From b83f11e80a9866eeb49588a918938f4570a26a9f Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sat, 3 Oct 2015 23:58:56 -0700
Subject: [PATCH 1/9] remove inline js on pastebin pages

---
 static/js/bin.js           |  7 ++++++-
 static/js/bin_hljs.js      |  2 ++
 templates/display/bin.html | 17 ++++-------------
 3 files changed, 12 insertions(+), 14 deletions(-)
 mode change 100755 => 100644 static/js/bin.js
 create mode 100644 static/js/bin_hljs.js

diff --git a/static/js/bin.js b/static/js/bin.js
old mode 100755
new mode 100644
index 4d26afc..b610083
--- a/static/js/bin.js
+++ b/static/js/bin.js
@@ -14,6 +14,11 @@ function init() {
     navlist.insertBefore(editA, navlist.firstChild);
     navlist.insertBefore(separator, navlist.children[1]);
 
+    var lang = document.getElementById('editor').getAttribute('data-lang');
+    var editor = ace.edit("editor");
+    editor.getSession().setMode("ace/mode/" + lang);
+    editor.setTheme("ace/theme/tomorrow");
+
 }
 
 
@@ -25,7 +30,7 @@ function edit() {
 
     var normalcontent = document.getElementById("normal-content");
     normalcontent.removeChild(document.getElementById("normal-code"));
-    
+
     var editordiv = document.getElementById("editor");
     editordiv.style.display = "block";
 
diff --git a/static/js/bin_hljs.js b/static/js/bin_hljs.js
new file mode 100644
index 0000000..ff8ef6e
--- /dev/null
+++ b/static/js/bin_hljs.js
@@ -0,0 +1,2 @@
+hljs.tabReplace = '    ';
+hljs.initHighlightingOnLoad();
diff --git a/templates/display/bin.html b/templates/display/bin.html
index 433cbb2..9c77584 100644
--- a/templates/display/bin.html
+++ b/templates/display/bin.html
@@ -46,25 +46,16 @@
 
 {% block main %}
 <div id="normal-content" class="normal {% if extra.lang_hl != "story" %}fixed{% endif %}">
-    <pre id="normal-code"><code id="codeb" style="white-space: pre-wrap;" class="{{ extra.lang_hl }}">{{ extra.contents }}</pre></code>
-    <div id="editor" style="display: none; height: 800px; font-size: 11px;">{{ extra.contents }}</div>
+    <pre id="normal-code"><code id="codeb" style="white-space: pre-wrap;" class="{{ extra.lang_hl }}">{{ extra.contents }}</code></pre>
+    <div id="editor" style="display: none; height: 800px; font-size: 11px;" data-lang="{{ extra.lang_ace }}">{{ extra.contents }}</div>
 </div>
 
 
 {% if extra.lang_hl != "text" %}
 <script src="/static/js/highlight/highlight.pack.js"></script>
-<script>
-    hljs.tabReplace = '    ';
-    hljs.initHighlightingOnLoad();
-</script>
+<script src="/static/js/bin_hljs.js"></script>
 {% endif %}
 
-<script type="text/javascript" src="/static/js/bin.js"></script>
 <script src="/static/js/ace/ace.js"></script>
-<script type="text/javascript">
-        var editor = ace.edit("editor");
-        editor.getSession().setMode("ace/mode/{{ extra.lang_ace }}");
-        editor.setTheme("ace/theme/tomorrow");
-</script>
-
+<script src="/static/js/bin.js"></script>
 {% endblock %}

From 84f38026eb8fd1cad99a76b4ee88ff149c4dc379 Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 00:14:21 -0700
Subject: [PATCH 2/9] do some more HTML and JS cleanup

---
 static/js/bin.js     |  5 ++-
 static/js/upload.js  | 89 ++++++++++++++++++++++++++------------------
 templates/index.html |  4 +-
 3 files changed, 58 insertions(+), 40 deletions(-)

diff --git a/static/js/bin.js b/static/js/bin.js
index b610083..4e86edf 100644
--- a/static/js/bin.js
+++ b/static/js/bin.js
@@ -7,7 +7,10 @@ function init() {
     var editA = document.createElement('a');
 
     editA.setAttribute("href", "#");
-    editA.setAttribute("onclick", "edit();return false;");
+    editA.addEventListener('click', function(ev) {
+        edit();
+        return false;
+    });
     editA.innerHTML = "edit";
 
     var separator = document.createTextNode(" | ");
diff --git a/static/js/upload.js b/static/js/upload.js
index 44afffc..cba6324 100644
--- a/static/js/upload.js
+++ b/static/js/upload.js
@@ -5,33 +5,36 @@ Dropzone.options.dropzone = {
 		var upload = document.createElement("div");
 		upload.className = "upload";
 
