bug fixes and csp updates

Author: [email protected]

server/pom.xml

@@ -322,7 +322,7 @@
         <dependency>
             <groupId>com.github.ziplet</groupId>
             <artifactId>ziplet</artifactId>
-            <version>2.3.0</version>
+            <version>2.4.1</version>
             <exclusions>
                 <exclusion>
                     <groupId>com.google.googlejavaformat</groupId>

server/src/main/java/password/pwm/config/stored/StoredConfigurationImpl.java

@@ -246,13 +246,13 @@ public void writeConfigProperty(
             // remove existing element
             {
                 final XmlElement propertyElement  = xmlHelper.xpathForConfigProperty( propertyName );
-                propertyElement.detach();
+                if ( propertyElement != null )
+                {
+                    propertyElement.detach();
+                }
             }
 
             // add new property
-            {
-
-            }
             final XmlElement propertyElement = xmlHelper.getXmlFactory().newElement( XML_ELEMENT_PROPERTY );
             propertyElement.setAttribute( XML_ATTRIBUTE_KEY, propertyName.getKey() );
             propertyElement.addText( value );

server/src/main/resources/password/pwm/config/PwmSetting.xml

@@ -1627,8 +1627,7 @@
     </setting>
     <setting hidden="false" key="security.cspHeader" level="2">
         <default>
-            <!--<value><![CDATA[]]></value>-->
-            <value><![CDATA[default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self'; script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'self' 'nonce-%NONCE%' ; frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; report-uri /sspr/public/command/cspReport]]></value>
+            <value><![CDATA[default-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'self' 'unsafe-eval' 'nonce-%NONCE%'; frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; report-uri /sspr/public/command/cspReport]]></value>
         </default>
     </setting>
     <setting hidden="false" key="email.adminAlert.toAddress" level="1">

webapp/src/main/webapp/WEB-INF/jsp/fragment/footer.jsp

@@ -68,7 +68,7 @@
 </pwm:if>
 <pwm:script>
     <script type="text/javascript">
-        var dojoConfig = { has: { "csp-restrictions":false }, async:true }
+        var dojoConfig = { has: { "csp-restrictions":true }, async:true}
     </script>
 </pwm:script>
 <pwm:if test="<%=PwmIfTest.hasCustomJavascript%>">

webapp/src/main/webapp/WEB-INF/jsp/fragment/ldap-selector.jsp

@@ -65,7 +65,7 @@
     </select>
 </div>
 <% } %>
-<div style="display: <%=showContextSelector?"inherit":"none"%>" id="contextSelectorWrapper">
+<div <%=showContextSelector?"":"class=\"display-none\" "%>" id="contextSelectorWrapper">
     <h2 class="loginFieldLabel"><label for="<%=PwmConstants.PARAM_CONTEXT%>"><pwm:display key="Field_Location"/></label></h2>
     <div class="formFieldWrapper">
         <select name="<%=PwmConstants.PARAM_CONTEXT%>" id="<%=PwmConstants.PARAM_CONTEXT%>" class="selectfield" title="<pwm:display key="Field_Location"/>">

webapp/src/main/webapp/WEB-INF/jsp/fragment/message.jsp

@@ -35,7 +35,7 @@
     <span id="errorCode" style="display: none"><%=requestError.getError().getErrorCode()%></span>
     <span id="errorName" style="display: none"><%=requestError.getError().toString()%></span>
 <% } else { %>
-    <span style="display:none" id="message" class="message">&nbsp;</span>
+    <span id="message" class="message display-none">&nbsp;</span>
 <% } %>
-    <div id="capslockwarning" style="display:none;"><pwm:display key="Display_CapsLockIsOn"/></div>
+    <div id="capslockwarning" class="display-none"><pwm:display key="Display_CapsLockIsOn"/></div>
 </div>

webapp/src/main/webapp/public/resources/js/main.js

@@ -474,27 +474,27 @@ PWM_MAIN.checkForCapsLock = function(e) {
 
         if(dojo.isIE){
             if (capsLockKeyDetected) {
-                capsLockWarningElement.style.display = 'block';
+                PWM_MAIN.removeCssClass('capslockwarning','display-none');
                 PWM_GLOBAL['lastCapsLockErrorTime'] = (new Date().getTime());
                 setTimeout(function(){
                     if ((new Date().getTime() - PWM_GLOBAL['lastCapsLockErrorTime'] > displayDuration)) {
-                        capsLockWarningElement.style.display = 'none';
+                        PWM_MAIN.addCssClass('capslockwarning','display-none');
                     }
                 },displayDuration + 500);
             } else {
-                capsLockWarningElement.style.display = 'none';
+                PWM_MAIN.addCssClass('capslockwarning','display-none');
             }
         } else {
             if (capsLockKeyDetected) {
-                capsLockWarningElement.style.display = null;
+                PWM_MAIN.removeCssClass('capslockwarning','display-none');
                 fx.fadeIn(fadeInArgs).play();
                 PWM_GLOBAL['lastCapsLockErrorTime'] = (new Date().getTime());
                 setTimeout(function(){
                     if ((new Date().getTime() - PWM_GLOBAL['lastCapsLockErrorTime'] > displayDuration)) {
                         dojo.fadeOut(fadeOutArgs).play();
                         setTimeout(function(){
                             if ((new Date().getTime() - PWM_GLOBAL['lastCapsLockErrorTime'] > displayDuration)) {
-                                capsLockWarningElement.style.display = 'none';
+                                PWM_MAIN.addCssClass('capslockwarning','display-none');
                             }
                         },5 * 1000);
                     }
@@ -1392,10 +1392,10 @@ PWM_MAIN.updateLoginContexts = function() {
         var selectedProfile = ldapProfileElement.options[ldapProfileElement.selectedIndex].value;
         var contextList = PWM_GLOBAL['ldapProfiles'][selectedProfile];
         if (PWM_MAIN.JSLibrary.isEmpty(contextList)) {
-            PWM_MAIN.getObject('contextSelectorWrapper').style.display = 'none';
+            PWM_MAIN.addCssClass( 'contentSelectorWrapper', 'display-none' );
         } else {
             contextElement.innerHTML = '';
-            PWM_MAIN.getObject('contextSelectorWrapper').style.display = 'inherit';
+            PWM_MAIN.removeCssClass( 'contentSelectorWrapper', 'display-none' );
             for (var iter in contextList) {
                 (function (key) {
                     var display = contextList[key];