Fix various issues in forms.

2025-09-23 04:46:44 +00:00 · 2021-04-08 17:41:19 +02:00
parent 3e12d26afd
commit f2073a4494
11 changed files with 23 additions and 22 deletions
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -51,17 +51,17 @@ class SecureHeaders
        $response          = $next($request);
        $trackingScriptSrc = $this->getTrackingScriptSource();
        $csp               = [
-//            "default-src 'none'",
-//            "object-src 'none'",
-//            "require-trusted-types-for 'script'",
+            "default-src 'none'",
+            "object-src 'none'",
+            "require-trusted-types-for 'script'",
            //sprintf("script-src 'unsafe-inline' 'strict-dynamic' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
-//            "style-src 'unsafe-inline' 'self'",
-//            "frame-ancestors 'none'",
-//            "base-uri 'self'",
-//            "font-src 'self' data:",
-//            "connect-src 'self'",
-//            sprintf("img-src 'self' data: https://a.tile.openstreetmap.org https://b.tile.openstreetmap.org https://c.tile.openstreetmap.org https://api.tiles.mapbox.com %s", $trackingScriptSrc),
-//            "manifest-src 'self'",
+            sprintf("script-src 'unsafe-eval' 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
+            "style-src 'unsafe-inline' 'self'",
+            "base-uri 'self'",
+            "font-src 'self' data:",
+            "connect-src 'self'",
+            sprintf("img-src data: 'strict-dynamic' 'self' *.tile.openstreetmap.org %s", $trackingScriptSrc),
+            "manifest-src 'self'",
        ];

        $route = $request->route();
@@ -79,7 +79,7 @@ class SecureHeaders
            "camera 'none'",
            "magnetometer 'none'",
            "gyroscope 'none'",
-            "speaker 'none'",
+            //"speaker 'none'",
            //"vibrate 'none'",
            "fullscreen 'self'",
            "payment 'none'",
--- a/frontend/src/components/transactions/TransactionAccount.vue
+++ b/frontend/src/components/transactions/TransactionAccount.vue
@@ -22,8 +22,8 @@
  <div class="form-group">
    <div v-if="visible" class="text-xs d-none d-lg-block d-xl-block">
      <span v-if="0 === this.index">{{ $t('firefly.' + this.direction + '_account') }}</span>
-      <span v-if="this.index > 0" class="text-warning">{{ $t('firefly.first_split_overrules_' + this.direction) }}</span><br>
-      <span>{{ selectedAccount }}</span>
+      <span v-if="this.index > 0" class="text-warning">{{ $t('firefly.first_split_overrules_' + this.direction) }}</span>
+      <!--<br><span>{{ selectedAccount }}</span> -->
    </div>
    <div v-if="!visible" class="text-xs d-none d-lg-block d-xl-block">
      &nbsp;
--- a/frontend/src/components/transactions/TransactionAmount.vue
+++ b/frontend/src/components/transactions/TransactionAmount.vue
@@ -33,6 +33,7 @@
          autocomplete="off"
          name="amount[]"
          type="number"
+          step="any"
      >
    </div>
    <span v-if="errors.length > 0">
--- a/public/v2/js/transactions/create.js
+++ b/public/v2/js/transactions/create.js
--- a/public/v2/js/transactions/create.js.map
+++ b/public/v2/js/transactions/create.js.map
--- a/public/v2/js/transactions/edit.js
+++ b/public/v2/js/transactions/edit.js
--- a/public/v2/js/transactions/edit.js.map
+++ b/public/v2/js/transactions/edit.js.map
--- a/resources/views/v2/accounts/create.twig
+++ b/resources/views/v2/accounts/create.twig
@@ -6,7 +6,7 @@
 <div id="accounts_create"></div>
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        // this is a terrible hack.
        var previousURL = '{{ Session.get('accounts.create.uri') }}';
    </script>
--- a/resources/views/v2/accounts/delete.twig
+++ b/resources/views/v2/accounts/delete.twig
@@ -6,7 +6,7 @@
 <div id="accounts_delete"></div>
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        // this is a terrible hack.
        var previousURL = '{{ Session.get('accounts.delete.uri') }}';
    </script>
--- a/resources/views/v2/transactions/create.twig
+++ b/resources/views/v2/transactions/create.twig
@@ -15,7 +15,7 @@
 {% endblock %}

 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        // this is a terrible hack.
        var previousURL = '{{ previousUri }}';
    </script>
--- a/resources/views/v2/transactions/edit.twig
+++ b/resources/views/v2/transactions/edit.twig
@@ -15,7 +15,7 @@
 {% endblock %}

 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        // this is a terrible hack.
        var previousURL = '{{ previousUri }}';
    </script>