From 3cb5896316885e9caaf533e5228f850118096508 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Mon, 4 Mar 2019 16:43:07 +1000
Subject: [PATCH] Tighten the content security policies for profiles. Use template variables instead of CSS variables in Nox for better browser backwards compatibility. Emit a local error instead of an internal error when submitting an activation token as a guest or invalid user. Moved the inline profile scripts into profile_member.js
---
 public/profile_member.js | 18 ++++++++++++++++++
 routes/account.go | 2 +-
 routes/profile.go | 2 +-
 templates/profile.html | 24 +-----------------------
 themes/nox/public/main.css | 21 +++++++++------------
 5 files changed, 30 insertions(+), 37 deletions(-)
 create mode 100644 public/profile_member.js
diff --git a/public/profile_member.js b/public/profile_member.js
new file mode 100644
index 00000000..fa940987
--- /dev/null
+++ b/public/profile_member.js
@@ -0,0 +1,18 @@
+function handle_profile_hashbit() {
+ var hash_class = "";
+ switch(window.location.hash.substr(1)) {
+ case "ban_user":
+ hash_class = "ban_user_hash";
+ break;
+ default:
+ console.log("Unknown hashbit");
+ return;
+ }
+ $(".hash_hide").hide();
+ $("." + hash_class).show();
+}
+
+$(document).ready(() => {
+ if(window.location.hash) handle_profile_hashbit();
+ window.addEventListener("hashchange", handle_profile_hashbit, false);
+});
\ No newline at end of file
diff --git a/routes/account.go b/routes/account.go
index 7d0f1345..25e49536 100644
--- a/routes/account.go
+++ b/routes/account.go
@@ -673,7 +673,7 @@ func AccountEditEmailTokenSubmit(w http.ResponseWriter, r *http.Request, user co
 targetEmail := common.Email{UserID: user.ID}
 emails, err := common.Emails.GetEmailsByUser(&user)
 if err != nil {
- return common.InternalError(err, w, r)
+ return common.LocalError("You are not logged in", w, r, user)
 }
 for _, email := range emails {
 if email.Token == token {
diff --git a/routes/profile.go b/routes/profile.go
index 89cdb21c..a59e6db6 100644
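Review bot: `window.location.hash.substr(1)` on the switch line uses the legacy `substr`, which the language spec lists as a deprecated Annex B feature; `window.location.hash.slice(1)` is the drop-in replacement. The `$(document).ready(() => {` arrow function also works against the commit's stated goal of better backwards compatibility with older browsers, since arrow syntax is ES2015; `$(document).ready(function() {` keeps the behaviour and the compatibility. Dispatching on a fixed `switch` before building the `"." + hash_class` selector is the right shape — only the whitelisted class name ever reaches jQuery — and a short comment stating that intent, e.g. `// Only whitelisted hash values map to a class; never build the selector from the raw hash`, would keep a later edit from passing the fragment straight through. The `default:` branch logs "Unknown hashbit" for every other fragment the page is loaded with, which is noisy in production; a bare `return;` is sufficient.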
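Review bot: The new `return common.LocalError("You are not logged in", w, r, user)` replaces the handling of every error from `GetEmailsByUser`, so a genuine store failure is now reported to the user as "not logged in" and the underlying `err` is discarded without being logged anywhere. The guest case the commit describes is better tested explicitly before the lookup — the template in this same patch reads `.CurrentUser.Loggedin`, so the user type appears to expose that flag — with `if !user.Loggedin { return common.LocalError("You are not logged in", w, r, user) }` placed above the `GetEmailsByUser` call, keeping `return common.InternalError(err, w, r)` for the lookup error itself. Whether `GetEmailsByUser` actually fails for a guest or merely returns no rows is not visible here, which is a further reason to gate on the session state rather than on the error. AccountEditEmailTokenSubmit's body begins and continues outside the hunk.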
--- a/routes/profile.go
+++ b/routes/profile.go
@@ -31,7 +31,7 @@ func init() {
 func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User, header *common.Header) common.RouteError {
 // TODO: Preload this?
 header.AddSheet(header.Theme.Name + "/profile.css")
- header.LooseCSP = true
+ header.AddScript("profile_member.js")
 var err error
 var replyCreatedAt time.Time
diff --git a/templates/profile.html b/templates/profile.html
index 23b5b136..9fbdbc44 100644
--- a/templates/profile.html
+++ b/templates/profile.html
@@ -114,26 +114,4 @@
-{{if .CurrentUser.Loggedin}}
-{{/** Quick subpage switcher **/}}
-{{/** TODO: Stop inlining this **/}}
-
-{{end}}
-
-{{template "footer.html" . }}
+{{template "footer.html" . }}
\ No newline at end of file
diff --git a/themes/nox/public/main.css b/themes/nox/public/main.css
index adfbbb2f..17dc6684 100644
--- a/themes/nox/public/main.css
+++ b/themes/nox/public/main.css
@@ -1,9 +1,6 @@
-:root {
- --darkest-background: #222222;
- --second-dark-background: #292929;
- --third-dark-background: #333333;
-}
-
+{{$darkest_bg := "#222222"}}
+{{$second_dark_bg := "#292929"}}
+{{$third_dark_bg := "#333333"}}
 * {
 box-sizing: border-box;
 }
@@ -11,7 +8,7 @@ body {
 margin: 0px;
 padding: 0px;
 color: #AAAAAA;
- background-color: var(--darkest-background);
+ background-color: {{$darkest_bg}};
 font-family: "Segoe UI";
 }
 a {
@@ -20,7 +17,7 @@ a {
 }
 nav.nav {
- background: var(--darkest-background);
+ background: {{$darkest_bg}};
 width: calc(100% - 200px);
 float: left;
 }
@@ -103,7 +100,7 @@ li a {
 .right_of_nav {
 float: left;
 width: 200px;
- background-color: var(--darkest-background);
+ background-color: {{$darkest_bg}};
 padding-top: 12px;
 padding-bottom: 12px;
 padding-right: 12px;
@@ -112,7 +109,7 @@ li a {
 display: flex;
 flex-direction: row;
 border-radius: 3px;
- background-color: var(--third-dark-background);
+ background-color: {{$third_dark_bg}};
 padding-top: 11px;
 padding-bottom: 11px;
 padding-left: 12px;
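Review bot: The line `header.AddScript("profile_member.js")` replaces `header.LooseCSP = true` with no comment, so the reason the profile route can now run under the strict policy — the inline subpage switcher moved to an external file — is only recoverable from history. A one-line comment above it, `// Subpage switcher lives in profile_member.js; keep this page free of inline scripts so the strict CSP stays on`, would make that invariant visible to whoever next edits the template. Note also that the removed template block was wrapped in `{{if .CurrentUser.Loggedin}}` while the script is now added for every viewer; from the hunk alone that looks harmless, since the script only toggles `.hash_hide` visibility, but it is worth confirming nothing in the template relied on guests never receiving it. ViewProfile's body continues outside the hunk.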
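Review bot: The three `{{$darkest_bg := "#222222"}}` declarations at the top of main.css emit nothing themselves but keep their line terminators, so the rendered stylesheet starts with blank lines where `:root` used to be; trim markers in the form `{{- $darkest_bg := "#222222" -}}` on each declaration remove them. A short comment naming what the variables are for, e.g. `/* Nox palette: colours are template variables rather than CSS custom properties so they also work in browsers without var() support */`, would explain the otherwise unusual template syntax in a stylesheet. This depends on main.css being rendered through the template engine before it is served; the hunk does not show that, so it is worth confirming the theme pipeline does so. The remaining hunks in this file, from `@@ -11,7 +8,7 @@` onward, are the mechanical `var()` replacements and need nothing further.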
@@ -143,7 +140,7 @@ li a {
 clear: both;
 }
 #back {
- background: var(--third-dark-background);
+ background: {{$third_dark_bg}};
 padding: 24px;
 padding-top: 12px;
 clear: both;
@@ -1294,7 +1291,7 @@ input[type=checkbox]:checked + label .sel {
 @media(min-width: 1010px) {
 .container {
- background-color: var(--second-dark-background);
+ background-color: {{$second_dark_bg}};
 }
 #back, .footer {
 width: 1000px;