-		var left = document.createElement("span");
-		left.innerHTML = file.name;
-		file.leftElement = left;
-		upload.appendChild(left);
+		var fileLabel = document.createElement("span");
+		fileLabel.innerHTML = file.name;
+		file.fileLabel = fileLabel;
+		upload.appendChild(fileLabel);
 
-		var right = document.createElement("div");
-		right.className = "right";
-		var rightleft = document.createElement("span");
-		rightleft.className = "cancel";
-		rightleft.innerHTML = "Cancel";
-		rightleft.onclick = function(ev) {
-			this.removeFile(file);
-		}.bind(this);
+		var fileActions = document.createElement("div");
+		fileActions.className = "right";
+		file.fileActions = fileActions;
+		upload.appendChild(fileActions);
+
+		var cancelAction = document.createElement("span");
+		cancelAction.className = "cancel";
+		cancelAction.innerHTML = "Cancel";
+		cancelAction.addEventListener('click', function(ev) {
+		    this.removeFile(file);
+		}.bind(this));
+		file.cancelActionElement = cancelAction;
+		fileActions.appendChild(cancelAction);
+
+		var progress = document.createElement("span");
+		file.progressElement = progress;
+		fileActions.appendChild(progress);
 
-		var rightright = document.createElement("span");
-		right.appendChild(rightleft);
-		file.rightLeftElement = rightleft;
-		right.appendChild(rightright);
-		file.rightRightElement = rightright;
-		file.rightElement = right;
-		upload.appendChild(right);
 		file.uploadElement = upload;
+
 		document.getElementById("uploads").appendChild(upload);
 	},
 	uploadprogress: function(file, p, bytesSent) {
 		p = parseInt(p);
-		file.rightRightElement.innerHTML = p + "%";
+		file.progressElement.innerHTML = p + "%";
 		file.uploadElement.setAttribute("style", 'background-image: -webkit-linear-gradient(left, #F2F4F7 ' + p + '%, #E2E2E2 ' + p + '%); background-image: -moz-linear-gradient(left, #F2F4F7 ' + p + '%, #E2E2E2 ' + p + '%); background-image: -ms-linear-gradient(left, #F2F4F7 ' + p + '%, #E2E2E2 ' + p + '%); background-image: -o-linear-gradient(left, #F2F4F7 ' + p + '%, #E2E2E2 ' + p + '%); background-image: linear-gradient(left, #F2F4F7 ' + p + '%, #E2E2E2 ' + p + '%)');
 	},
 	sending: function(file, xhr, formData) {
@@ -39,36 +42,48 @@ Dropzone.options.dropzone = {
 		formData.append("expires", document.getElementById("expires").selectedOptions[0].value);
 	},
 	success: function(file, resp) {
-		file.rightLeftElement.innerHTML = "";
-		file.leftElement.innerHTML = '<a target="_blank" href="' + resp.url + '">' + resp.url + '</a>';
-		file.rightRightElement.innerHTML = "Delete";
-		file.rightRightElement.className = "cancel";
-		file.rightRightElement.onclick = function(ev) {
+        file.fileActions.removeChild(file.progressElement);
+
+        var fileLabelLink = document.createElement("a");
+        fileLabelLink.href = resp.url;
+        fileLabelLink.target = "_blank";
+        fileLabelLink.innerHTML = resp.url;
+        file.fileLabel.innerHTML = "";
+        file.fileLabelLink = fileLabelLink;
+        file.fileLabel.appendChild(fileLabelLink);
+
+        var deleteAction = document.createElement("span");
+        deleteAction.innerHTML = "Delete";
+        deleteAction.className = "cancel";
+		deleteAction.addEventListener('click', function(ev) {
 		    xhr = new XMLHttpRequest();
 			xhr.open("DELETE", resp.url, true);
 			xhr.setRequestHeader("X-Delete-Key", resp.delete_key);
 			xhr.onreadystatechange = function(file) {
-				if (xhr.status === 200) {
-					file.leftElement.innerHTML = 'Deleted <a target="_blank" href="' + resp.url + '">' + resp.url + '</a>';
-					file.leftElement.className = "deleted";
-					file.rightRightElement.onclick = null;
-					file.rightRightElement.innerHTML = "";					
+				if (xhr.readyState == 4 && xhr.status === 200) {
+				    var text = document.createTextNode("Deleted ");
+				    file.fileLabel.insertBefore(text, file.fileLabelLink);
+					file.fileLabel.className = "deleted";
+					file.fileActions.removeChild(file.cancelActionElement);
 				}
 			}.bind(this, file);
 			xhr.send();
-		}.bind(this);
+		});
+		file.fileActions.removeChild(file.cancelActionElement);
+		file.cancelActionElement = deleteAction;
+		file.fileActions.appendChild(deleteAction);
 	},
 	error: function(file, errMsg, xhrO) {
-		file.rightLeftElement.onclick = null;
-		file.rightLeftElement.innerHTML = "";
-		file.rightRightElement.innerHTML = "";
+        file.fileActions.removeChild(file.cancelActionElement);
+        file.fileActions.removeChild(file.progressElement);
+
 		if (file.status === "canceled") {
-			file.leftElement.innerHTML = "Canceled " + file.name;			
+			file.fileLabel.innerHTML = "Canceled " + file.name;			
 		}
 		else {
-			file.leftElement.innerHTML = "Could not upload " + file.name;
+			file.fileLabel.innerHTML = "Could not upload " + file.name;
 		}
-		file.leftElement.className = "error";
+		file.fileLabel.className = "error";
 	},
 
