip_tags($_POST['cmspassword']) : '';

install/src/controllers/connection/collation.php

@@ -55,7 +55,7 @@
     echo $output;
     exit();
 } catch (Exception $e) {
-    echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+    echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
     exit();
 }
 echo $output;

install/src/controllers/connection/databasetest.php

@@ -25,17 +25,17 @@
             if ($result->errorCode() == 0) {
                 $data = $result->fetch();
                 if ($data['setting'] != $database_charset) {
-                    echo $output . '<span id="database_fail" style="color:#FF0000;">' . sprintf($_lang['status_failed_database_collation_does_not_match'], $data['setting']) . '</span>';
+                    echo $output . '<span id="database_fail">' . sprintf($_lang['status_failed_database_collation_does_not_match'], $data['setting']) . '</span>';
                     exit();
                 }
                 $result = $dbh->query("SELECT COUNT(*) FROM {$tableprefix}site_content");
 
                 if ($dbh->errorCode() == 0) {
-                    echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_table_prefix_already_in_use'] . '</span>';
+                    echo $output . '<span id="database_fail">' . $_lang['status_failed_table_prefix_already_in_use'] . '</span>';
                     exit();
                 }
             } else {
-                echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . print_r($result->errorInfo(), true) . '</span>';
+                echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . print_r($result->errorInfo(), true) . '</span>';
                 exit();
             }
             break;
@@ -44,14 +44,14 @@
             if ($result->errorCode() == 0) {
                 $data = $result->fetch();
                 if ($data['Value'] != $database_collation) {
-                    echo $output . '<span id="database_fail" style="color:#FF0000;">' . sprintf($_lang['status_failed_database_collation_does_not_match'], $data['1']) . '</span>';
+                    echo $output . '<span id="database_fail">' . sprintf($_lang['status_failed_database_collation_does_not_match'], $data['1']) . '</span>';
                     exit();
                 }
 
                 $result = $dbh->query("SELECT COUNT(*) FROM {$tableprefix}site_content");
 
                 if ($dbh->errorCode() == 0) {
-                    echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_table_prefix_already_in_use'] . '</span>';
+                    echo $output . '<span id="database_fail">' . $_lang['status_failed_table_prefix_already_in_use'] . '</span>';
                     exit();
                 }
                 $result = $dbh->query("SELECT SCHEMA_NAME
@@ -60,20 +60,20 @@
                 if ($dbh->errorCode() == 0) {
                     $data = $result->fetch();
                     if (isset($data['SCHEMA_NAME']) && $data['SCHEMA_NAME'] == $pwd) {
-                        echo $output . '<span id="database_pass" style="color:#80c000;"> ' . $_lang['status_passed'] . '</span>';
+                        echo $output . '<span id="database_pass"> ' . $_lang['status_passed'] . '</span>';
                         exit();
                     }
                 }
             } else {
-                echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . print_r($result->errorInfo(), true) . '</span>';
+                echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . print_r($result->errorInfo(), true) . '</span>';
                 exit();
             }
             break;
     }
 
 } catch (PDOException $e) {
     if (!stristr($e->getMessage(), 'database "' . $pwd . '" does not exist') && !stristr($e->getMessage(), 'Unknown database \'' . $database_name . '\'') && !stristr($e->getMessage(), 'Base table or view not found')) {
-        echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+        echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
         exit();
     }
 }
@@ -86,7 +86,7 @@
                 $dbh->query('CREATE DATABASE "' . $database_name . '" ENCODING \'' . $database_charset . '\';');
                 if ($dbh->errorCode() > 0) {
                     if (stristr($dbh->errorInfo()[2], 'already exists') === false) {
-                        $output .= '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_could_not_create_database'] . ' ' . print_r($dbh->errorInfo(), true) . '</span>';
+                        $output .= '<span id="database_fail">' . $_lang['status_failed_could_not_create_database'] . ' ' . print_r($dbh->errorInfo(), true) . '</span>';
                     }
                 }
             } catch (Exception $exception) {
@@ -97,21 +97,21 @@
         case 'mysql':
             $query = 'CREATE DATABASE IF NOT EXISTS `' . $database_name . '` CHARACTER SET ' . $database_charset . ' COLLATE ' . $database_collation . ";";
             if (!$dbh->query($query)) {
-                $output .= '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed_could_not_create_database'] . '</span>';
+                $output .= '<span id="database_fail">' . $_lang['status_failed_could_not_create_database'] . '</span>';
                 echo $output;
                 exit();
             } else {
-                $output .= '<span id="database_pass" style="color:#80c000;">' . $_lang['status_passed_database_created'] . '</span>';
+                $output .= '<span id="database_pass">' . $_lang['status_passed_database_created'] . '</span>';
                 echo $output;
                 exit();
             }
             break;
     }
 
