CSP: Disable the indexCustomInlineScripts hook

doc/api/hooks_server-side.md

@@ -118,7 +118,6 @@ Available blocks in `pad.html` are:
  * `indexCustomStyles` - contains the `index.css` `<link>` tag, allows you to add your own or to customize the one provided by the active skin
  * `indexWrapper` - contains the form for creating new pads
  * `indexCustomScripts` - contains the `index.js` `<script>` tag, allows you to add your own or to customize the one provided by the active skin
- * `indexCustomInlineScripts` - contains the inline `<script>` of home page, allows you to customize `go2Name()`, `go2Random()` or `randomPadName()` functions
 
 ## padInitToolbar
 Called from: src/node/hooks/express/specialpages.js

src/static/js/pluginfw/shared.js

@@ -1,6 +1,13 @@
 var _ = require("underscore");
 var defs = require('./plugin_defs');
 
+const disabledHookReasons = {
+  hooks: {
+    indexCustomInlineScripts: 'The hook makes it impossible to use a Content Security Policy ' +
+        'that prohibits inline code. Permitting inline code makes XSS vulnerabilities more likely',
+  },
+};
+
 function loadFn(path, hookName) {
   var functionName
     , parts = path.split(":");
@@ -31,8 +38,6 @@ function extractHooks(parts, hook_set_name, normalizer) {
     _.chain(part[hook_set_name] || {})
     .keys()
     .each(function (hook_name) {
-      if (hooks[hook_name] === undefined) hooks[hook_name] = [];
-
       var hook_fn_name = part[hook_set_name][hook_name];
 
       /* On the server side, you can't just
@@ -43,6 +48,15 @@ function extractHooks(parts, hook_set_name, normalizer) {
         hook_fn_name = normalizer(part, hook_fn_name, hook_name);
       }
 
+      const disabledReason = (disabledHookReasons[hook_set_name] || {})[hook_name];
+      if (disabledReason) {
+        console.error(`Hook ${hook_set_name}/${hook_name} is disabled. Reason: ${disabledReason}`);
+        console.error(`The hook function ${hook_fn_name} from plugin ${part.name} ` +
+                      'will never be called, which may cause the plugin to fail');
+        console.error(`Please update the ${part.name} plugin to not use the ${hook_name} hook`);
+        return;
+      }
+
       try {
         var hook_fn = loadFn(hook_fn_name, hook_name);
         if (!hook_fn) {
@@ -52,6 +66,7 @@ function extractHooks(parts, hook_set_name, normalizer) {
         console.error("Failed to load '" + hook_fn_name + "' for '" + part.full_name + "/" + hook_set_name + "/" + hook_name + "': " + exc.toString())
       }
       if (hook_fn) {
+        if (hooks[hook_name] == null) hooks[hook_name] = [];
         hooks[hook_name].push({"hook_name": hook_name, "hook_fn": hook_fn, "hook_fn_name": hook_fn_name, "part": part});
       }
     });

src/templates/index.html

@@ -184,7 +184,6 @@
         <% e.end_block(); %>
         <script>
             // @license magnet:?xt=urn:btih:8e4f440f4c65981c5bf93c76d35135ba5064d8b7&dn=apache-2.0.txt
-            <% e.begin_block("indexCustomInlineScripts"); %>
             function go2Name()
             {
                 var padname = document.getElementById("padname").value;
@@ -219,7 +218,6 @@
                 }
                 return randomstring;
             }
-            <% e.end_block(); %>
 
             // start the custom js
             if (typeof customStart == "function") customStart();