     maxFilesize: 4096,
diff --git a/templates/index.html b/templates/index.html
index 8195f6e..36bbc99 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -20,7 +20,6 @@
             <div id="expiry">
                 <label>File expiry: 
                 <select name="expires" id="expires">
-                </label>
                     <option value="0">never</option>
                     <option value="60">a minute</option>
                     <option value="300">5 minutes</option>
@@ -30,6 +29,7 @@
                     <option value="2419200">a month</option>
                     <option value="29030400">a year</option>
                 </select>
+                </label>
             </div>
             <label><input name="randomize" id="randomize" type="checkbox" checked /> Randomize filename</label>
         </div>
@@ -41,4 +41,4 @@
 
 <script src="/static/js/dropzone.js"></script>
 <script src="/static/js/upload.js"></script>
-{% endblock %}
\ No newline at end of file
+{% endblock %}

From 44172ec98a8033803f578288ddd03702504980a0 Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 14:13:29 -0700
Subject: [PATCH 3/9] clean up HTML, CSS, and JavaScript for CSP

In order to implement Content-Security-Policy, the inlined style, event
handlers, and scripts all have to go. This commit completes this work.
---
 static/css/linx.css          | 73 +++++++++++++++++++++++++++++++++++-
 static/js/bin.js             | 14 +++----
 templates/404.html           |  2 +-
 templates/display/audio.html |  6 +--
 templates/display/bin.html   | 32 ++++++++--------
 templates/display/file.html  |  4 +-
 templates/display/image.html |  2 +-
 templates/display/pdf.html   |  5 +--
 templates/display/video.html | 10 ++---
 templates/index.html         |  2 +-
 templates/oops.html          |  2 +-
 templates/paste.html         |  6 +--
 12 files changed, 110 insertions(+), 48 deletions(-)

diff --git a/static/css/linx.css b/static/css/linx.css
index cf83032..e365826 100644
--- a/static/css/linx.css
+++ b/static/css/linx.css
@@ -80,6 +80,16 @@ body {
   padding: 5px 5px 5px 5px;
 }
 
+#info #filename,
+#editform #filename {
+    width: 232px;
+}
+
+#info #extension,
+#editform #extension {
+    width: 40px;
+}
+
 #info .float-left {
 	margin-top: 2px;
 	margin-right: 20px;
@@ -181,7 +191,7 @@ body {
 }
 
 .clear {
-	clear:both;
+	clear: both;
 }
 
 #upload_header {
@@ -248,6 +258,65 @@ body {
   padding-top: 1px;
 }
 
+.oopscontent {
+    width: 400px;
+}
+
+.oopscontent img {
+    width: 400px;
+    border: 0;
+}
+
+.editor {
+    width: 705px;
+    height: 450px;
+    border-color: #cccccc;
+}
+
+/* Content display {{{ */
+.display-audio,
+.display-file {
+    width: 500px;
+}
+
+.display-image {
+    margin-bottom: -6px;
+    max-width: 800px;
+}
+
+.display-pdf {
+    width: 910px;
+    height: 800px;
+}
+
+.display-video {
+    width: 800px;
+}
+
+.scrollable {
+    overflow: auto;
+}
+
+.storycontent {
+    background-color: #f0e0d6;
+}
+
+#editform,
+#editform .editor {
+    display: none;
+}
+
+#codeb {
+    white-space: pre-wrap;
+}
+
+#editor {
+    display: none;
+    height: 800px;
+    font-size: 11px;
+}
+/* }}} */
+
 /* cat.js */
 .qq-uploader { position:relative; width: 100%;}
 
