Description: Enhance privacy and security on external resources
 The help tab now shows a warning before opening external resources in iframes.
 These iframe resources are now sandboxed.
Forwarded: no
Author: Jean-Michel Vourgère <nirgal@debian.org>
Last-Update: 2015-08-13

Index: ocsinventory-server/ocsreports/plugins/main_sections/ms_help/ms_help.php
===================================================================
--- ocsinventory-server.orig/ocsreports/plugins/main_sections/ms_help/ms_help.php
+++ ocsinventory-server/ocsreports/plugins/main_sections/ms_help/ms_help.php
@@ -18,29 +18,34 @@ $protectedPost['onglet']=$protectedGet['
 
 
 if ($protectedPost['onglet'] == "" or !isset($protectedPost['onglet']))
-$protectedPost['onglet']=1;
+$protectedPost['onglet']=0;
 
 $form_name="help";
 
-if ($protectedPost['onglet'] == "" or !isset($protectedPost['onglet']))
-$protectedPost['onglet']=1;
 //d�finition des onglets
 //$data_on['ABOUT']='A propos';
 
 echo open_form($form_name);
 onglet($data_on,$form_name,"onglet",7);
 echo '<div class="mlt_bordure" >';
-if ($protectedPost['onglet'] == 2){
-	echo "<iframe width=\"647\" height=\"400\" src=\"http://webchat.freenode.net/?channels=ocsinventory-ng&uio=d4\">
+if ($protectedPost['onglet'] == 0){
+	echo "<div>
+		<p>This page contains external ressources:
+		<p>Using it may cause disclosure of this server address, the presence of OcsInventory software, and the address to access it, to freenode.net, ocsinventory-ng.org, and factorfx.com. This information will be sent over unencrypted connections.
+		<p>Click in a tab above to proceed.
+		<p>-- Your friendly and paranoid deb packager.
+		</div>";
+}elseif ($protectedPost['onglet'] == 2){
+	echo "<iframe width=\"647\" height=\"400\" src=\"http://webchat.freenode.net/?channels=ocsinventory-ng&uio=d4\" sandbox=\"allow-forms allow-same-origin allow-scripts\">
 		</iframe>";
 }elseif($protectedPost['onglet'] == 1){
-	echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://wiki.ocsinventory-ng.org\">
+	echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://wiki.ocsinventory-ng.org\" sandbox=\"allow-forms allow-same-origin allow-scripts\">
 	</iframe>";
 }elseif($protectedPost['onglet'] == 3){
-		echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://forums.ocsinventory-ng.org\">
+		echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://forums.ocsinventory-ng.org\" sandbox=\"allow-forms allow-same-origin allow-scripts\">
 	</iframe>";
 }elseif($protectedPost['onglet'] == 4){
-		echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://ocsinventory-ng.factorfx.com\">
+		echo "<iframe  width=\"100%\" height=\"100%\" src=\"http://ocsinventory-ng.factorfx.com\" sandbox=\"allow-forms allow-same-origin allow-scripts\">
 	</iframe>";
 }
 echo "</div>";
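Review bot: The sandbox attribute added to the four iframes does not address the disclosure the new warning text describes: the server address still reaches freenode.net, ocsinventory-ng.org and factorfx.com through the Referer header of each frame load, because `allow-same-origin allow-scripts allow-forms` only strips top-navigation, popups and plugins from the framed page (and on cross-origin content like these, `allow-same-origin` simply lets the remote page keep its own origin). A referrer policy on each frame would close that channel, e.g. for the first iframe: `sandbox="allow-forms allow-same-origin allow-scripts" referrerpolicy="no-referrer">`, applied identically to the other three. The "unencrypted connections" claim in the warning could likewise be retired by switching the hard-coded `http://` URLs to `https://` where those hosts serve it — I cannot confirm from the patch which of them do, so that needs checking before changing. Note also the user-facing string at the top of the warning div says "ressources"; the text reaches the browser verbatim, so the typo should be "resources".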
