Added Content-Security-Policy header to prevent XSS attacks

add-domain.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>

domains.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>

edit-master.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>
@@ -150,7 +151,7 @@ limitations under the License.
                     <tfoot>
                         <td>New</td>
                         <td><input id="addName" type="text" class="form-control input-sm" data-regex="^([^.]+\.)*[^.]+$"></td>
-                        <td><select id="addType" class="form-control" style="width: 70%;"></select></td>
+                        <td><select id="addType" class="form-control select-narrow-70"></select></td>
                         <td><input id="addContent" type="text" class="form-control input-sm" data-regex="^.+$"></td>
                         <td><input id="addPrio" type="text" class="form-control input-sm" size="1" data-regex="^[0-9]+$"></td>
                         <td><input id="addTtl" type="text" class="form-control input-sm" size="3" data-regex="^[0-9]+$"></td>

edit-user.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>

include/custom.css

@@ -20,4 +20,6 @@
 
 .cell-vertical-bottom { vertical-align: bottom !important; }
 .cell-vertical-middle { vertical-align: middle !important; }
-.cell-vertical-top { vertical-align: top !important; }
+.cell-vertical-top { vertical-align: top !important; }
+
+.select-narrow-70 { width: 70%; }

index.php

@@ -14,6 +14,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
+<?php
+    require_once 'lib/headers.php';
+?>
 <html>
     <head>
         <title>PDNS Manager</title>

install.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     if(file_exists("config/config-user.php")) {
         Header("Location: index.php");
     }

js/edit-master.js

@@ -230,7 +230,7 @@ function editClicked() {
     
     var valueType = tableCells.eq(2).text();
     tableCells.eq(2).empty();
-    $('<select class="form-control" style="width: 70%;"></select>').appendTo(tableCells.eq(2)).select2({
+    $('<select class="form-control select-narrow-70"></select>').appendTo(tableCells.eq(2)).select2({
         data: recordTypes
     }).val(valueType).trigger("change");
    

lib/headers.php

@@ -0,0 +1,19 @@
+<?php
+
+/* 
+ * Copyright 2016 Lukas Metzger <developer@lukas-metzger.com>.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+Header("Content-Security-Policy: default-src 'self';");

logout.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
     session_destroy();
     setcookie("authSecret", "", 1, "/", "", false, true);

password.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>

users.php

@@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
     require_once 'lib/session.php';
 ?>
 <html>