@@ -694,4 +763,4 @@ THE SOFTWARE.
 .hint--bounce:before, .hint--bounce:after {
   -webkit-transition: opacity 0.3s ease, visibility 0.3s ease, -webkit-transform 0.3s cubic-bezier(0.71, 1.7, 0.77, 1.24);
   -moz-transition: opacity 0.3s ease, visibility 0.3s ease, -moz-transform 0.3s cubic-bezier(0.71, 1.7, 0.77, 1.24);
-  transition: opacity 0.3s ease, visibility 0.3s ease, transform 0.3s cubic-bezier(0.71, 1.7, 0.77, 1.24); }
\ No newline at end of file
+  transition: opacity 0.3s ease, visibility 0.3s ease, transform 0.3s cubic-bezier(0.71, 1.7, 0.77, 1.24); }
diff --git a/static/js/bin.js b/static/js/bin.js
index 4e86edf..0fd6990 100644
--- a/static/js/bin.js
+++ b/static/js/bin.js
@@ -8,7 +8,7 @@ function init() {
 
     editA.setAttribute("href", "#");
     editA.addEventListener('click', function(ev) {
-        edit();
+        edit(ev);
         return false;
     });
     editA.innerHTML = "edit";
@@ -22,14 +22,16 @@ function init() {
     editor.getSession().setMode("ace/mode/" + lang);
     editor.setTheme("ace/theme/tomorrow");
 
+    document.getElementById('save').addEventListener('click', paste);
+    document.getElementById('wordwrap').addEventListener('click', wrap);
 }
 
 
-function edit() {
+function edit(ev) {
 
     navlist.remove();
     document.getElementById("filename").remove();
-    document.getElementById("foarm").style.display = "block";
+    document.getElementById("editform").style.display = "block";
 
     var normalcontent = document.getElementById("normal-content");
     normalcontent.removeChild(document.getElementById("normal-code"));
@@ -44,14 +46,12 @@ function edit() {
 }
 
 
-function paste() {
-
+function paste(ev) {
     document.getElementById("newcontent").value = editor.getSession().getValue();
     document.forms["reply"].submit();
-
 }
 
-function wrap() {
+function wrap(ev) {
     if (document.getElementById("wordwrap").checked) {
         document.getElementById("codeb").style.wordWrap = "break-word";
         document.getElementById("codeb").style.whiteSpace = "pre-wrap";
diff --git a/templates/404.html b/templates/404.html
index 0999393..e792bf3 100644
--- a/templates/404.html
+++ b/templates/404.html
@@ -1,5 +1,5 @@
 {% extends "base.html" %}
 
 {% block content %}
-<a href="/"><img style="border:0;" src='/static/images/404.jpg' width='400'></a>
+<a href="/"><img src='/static/images/404.jpg'></a>
 {% endblock %}
diff --git a/templates/display/audio.html b/templates/display/audio.html
index 66b36fa..a88319f 100644
--- a/templates/display/audio.html
+++ b/templates/display/audio.html
@@ -1,9 +1,9 @@
 {% extends "base.html" %}
 
 {% block main %}
-<audio controls style='width: 500px;' preload='auto'>
-	<source src='/selif/{{ filename }}'>
-  <a href='/selif/{{ filename }}'>Download it instead</a>
+<audio class="display-audio" controls preload='auto'>
+    <source src='/selif/{{ filename }}'>
+    <a href='/selif/{{ filename }}'>Download it instead</a>
 </audio>
 {% endblock %}
 
diff --git a/templates/display/bin.html b/templates/display/bin.html
index 9c77584..3f12a7f 100644
--- a/templates/display/bin.html
+++ b/templates/display/bin.html
@@ -2,20 +2,20 @@
 
 {% block head %}
     {% if extra.extension == "story" %}
-    <link href="/static/css/highlight/story.css" rel="stylesheet" type="text/css" />
+    <link href="/static/css/highlight/story.css" rel="stylesheet" type="text/css">
     {% else %}
-    <link href="/static/css/highlight/tomorrow.css" rel="stylesheet" type="text/css" />
+    <link href="/static/css/highlight/tomorrow.css" rel="stylesheet" type="text/css">
     {% endif %}
     {% endblock %}
 
