From 7aa17b3d37ee8219f4b0af86bee33a0fec4521b1 Mon Sep 17 00:00:00 2001 From: Hystepik Date: Fri, 7 Feb 2025 15:27:00 +0100 Subject: [PATCH] add all sources + modification for some --- htdocs/website/index.php | 67 +++++++++++++++++--------- htdocs/website/lib/website.lib.php | 77 +++++++++++++++++++----------- 2 files changed, 94 insertions(+), 50 deletions(-) diff --git a/htdocs/website/index.php b/htdocs/website/index.php index ae94a5b920e..98d69d63d5a 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -1950,7 +1950,10 @@ if ($action == "updatesecurity" && $usercanedit && GETPOST("btn_WEBSITE_SECURITY $forceCSPArr = websiteGetContentPolicyToArray($forceCSP); $directivesarray = websiteGetContentPolicyDirectives(); $sourcesarray = websiteGetContentPolicySources(); - if (empty($sourcecsp) || empty($directivecsp)) { + if (empty($directivecsp)) { + $error++; + } + if ($error || (isset($sourcecsp) && $directivesarray[$directivecsp]["data-directivetype"] != "none")) { $error++; } if (!$error) { @@ -1962,8 +1965,13 @@ if ($action == "updatesecurity" && $usercanedit && GETPOST("btn_WEBSITE_SECURITY } $forceCSPArr[$directivecsp]["data"][] = $sourcedatacsp; + } else if($sourcetype == "input") { + if (empty($forceCSPArr[$directivecsp])) { + $forceCSPArr[$directivecsp] = array(); + } + $forceCSPArr[$directivecsp] = array_merge(explode(" ", $sourcedatacsp), $forceCSPArr[$directivecsp]); } else { - $forceCSPArr[$directivecsp][] = $sourcecsp; + array_unshift($forceCSPArr[$directivecsp], $sourcecsp); } foreach ($forceCSPArr as $directive => $sourcekeys) { @@ -1979,7 +1987,7 @@ if ($action == "updatesecurity" && $usercanedit && GETPOST("btn_WEBSITE_SECURITY $sourcetype = $sourcesarray[$directivetype][$source]["data-sourcetype"]; if ($sourcetype == "quoted") { $sourcestring .= " '".$source."'"; - } else { + } else if ($directivetype != "none") { $sourcestring .= " ".$source; } } 
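Review bot: The new second guard in the first hunk appears inverted: `isset($sourcecsp) && ... != "none"` raises `$error` exactly when a source is supplied for a directive that takes sources, which is the normal add case, whereas the parallel check added in the `removecspsource` branch uses `!isset($sourcekey)`. If `$sourcecsp` is read through GETPOST it is always set, so the original `empty()` test is the one to keep: `if ($error || (empty($sourcecsp) && $directivesarray[$directivecsp]["data-directivetype"] != "none"))`. `$directivecsp` is also indexed into `$directivesarray` before it is known to be a valid key, so an unexpected directive name yields an undefined-index notice and a null type that passes the `!= "none"` test; adding `|| !isset($directivesarray[$directivecsp])` to the first `if` keeps unknown directive names out of the policy builder. The `$error ||` prefix only re-increments a counter that is already non-zero and can be dropped.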
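Review bot: The new `else` branch of the second hunk calls `array_unshift($forceCSPArr[$directivecsp], $sourcecsp)` without the initialisation the `input` branch performs: on a directive with no stored sources the by-reference argument is created as null and PHP 8 throws a TypeError, whereas the removed `[] =` form auto-vivified the array. Hoist `if (empty($forceCSPArr[$directivecsp])) { $forceCSPArr[$directivecsp] = array(); }` above the whole `if ($sourcetype == "data")` chain, whose head lies before the hunk. In the `input` branch `explode(" ", $sourcedatacsp)` produces empty tokens for doubled, leading or trailing spaces that later become stray spaces in the header; `preg_split('/\s+/', trim($sourcedatacsp), -1, PREG_SPLIT_NO_EMPTY)` avoids that. Because these free-text tokens are concatenated unquoted into the Content-Security-Policy string in the loop below, each should also be checked against the host-source/scheme-source grammar (at minimum rejected when it contains `;`, `,` or a quote) before being merged.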
@@ -2976,16 +2984,21 @@ if ($action == 'removecspsource' && $usercanedit) { $forceCSPArr = websiteGetContentPolicyToArray($forceCSP); $directivesarray = websiteGetContentPolicyDirectives(); $sourcesarray = websiteGetContentPolicySources(); - if (!isset($directive) || !isset($sourcekey)) { + if (empty($directive)) { + $error++; + } + if ($error || (!isset($sourcekey) && $directivesarray[$directive]["data-directivetype"] != "none")) { $error++; } $directivetype = $directivesarray[$directive]["data-directivetype"]; - $sourcetype = $sourcesarray[$directivetype][$sourcekey]["data-sourcetype"]; + if (!isset($sourcekey)) { + $sourcetype = $sourcesarray[$directivetype][$sourcekey]["data-sourcetype"]; + } $securityspstring = ""; if (!$error && !empty($forceCSPArr)) { - if (!empty($forceCSPArr[$directive][$sourcekey])) { + if (isset($sourcekey) && !empty($forceCSPArr[$directive][$sourcekey])) { if ($sourcetype == "data") { $keydata = array_search($sourcedata, $forceCSPArr[$directive][$sourcekey]); if ($keydata !== false) { @@ -4406,21 +4419,25 @@ if ($action == 'editsecurity') { print ''; 
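Review bot: The new guard `if (!isset($sourcekey)) { $sourcetype = $sourcesarray[$directivetype][$sourcekey]["data-sourcetype"]; }` is inverted: it dereferences `$sourcekey` only when it is not set, and leaves `$sourcetype` undefined in the case the later `if (isset($sourcekey) && !empty($forceCSPArr[$directive][$sourcekey]))` branch actually reaches `if ($sourcetype == "data")`. Change it to `if (isset($sourcekey)) {`, ideally `if (isset($sourcekey) && isset($sourcesarray[$directivetype][$sourcekey])) {` so an unknown key does not raise a notice. The line `$directivetype = $directivesarray[$directive]["data-directivetype"];` still runs unconditionally, so an unknown or empty `$directive` produces an undefined-index notice even after `$error` was set; guard it with `isset($directivesarray[$directive])` in the first check, mirroring the validation the add branch needs.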
@@ -4433,15 +4450,21 @@ if ($action == 'editsecurity') { console.log("We hide all select div"); $(".div_WEBSITE_SECURITY_FORCECSP").hide(); $(".select_WEBSITE_SECURITY_FORCECSP").val(null).trigger("change"); - console.log("We show div select with key "+key); - $("#div_"+key+"_WEBSITE_SECURITY_FORCECSP").show(); + $(".div_input_data_WEBSITE_SECURITY_FORCECSP").hide(); + $(".div_btn_class_WEBSITE_SECURITY_FORCECSP").hide(); + if (key == "none"){ + $(".div_btn_class_WEBSITE_SECURITY_FORCECSP").show(); + } else { + console.log("We show div select with key "+key); + $("#div_"+key+"_WEBSITE_SECURITY_FORCECSP").show(); + } }); $(".select_WEBSITE_SECURITY_FORCECSP").on("change", function() { keysource = $(this).find(":selected").data("sourcetype"); $("#select_source_WEBSITE_SECURITY_FORCECSP").val($(this).val()); console.log("We hide and show fields"); - if (keysource == "data") { + if (keysource == "data" || keysource == "input") { $(".div_input_data_WEBSITE_SECURITY_FORCECSP").show(); } else { $("#input_data_WEBSITE_SECURITY_FORCECSP").val(""); diff --git a/htdocs/website/lib/website.lib.php b/htdocs/website/lib/website.lib.php index ba6039683ca..4bc815e6f85 100644 --- a/htdocs/website/lib/website.lib.php +++ b/htdocs/website/lib/website.lib.php 
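Review bot: The new `else` branch ships another `console.log("We show div select with key "+key)` to every editor of the security page, alongside the pre-existing ones; drop them or gate them behind a debug flag. The added comparisons `key == "none"` and `keysource == "input"` use loose equality where `===` is the convention for string comparison in this kind of handler. With the `input` source type the free-text field becomes the only path for host and scheme values, and this code only toggles visibility, so the server-side `updatesecurity` handler remains the place those values must be validated. Both jQuery handlers start before the hunk.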
@@ -127,9 +127,9 @@ function websiteGetContentPolicyDirectives()
 // Reporting directives
 "report-to" => array("label" => "report-to", "data-directivetype" => "reporting"),
 // Other directives
- "require-trusted-types-for" => array("label" => "require-trusted-types-for", "data-directivetype" => "other"),
- "othertrusted-types" => array("label" => "othertrusted-types", "data-directivetype" => "other"),
- "upgrade-insecure-requests" => array("label" => "upgrade-insecure-requests", "data-directivetype" => "other"),
+ "require-trusted-types-for" => array("label" => "require-trusted-types-for", "data-directivetype" => "require-trusted-types-for"),
+ "trusted-types" => array("label" => "trusted-types", "data-directivetype" => "trusted-types"),
+ "upgrade-insecure-requests" => array("label" => "upgrade-insecure-requests", "data-directivetype" => "none"),
 );
 } 
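Review bot: The new `data-directivetype` values are no longer a loose category but the key index.php uses to look up `websiteGetContentPolicySources()` (`$sourcesarray[$directivetype]`), with `"none"` marking a directive that takes no source, and nothing in this function says so. A comment above the array such as `// data-directivetype must be a top-level key of websiteGetContentPolicySources(), or "none" for a value-less directive` would keep the two tables from drifting apart. Renaming the `othertrusted-types` key also changes the directive name that reaches the header; if any stored policy was generated with the old key it now carries a name this table no longer recognises, which is worth a line in the commit message.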
@@ -146,25 +146,42 @@ function websiteGetContentPolicySources() "*" => array("label" => "*", "data-sourcetype" => "select"), "data" => array("label" => "data", "data-sourcetype" => "data"), "self" => array("label" => "self", "data-sourcetype" => "quoted"), + "unsafe-eval" => array("label" => "unsafe-eval", "data-sourcetype" => "quoted"), + "wasm-unsafe-eval" => array("label" => "wasm-unsafe-eval", "data-sourcetype" => "quoted"), + "unsafe-inline" => array("label" => "unsafe-inline", "data-sourcetype" => "quoted"), + "unsafe-hashes" => array("label" => "unsafe-hashes", "data-sourcetype" => "quoted"), + "inline-speculation-rules" => array("label" => "inline-speculation-rules", "data-sourcetype" => "quoted"), + "strict-dynamic" => array("label" => "strict-dynamic", "data-sourcetype" => "quoted"), + "report-sample" => array("label" => "report-sample", "data-sourcetype" => "quoted"), + "host-source" => array("label" => "host-source", "data-sourcetype" => "input"), + "scheme-source" => array("label" => "scheme-source", "data-sourcetype" => "input"), ), // Document directives "document" => array( - "base-uri" => array("label" => "base-uri", "data-sourcetype" => "select"), - "sandbox" => array("label" => "sandbox", "data-sourcetype" => "select"), + "none" => array("label" => "self", "data-sourcetype" => "quoted"), + "self" => array("label" => "self", "data-sourcetype" => "quoted"), + "host-source" => array("label" => "host-source", "data-sourcetype" => "input"), + "scheme-source" => array("label" => "scheme-source", "data-sourcetype" => "input"), ), // Navigation directives "navigation" => array( + "none" => array("label" => "self", "data-sourcetype" => "quoted"), "self" => array("label" => "self", "data-sourcetype" => "quoted"), + "host-source" => array("label" => "host-source", "data-sourcetype" => "input"), + "scheme-source" => array("label" => "scheme-source", "data-sourcetype" => "input"), ), // Reporting directives "reporting" => array( - "report-to" => array("label" 
=> "report-to", "data-sourcetype" => "select"), + "report-to" => array("label" => "report-to", "data-sourcetype" => "input"), ), // Other directives - "other" => array( - "require-trusted-types-for" => array("label" => "require-trusted-types-for", "data-sourcetype" => "select"), - "trusted-types" => array("label" => "trusted-types", "data-sourcetype" => "select"), - "upgrade-insecure-requests" => array("label" => "upgrade-insecure-requests", "data-sourcetype" => "select"), + "require-trusted-types-for" => array( + "script" => array("label" => "script", "data-sourcetype" => "select"), + ), + "trusted-types" => array( + "policyName" => array("label" => "policyName", "data-sourcetype" => "input"), + "none" => array("label" => "none", "data-sourcetype" => "quoted"), + "allow-duplicates" => array("label" => "allow-duplicates", "data-sourcetype" => "quoted"), ), ); } 
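Review bot: The two new `"none"` entries in the document and navigation source lists carry `"label" => "self"`, so each select shows two options both labelled "self"; the label should be `"none"`, as the trusted-types entry already has. Per the CSP grammar `'none'` is only meaningful as the sole source of a directive, while the add path in index.php prepends any selected source to the existing list, so the UI can emit `'none' 'self'`; a server-side rule that clears the other sources when `'none'` is chosen, or rejects it when others exist, would keep the generated header meaningful. The newly listed `unsafe-inline`, `unsafe-eval` and `unsafe-hashes` keywords largely disable the protection the directive provides; a label hint such as "(weakens CSP)" on those entries would help administrators picking from the select. The `report-to` context line is split across two lines here by extraction, not by the patch.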
@@ -195,27 +212,31 @@ function websiteGetContentPolicyToArray($forceCSP){ } $sources = $securitypolicyarr; $issourcedata = 0; - foreach ($sources as $key => $source) { - $source = str_replace(":", "", $source); - $source = str_replace("'", "", $source); + if (empty($sources)) { + $forceCSPArr[$directive] = array(); + } else{ + foreach ($sources as $key => $source) { + $source = str_replace(":", "", $source); + $source = str_replace("'", "", $source); - if ($source == "data") { - $issourcedata = 1; - if (empty($forceCSPArr[$directive])) { - $forceCSPArr[$directive] = array($source => array()); - } else { - $forceCSPArr[$directive][$source] = array(); + if ($source == "data") { + $issourcedata = 1; + if (empty($forceCSPArr[$directive])) { + $forceCSPArr[$directive] = array($source => array()); + } else { + $forceCSPArr[$directive][$source] = array(); + } + continue; } - continue; - } - if ($issourcedata && !in_array($source, $sourceCSPArrflatten)) { - $forceCSPArr[$directive]["data"][] = $source; - } else { - $issourcedata = 0; - if (empty($forceCSPArr[$directive])) { - $forceCSPArr[$directive] = array($source); + if ($issourcedata && !in_array($source, $sourceCSPArrflatten)) { + $forceCSPArr[$directive]["data"][] = $source; } else { - $forceCSPArr[$directive][] = $source; + $issourcedata = 0; + if (empty($forceCSPArr[$directive])) { + $forceCSPArr[$directive] = array($source); + } else { + $forceCSPArr[$directive][] = $source; + } } } }
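Review bot: The moved loop still runs `$source = str_replace(":", "", $source);` on every token, which now collides with the `scheme-source`/`host-source` input values introduced in the same commit: `https:` becomes `https` and `example.com:8443` becomes `example.com8443`, so a policy that round-trips through this parser is not the one the administrator entered. Only the `'` quoting needs stripping for the keyword lookup; keep the colon (or strip only a trailing `:` when testing for a scheme source) and compare keywords with `in_array($source, $sourceCSPArrflatten, true)` so `"0"` or similar strings do not match loosely. Style: `} else{` lacks the space before the brace used on every other brace in the hunk. The enclosing `foreach` over directives starts outside the hunk.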