-    echo $output . '<span id="database_pass" style="color:#80c000;"> ' . $_lang['status_passed'] . '</span>';
+    echo $output . '<span id="database_pass"> ' . $_lang['status_passed'] . '</span>';
     exit();
 } catch (PDOException $e) {
-    echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+    echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
 }
 
 echo $output;

install/src/controllers/connection/servertest.php

@@ -7,8 +7,8 @@
 $output = $_lang['status_connecting'];
 try {
     $dbh = new PDO($method . ':host=' . $host . ';', $uid, $pwd);
-    $output .= '<span id="server_pass" style="color:#80c000;"> ' . $_lang['status_passed_server'] . '</span>';
+    $output .= '<span id="server_pass"> ' . $_lang['status_passed_server'] . '</span>';
 } catch (PDOException $e) {
-    $output .= '<span id="server_fail" style="color:#FF0000;"> ' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+    $output .= '<span id="server_fail"> ' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
 }
 echo $output;

install/src/controllers/install.php

@@ -764,7 +764,7 @@
 
 } catch (PDOException $e) {
     if (!stristr($e->getMessage(), 'database "' . $_POST['database_name'] . '" does not exist') && !stristr($e->getMessage(), 'Unknown database \'' . $_POST['database_name'] . '\'')) {
-        echo $output . '<span id="database_fail" style="color:#FF0000;">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
+        echo $output . '<span id="database_fail">' . $_lang['status_failed'] . ' ' . $e->getMessage() . '</span>';
         exit();
     }
 }

install/src/controllers/language.php

@@ -1,5 +1,5 @@
 <?php
 $content = file_get_contents(dirname(__DIR__) . '/template/actions/language.tpl');
-$content = parse($content, ['langOptions' => getLangOptions($install_language)]);
+$content = parse($content, array_merge(ph(), ['langOptions' => getLangOptions($install_language)]));
 $content = parse($content, $_lang,'[%','%]');
 echo $content;

install/src/controllers/mode.php

@@ -17,15 +17,16 @@
 }
 
 $ph['moduleName'] = $moduleName;
-$ph['displayNew'] = ($upgradeable != 0) ? 'display:none;' : '';
-$ph['displayUpg'] = ($upgradeable == 0) ? 'display:none;' : '';
+$ph['displayNew'] = ($upgradeable !== 0) ? 'hidden' : '';
+$ph['displayUpg'] = ($upgradeable === 0) ? 'hidden' : '';
 $ph['displayAdvUpg'] = $ph['displayUpg'];
 $ph['checkedNew'] = !$upgradeable ? 'checked' : '';
 $ph['checkedUpg'] = (isset($_POST['installmode']) && $_POST['installmode'] == 1 || $upgradeable == 1) ? 'checked' : '';
 $ph['checkedAdvUpg'] = (isset($_POST['installmode']) && $_POST['installmode'] == 2 || $upgradeable == 2) ? 'checked' : '';
 $ph['install_language'] = $install_language;
 $ph['disabledUpg'] = ($upgradeable != 1) ? 'disabled' : '';
 $ph['disabledAdvUpg'] = ($upgradeable == 0) ? 'disabled' : '';
+$ph['csrf_nonce'] = csrfNonce();
 
 $tpl = file_get_contents(dirname(__DIR__) . '/template/actions/mode.tpl');
 $content = parse($tpl, $ph);