-{% block innercontentmore %} style="overflow: auto;" {% endblock %}
-{% block mainmore %} {% if extra.extension == "story" %} style="background-color: #f0e0d6;"{% endif %} {% endblock %}
+{% block innercontentmore %} class="scrollable"{% endblock %}
+{% block mainmore %} {% if extra.extension == "story" %} class="storycontent"{% endif %} {% endblock %}
 
 {% block infoleft %}
-    <div id="foarm" style="display: none;">
+    <div id="editform">
         <form id="reply" action='/upload' method='post' >
             <div class="right">
-	            <select id="expiry" name="expires">
+                <select id="expiry" name="expires">
                     <option disabled=disabled>Expires:</option>
                     <option value="0">never</option>
                     <option value="60">a minute</option>
@@ -25,29 +25,27 @@
                     <option value="604800">a week</option>
                     <option value="2419200">a month</option>
                     <option value="29030400">a year</option>
-	            </select>
+                </select>
 
-	            <button id="save" onclick="paste()">save</button>
-	        </div>
+                <button id="save">save</button>
+            </div>
 
-            <input style ="width:232px;" class="codebox" name='filename' id="filename" type='text' value="" placeholder="filename (empty for random filename)" />.<input id="extension" class="codebox" style="width:30px;" name='extension' type='text' value="{{ extra.extension }}" placeholder="txt" />
+            <input class="codebox" name='filename' id="filename" type='text' value="" placeholder="filename (empty for random filename)">.<input id="extension" class="codebox" name='extension' type='text' value="{{ extra.extension }}" placeholder="txt">
 
 
-            <textarea name='content' id="newcontent" class="editor" style="display: none;"></textarea>
+            <textarea name='content' id="newcontent" class="editor"></textarea>
+        </form>
     </div>
-
-
-</form>
 {% endblock %}
 
 {%block infomore %}
-<label>wrap <input id="wordwrap" type="checkbox" onclick="wrap()" checked /></label> | 
+<label>wrap <input id="wordwrap" type="checkbox" checked></label> | 
 {% endblock %}
 
 {% block main %}
 <div id="normal-content" class="normal {% if extra.lang_hl != "story" %}fixed{% endif %}">
-    <pre id="normal-code"><code id="codeb" style="white-space: pre-wrap;" class="{{ extra.lang_hl }}">{{ extra.contents }}</code></pre>
-    <div id="editor" style="display: none; height: 800px; font-size: 11px;" data-lang="{{ extra.lang_ace }}">{{ extra.contents }}</div>
+    <pre id="normal-code"><code id="codeb" class="{{ extra.lang_hl }}">{{ extra.contents }}</code></pre>
+    <div id="editor" data-lang="{{ extra.lang_ace }}">{{ extra.contents }}</div>
 </div>
 
 
diff --git a/templates/display/file.html b/templates/display/file.html
index 9872298..d4f6187 100644
--- a/templates/display/file.html
+++ b/templates/display/file.html
@@ -1,7 +1,7 @@
 {% extends "base.html" %}
 
 {% block main %}
-<div class="normal" style="width: 500px;">
-	<p class="center">You are requesting <a href="/selif/{{ filename }}">{{ filename }}</a>, <a href="/selif/{{ filename }}">click here</a> to download.</p>
+<div class="normal display-file">
+    <p class="center">You are requesting <a href="/selif/{{ filename }}">{{ filename }}</a>, <a href="/selif/{{ filename }}">click here</a> to download.</p>
 </div>
 {% endblock %}
diff --git a/templates/display/image.html b/templates/display/image.html
index 20b57ef..4b265b3 100644
--- a/templates/display/image.html
+++ b/templates/display/image.html
@@ -2,6 +2,6 @@
 
 {% block main %}
 <a href="/selif/{{ filename }}">
-	<img style="margin-bottom: -6px; max-width: 800px;" src="/selif/{{ filename }}" />
+    <img class="display-image" src="/selif/{{ filename }}" />
 </a>
 {% endblock %}
diff --git a/templates/display/pdf.html b/templates/display/pdf.html
index a98d040..6726ce2 100644
--- a/templates/display/pdf.html
+++ b/templates/display/pdf.html
@@ -1,10 +1,7 @@
 {% extends "base.html" %}
 
 {% block main %}
-<object data="/selif/{{ filename }}"
-        type="application/pdf"
-        width=910 
-        height=800>
+<object class="display-pdf" data="/selif/{{ filename }}" type="application/pdf">
 
