diff options
author | Yorhel <git@yorhel.nl> | 2014-12-01 17:25:10 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2014-12-01 17:25:10 +0100 |
commit | 0d191b5cd8c79eef3cef63c40ded96506a40382a (patch) | |
tree | 8feeb96f65f9a399adf8534b0661898bce9a986f /lib/VNDB/Util/LayoutHTML.pm | |
parent | 00cd3dbfa11a4556cf32cd3790f043737b226506 (diff) |
Don't use inline script tag to pass pref_code to JS
This also simplifies the code a bit, as the value of the preference data
was never used so doesn't need to be included now. Primary reason for
this change is to work towards disabling inline JS with a CSP header.
There's still more stuff to fix before the CSP header can be applied,
though.
Diffstat (limited to 'lib/VNDB/Util/LayoutHTML.pm')
-rw-r--r-- | lib/VNDB/Util/LayoutHTML.pm | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/lib/VNDB/Util/LayoutHTML.pm b/lib/VNDB/Util/LayoutHTML.pm index fc7ec8ad..7de7f709 100644 --- a/lib/VNDB/Util/LayoutHTML.pm +++ b/lib/VNDB/Util/LayoutHTML.pm @@ -133,7 +133,7 @@ sub _menu { } -sub htmlFooter { # %options => { prefs => [pref1,..] } +sub htmlFooter { # %options => { pref_code => 1 } my($self, %o) = @_; div id => 'footer'; @@ -156,16 +156,9 @@ sub htmlFooter { # %options => { prefs => [pref1,..] } end; end 'div'; # /maincontent - # insert users' preference data when required by JS - if($o{prefs}) { - script type => 'text/javascript'; - txt sprintf "PREF_CODE='%s';", $self->authInfo->{id} ? $self->authGetCode('/xml/prefs.xml') : ''; - txt 'PREFS={'; - # assumes the preference value doesn't contain a ' - txt join ',', map sprintf("'%s':'%s'", $_, $self->authPref($_)), @{$o{prefs}}; - txt '};'; - end; - } + # Abuse an empty noscript tag for the formcode to update a preference setting, if the page requires one. + noscript id => 'pref_code', title => $self->authGetCode('/xml/prefs.xml'), '' + if $o{pref_code} && $self->authInfo->{id}; script type => 'text/javascript', src => $self->{url_static}.'/f/js/'.$self->{l10n}->language_tag().'.js?'.$self->{version}, ''; end 'body'; end 'html'; |