[TASK] Extract Indexed Search inline event handling

Indexed Search pagination still uses `onclick="..."` inline event handlers. For being compatible with content security policy, the corresponding handlers are added as inline JavaScript, embedded with a CSP nonce value. Resolves: #101271 Releases: main, 12.4 Change-Id: Ic1202faf8be2d1d9e84b599f62e8c9a53aeef2fa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79857 Tested-by: core-ci <typo3@b13.com> Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

[TASK] Extract Indexed Search inline event handling
Indexed Search pagination still uses `onclick="..."` inline event handlers. For being compatible with content security policy, the corresponding handlers are added as inline JavaScript, embedded with a CSP nonce value. Resolves: #101271 Releases: main, 12.4 Change-Id: Ic1202faf8be2d1d9e84b599f62e8c9a53aeef2fa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79857 Tested-by: core-ci <typo3@b13.com> Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
72bbfb36 · Oliver Hader · Andreas Fernandez · a40a4d21 · 72bbfb36 · 72bbfb36
Commit 72bbfb36 authored 1 year ago by Oliver Hader Committed by Andreas Fernandez 1 year ago
--- a/typo3/sysext/indexed_search/Classes/ViewHelpers/PageBrowsingViewHelper.php
+++ b/typo3/sysext/indexed_search/Classes/ViewHelpers/PageBrowsingViewHelper.php
@@ -17,6 +17,7 @@ declare(strict_types=1);

 namespace TYPO3\CMS\IndexedSearch\ViewHelpers;

+use TYPO3\CMS\Core\Page\AssetCollector;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
 use TYPO3\CMS\Extbase\Utility\LocalizationUtility;
@@ -30,16 +31,18 @@ use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractTagBasedViewHelper;
 */
 final class PageBrowsingViewHelper extends AbstractTagBasedViewHelper
 {
-    /**
-     * @var string
-     */
-    protected static $prefixId = 'tx_indexedsearch';
+    protected static string $prefixId = 'tx_indexedsearch';

    /**
     * @var string
     */
    protected $tagName = 'ul';

+    public function __construct(private readonly AssetCollector $assetCollector)
+    {
+        parent::__construct();
+    }
+
    public function initializeArguments(): void
    {
        $this->registerArgument('maximumNumberOfResultPages', 'int', '', true);
@@ -124,11 +127,41 @@ final class PageBrowsingViewHelper extends AbstractTagBasedViewHelper
     */
    protected function makecurrentPageSelector_link($str, $p, $freeIndexUid)
    {
-        $onclick = 'document.getElementById(' . GeneralUtility::quoteJSvalue(self::$prefixId . '_pointer') . ').value=' . GeneralUtility::quoteJSvalue((string)$p) . ';';
-        if ($freeIndexUid !== null) {
-            $onclick .= 'document.getElementById(' . GeneralUtility::quoteJSvalue(self::$prefixId . '_freeIndexUid') . ').value=' . GeneralUtility::quoteJSvalue($freeIndexUid) . ';';
+        $this->providePageSelectorJavaScript();
+        return sprintf(
+            '<a %s>%s</a>',
+            GeneralUtility::implodeAttributes([
+                'href' => '#',
+                'class' => 'tx-indexedsearch-page-selector',
+                'data-prefix' => self::$prefixId,
+                'data-pointer' => $p,
+                'data-freeIndexUid' => $freeIndexUid,
+            ], true),
+            htmlspecialchars($str)
+        );
+    }
+
+    private function providePageSelectorJavaScript(): void
+    {
+        if ($this->assetCollector->hasInlineJavaScript(self::class)) {
+            return;
        }
-        $onclick .= 'document.getElementById(' . GeneralUtility::quoteJSvalue(self::$prefixId) . ').submit();return false;';
-        return '<a href="#" onclick="' . htmlspecialchars($onclick) . '">' . htmlspecialchars($str) . '</a>';
+        $this->assetCollector->addInlineJavaScript(
+            self::class,
+            implode(' ', [
+                "document.addEventListener('click', (evt) => {",
+                    'evt.preventDefault();',
+                    "if (!evt.target.classList.contains('tx-indexedsearch-page-selector')) {",
+                        'return;',
+                    '}',
+                    'var data = evt.target.dataset;',
+                    "document.getElementById(data.prefix + '_pointer').value = data.pointer;",
+                    "document.getElementById(data.prefix + '_freeIndexUid').value = data.freeIndexUid;",
+                    'document.getElementById(data.prefix).submit();',
+                '});',
+            ]),
+            [],
+            ['useNonce' => true],
+        );
    }
 }
--- a/typo3/sysext/indexed_search/Configuration/ContentSecurityPolicies.php
+++ b/typo3/sysext/indexed_search/Configuration/ContentSecurityPolicies.php
+<?php
+
+declare(strict_types=1);
+
+namespace TYPO3\CMS\Backend;
+
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
+use TYPO3\CMS\Core\Security\ContentSecurityPolicy\SourceKeyword;
+use TYPO3\CMS\Core\Type\Map;
+
+/**
+ * \TYPO3\CMS\IndexedSearch\ViewHelpers\PageBrowsingViewHelper::providePageSelectorJavaScript
+ * adds inline JavaScript for the corresponding pagination feature - this configuration adds
+ * the required CSP `nonce-proxy` for the frontend scope.
+ */
+return Map::fromEntries([
+    Scope::frontend(),
+    new MutationCollection(
+        new Mutation(MutationMode::Extend, Directive::ScriptSrc, SourceKeyword::nonceProxy),
+    ),
+]);