 <p>It appears your Web browser is not configured to display PDF files. 
 No worries, just <a href="/selif/{{ filename }}">click here to download the PDF file.</a></p>
diff --git a/templates/display/video.html b/templates/display/video.html
index 0bf5486..77c2a60 100644
--- a/templates/display/video.html
+++ b/templates/display/video.html
@@ -1,10 +1,8 @@
 {% extends "base.html" %}
 
 {% block main %}
-<div id='video'>
-    <video controls autoplay width="800">
-        <source src="/selif/{{ filename }}"/>
-    </video>
-</div>
-
+<video class="display-video" controls autoplay>
+    <source src="/selif/{{ filename }}"/>
+    <a href='/selif/{{ filename }}'>Download it instead</a>
+</video>
 {% endblock %}
diff --git a/templates/index.html b/templates/index.html
index 36bbc99..4528ae8 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -36,7 +36,7 @@
         <div class="clear"></div>
     </form>
     <div id="uploads"></div>
-    <div style="clear:both;"></div>
+    <div class="clear"></div>
 </div>
 
 <script src="/static/js/dropzone.js"></script>
diff --git a/templates/oops.html b/templates/oops.html
index 9627bba..ce3ac49 100644
--- a/templates/oops.html
+++ b/templates/oops.html
@@ -2,7 +2,7 @@
 
 {% block content %}
 <div id="main">
-    <div id='inner_content' style='width: 400px'>
+    <div id='inner_content' class='oopscontent'>
     	<p>{{ error_message|default:"Oops! Something went wrong." }}</p>
     </div>
 </div>
diff --git a/templates/paste.html b/templates/paste.html
index b1b86a4..6e7876e 100644
--- a/templates/paste.html
+++ b/templates/paste.html
@@ -4,7 +4,7 @@
     <form id="reply" action='/upload' method='post'>
     <div id="main">
         <div id="info" class="ninfo">
-            <input style ="width:232px;" class="codebox" name='filename' id="filename" type='text' value="" placeholder="filename (empty for random filename)" />.<span class="hint--top hint--bounce" data-hint="Enable syntax highlighting by adding the extension"><input id="extension" class="codebox" style="width:40px;" name='extension' type='text' value="" placeholder="txt" /></span>
+            <input class="codebox" name='filename' id="filename" type='text' value="" placeholder="filename (empty for random filename)" />.<span class="hint--top hint--bounce" data-hint="Enable syntax highlighting by adding the extension"><input id="extension" class="codebox" name='extension' type='text' value="" placeholder="txt" /></span>
 
             <div class="right">
                 <select id="expiry" name="expires">
@@ -27,7 +27,7 @@
         </div>
 
     <div id="inner_content">
-        <textarea name='content' id="content" class="editor" style="width: 705px; height: 450px; border-color: #cccccc;"></textarea>
+        <textarea name='content' id="content" class="editor"></textarea>
     </div>
 
     </div>
@@ -37,4 +37,4 @@
     </form>        
 
 
-{% endblock %}
\ No newline at end of file
+{% endblock %}

From 70cff4431d997abda4e5e750de7ea9861394bcec Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 14:57:36 -0700
Subject: [PATCH 4/9] tweak editor textarea style

---
 static/css/linx.css | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/static/css/linx.css b/static/css/linx.css
index e365826..524f998 100644
--- a/static/css/linx.css
+++ b/static/css/linx.css
@@ -312,8 +312,9 @@ body {
 
 #editor {
     display: none;
+    border: 0;
+    width: 794px;
     height: 800px;
-    font-size: 11px;
 }
 /* }}} */
 

From 5e7e96af01ecc53547b9315765540fd3a8eaca9b Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 14:58:00 -0700
Subject: [PATCH 5/9] add support for some security headers

This commit adds support for Content-Security-Policy and
X-Frame-Options using the ContentSecurityPolicy middleware.
---
 csp.go       | 40 ++++++++++++++++++++++++++++++++++++++++
 csp_test.go  | 38 ++++++++++++++++++++++++++++++++++++++
 fileserve.go |  2 ++
 server.go    | 34 +++++++++++++++++++++++++---------
 4 files changed, 105 insertions(+), 9 deletions(-)
 create mode 100644 csp.go
 create mode 100644 csp_test.go

diff --git a/csp.go b/csp.go
new file mode 100644
index 0000000..ac68d1a
--- /dev/null
+++ b/csp.go
@@ -0,0 +1,40 @@
+package main
+
+import (
+	"net/http"
+)
+
+const (
+	cspHeader          = "Content-Security-Policy"
+	frameOptionsHeader = "X-Frame-Options"
+)
+
+type csp struct {
+	h    http.Handler
+	opts CSPOptions
+}
+
+type CSPOptions struct {
+	policy string
+	frame  string
+}
+
+func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// only add a CSP if one is not already set
+	if existing := w.Header().Get(cspHeader); existing == "" {
+		w.Header().Add(cspHeader, c.opts.policy)
+	}
+
+	w.Header().Set(frameOptionsHeader, c.opts.frame)
+
+	c.h.ServeHTTP(w, r)
+}
+
+func ContentSecurityPolicy(o CSPOptions) func(http.Handler) http.Handler {
+	fn := func(h http.Handler) http.Handler {
+		return csp{h, o}
+	}
+	return fn
+}
+
+// vim:set ts=8 sw=8 noet:
diff --git a/csp_test.go b/csp_test.go
new file mode 100644
index 0000000..ae4c6db
--- /dev/null
+++ b/csp_test.go
@@ -0,0 +1,38 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/zenazn/goji"
+)
+
+var testCSPHeaders = map[string]string{
+	"Content-Security-Policy": "default-src 'none'; style-src 'self';",
+	"X-Frame-Options":         "SAMEORIGIN",
+}
+
+func TestContentSecurityPolicy(t *testing.T) {
+	w := httptest.NewRecorder()
+
+	req, err := http.NewRequest("GET", "/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	goji.Use(ContentSecurityPolicy(CSPOptions{
+		policy: testCSPHeaders["Content-Security-Policy"],
+		frame:  testCSPHeaders["X-Frame-Options"],
+	}))
+
+	goji.DefaultMux.ServeHTTP(w, req)
+
+	for k, v := range testCSPHeaders {
+		if w.HeaderMap[k][0] != v {
+			t.Fatalf("%s header did not match expected value set by middleware", k)
+		}
+	}
+}
+
+// vim:set ts=8 sw=8 noet:
diff --git a/fileserve.go b/fileserve.go
index e1d2e16..e3fd5f0 100644
--- a/fileserve.go
+++ b/fileserve.go
@@ -26,6 +26,8 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	w.Header().Set("Content-Security-Policy", Config.fileContentSecurityPolicy)
+
 	http.ServeFile(w, r, filePath)
 }
 
diff --git a/server.go b/server.go
index 2f314ec..e87a3ec 100644
--- a/server.go
+++ b/server.go
@@ -19,15 +19,18 @@ import (
 )
 
 var Config struct {
-	bind          string
-	filesDir      string
-	metaDir       string
-	noLogs        bool
-	allowHotlink  bool
-	siteName      string
-	siteURL       string
-	fastcgi       bool
-	remoteUploads bool
+	bind                      string
+	filesDir                  string
+	metaDir                   string
+	noLogs                    bool
+	allowHotlink              bool
+	siteName                  string
+	siteURL                   string
+	fastcgi                   bool
+	remoteUploads             bool
+	contentSecurityPolicy     string
+	fileContentSecurityPolicy string
+	xFrameOptions             string
 }
 
 var Templates = make(map[string]*pongo2.Template)
@@ -37,6 +40,11 @@ var timeStarted time.Time
 var timeStartedStr string
 
 func setup() {
+	goji.Use(ContentSecurityPolicy(CSPOptions{
+		policy: Config.contentSecurityPolicy,
+		frame:  Config.xFrameOptions,
+	}))
+
 	if Config.noLogs {
 		goji.Abandon(middleware.Logger)
 	}
@@ -126,6 +134,14 @@ func main() {
 		"serve through fastcgi")
 	flag.BoolVar(&Config.remoteUploads, "remoteuploads", false,
 		"enable remote uploads")
+	flag.StringVar(&Config.contentSecurityPolicy, "contentSecurityPolicy",
+		"default-src 'self'; img-src 'self' data:; referrer none;",
+		"value of default Content-Security-Policy header")
+	flag.StringVar(&Config.fileContentSecurityPolicy, "fileContentSecurityPolicy",
+		"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;",
+		"value of Content-Security-Policy header for file access")
+	flag.StringVar(&Config.xFrameOptions, "xFrameOptions", "SAMEORIGIN",
+		"value of X-Frame-Options header")
 	flag.Parse()
 
 	setup()

From e030c07f946f61a73d4ef17724467778f44700e6 Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 15:11:23 -0700
Subject: [PATCH 6/9] allow unsafe-inline for style-src for now

This is used for the upload progress bar. Hopefully we can find a better
solution in the future for this.
---
 server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.go b/server.go
index e87a3ec..cf40fd2 100644
--- a/server.go
+++ b/server.go
@@ -135,7 +135,7 @@ func main() {
 	flag.BoolVar(&Config.remoteUploads, "remoteuploads", false,
 		"enable remote uploads")
 	flag.StringVar(&Config.contentSecurityPolicy, "contentSecurityPolicy",
-		"default-src 'self'; img-src 'self' data:; referrer none;",
+		"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;",
 		"value of default Content-Security-Policy header")
 	flag.StringVar(&Config.fileContentSecurityPolicy, "fileContentSecurityPolicy",
 		"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;",

From 42aab4dca17dee2d9e2a03c1898350f6d8814bf2 Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 15:13:53 -0700
Subject: [PATCH 7/9] fix a merge conflict mistake for upload errors

---
 static/js/upload.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static/js/upload.js b/static/js/upload.js
index 9c6b679..222332c 100644
--- a/static/js/upload.js
+++ b/static/js/upload.js
@@ -73,7 +73,7 @@ Dropzone.options.dropzone = {
 		file.cancelActionElement = deleteAction;
 		file.fileActions.appendChild(deleteAction);
 	},
-	error: function(file, errMsg, xhrO) {
+	error: function(file, resp, xhrO) {
         file.fileActions.removeChild(file.cancelActionElement);
         file.fileActions.removeChild(file.progressElement);
 

From 71d5f51ae6d4af722f0932c3374dc82ba5bb74bd Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 15:18:22 -0700
Subject: [PATCH 8/9] add X-Content-Type-Options: nosniff

---
 csp.go      | 6 ++++--
 csp_test.go | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/csp.go b/csp.go
index ac68d1a..242619e 100644
--- a/csp.go
+++ b/csp.go
@@ -5,8 +5,9 @@ import (
 )
 
 const (
-	cspHeader          = "Content-Security-Policy"
-	frameOptionsHeader = "X-Frame-Options"
+	cspHeader                = "Content-Security-Policy"
+	frameOptionsHeader       = "X-Frame-Options"
+	contentTypeOptionsHeader = "X-Content-Type-Options"
 )
 
 type csp struct {
@@ -26,6 +27,7 @@ func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Set(frameOptionsHeader, c.opts.frame)
+	w.Header().Set(contentTypeOptionsHeader, "nosniff")
 
 	c.h.ServeHTTP(w, r)
 }
diff --git a/csp_test.go b/csp_test.go
index ae4c6db..636272b 100644
--- a/csp_test.go
+++ b/csp_test.go
@@ -11,6 +11,7 @@ import (
 var testCSPHeaders = map[string]string{
 	"Content-Security-Policy": "default-src 'none'; style-src 'self';",
 	"X-Frame-Options":         "SAMEORIGIN",
+	"X-Content-Type-Options":  "nosniff",
 }
 
 func TestContentSecurityPolicy(t *testing.T) {

From b96ee60c4c7427f217b27967a8bc3885b7e436b8 Mon Sep 17 00:00:00 2001
From: mutantmonkey <mutantmonkey@mutantmonkey.in>
Date: Sun, 4 Oct 2015 15:21:27 -0700
Subject: [PATCH 9/9] Revert "add X-Content-Type-Options: nosniff"

This reverts commit 71d5f51ae6d4af722f0932c3374dc82ba5bb74bd.
---
 csp.go      | 6 ++----
 csp_test.go | 1 -
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/csp.go b/csp.go
index 242619e..ac68d1a 100644
--- a/csp.go
+++ b/csp.go
@@ -5,9 +5,8 @@ import (
 )
 
 const (
-	cspHeader                = "Content-Security-Policy"
-	frameOptionsHeader       = "X-Frame-Options"
-	contentTypeOptionsHeader = "X-Content-Type-Options"
+	cspHeader          = "Content-Security-Policy"
+	frameOptionsHeader = "X-Frame-Options"
 )
 
 type csp struct {
@@ -27,7 +26,6 @@ func (c csp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Set(frameOptionsHeader, c.opts.frame)
-	w.Header().Set(contentTypeOptionsHeader, "nosniff")
 
 	c.h.ServeHTTP(w, r)
 }
diff --git a/csp_test.go b/csp_test.go
index 636272b..ae4c6db 100644
--- a/csp_test.go
+++ b/csp_test.go
@@ -11,7 +11,6 @@ import (
 var testCSPHeaders = map[string]string{
 	"Content-Security-Policy": "default-src 'none'; style-src 'self';",
 	"X-Frame-Options":         "SAMEORIGIN",
-	"X-Content-Type-Options":  "nosniff",
 }
 
 func TestContentSecurityPolicy(t *testing.T) {