From 024431808e688b7daa6c40dd956ec9f015499513 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Sat, 4 Apr 2020 16:57:24 -0400
Subject: [PATCH 1/2] fix onchange to data-on-change-this in
 width,height,scale, layout dropdowns

---
 web/skins/classic/views/montage.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/web/skins/classic/views/montage.php b/web/skins/classic/views/montage.php
index 0009b9929..9bb394db2 100644
--- a/web/skins/classic/views/montage.php
+++ b/web/skins/classic/views/montage.php
@@ -176,19 +176,19 @@ if ( $showZones ) {
 
           <span id="widthControl">
             <label><?php echo translate('Width') ?></label>
-            <?php echo htmlSelect('width', $widths, $options['width'], 'changeSize(this);'); ?>
+            <?php echo htmlSelect('width', $widths, $options['width'], array('data-on-change-this'=>'changeSize')); ?>
           </span>
           <span id="heightControl">
             <label><?php echo translate('Height') ?></label>
-            <?php echo htmlSelect('height', $heights, $options['height'], 'changeSize(this);'); ?>
+            <?php echo htmlSelect('height', $heights, $options['height'], array('data-on-change-this'=>'changeSize')); ?>
           </span>
           <span id="scaleControl">
             <label><?php echo translate('Scale') ?></label>
-            <?php echo htmlSelect('scale', $scales, $scale, 'changeScale(this);'); ?>
+            <?php echo htmlSelect('scale', $scales, $scale, array('data-on-change-this'=>'changeScale')); ?>
           </span> 
           <span id="layoutControl">
             <label for="layout"><?php echo translate('Layout') ?></label>
-            <?php echo htmlSelect('zmMontageLayout', $layoutsById, $layout_id, array('onchange'=>'selectLayout(this);')); ?>
+            <?php echo htmlSelect('zmMontageLayout', $layoutsById, $layout_id, array('data-on-change-this'=>'selectLayout')); ?>
           </span>
           <input type="hidden" name="Positions"/>
           <button type="button" id="EditLayout" data-on-click-this="edit_layout"><?php echo translate('EditLayout') ?></button>

From 210d380029a03b38e93342fe04a271152f5ea397 Mon Sep 17 00:00:00 2001
From: Isaac Connor <isaac@zoneminder.com>
Date: Sat, 4 Apr 2020 16:57:52 -0400
Subject: [PATCH 2/2] CSP must include all Servers.

---
 web/includes/functions.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/web/includes/functions.php b/web/includes/functions.php
index 537a9fa8e..e8adbdb5c 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -36,14 +36,18 @@ function noCacheHeaders() {
 }
 
 function CSPHeaders($view, $nonce) {
-  $additionalScriptSrc = '';
+  global $Servers;
+  if ( ! $Servers )
+    $Servers = ZM\Server::find();
+
+  $additionalScriptSrc = implode(' ', array_map(function($S){return $S->Url();}, $Servers));
   switch ($view) {
     case 'login': {
       if (defined('ZM_OPT_USE_GOOG_RECAPTCHA')
           && defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
           && defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
           && ZM_OPT_USE_GOOG_RECAPTCHA && ZM_OPT_GOOG_RECAPTCHA_SITEKEY && ZM_OPT_GOOG_RECAPTCHA_SECRETKEY) {
-        $additionalScriptSrc = "https://www.google.com";
+        $additionalScriptSrc .= ' https://www.google.com';
       }
       // fall through
     }
@@ -92,7 +96,9 @@ function CORSHeaders() {
 
 # The following is left for future reference/use.
     $valid = false;
-    $Servers = ZM\Server::find();
+    global $Servers;
+    if ( ! $Servers )
+      $Servers = ZM\Server::find();
     if ( sizeof($Servers) < 1 ) {
 # Only need CORSHeaders in the event that there are multiple servers in use.
       # ICON: Might not be true. multi-port?
@@ -2172,7 +2178,7 @@ function ajaxError($message, $code=HTTP_STATUS_OK) {
     ajaxCleanup();
   if ( $code == HTTP_STATUS_OK ) {
     $response = array('result'=>'Error', 'message'=>$message);
-    header('Content-type: text/plain');
+    header('Content-type: application/json');
     exit(jsonEncode($response));
   }
   header("HTTP/1.0 $code $message");
@@ -2188,7 +2194,7 @@ function ajaxResponse($result=false) {
   } else if ( !empty($result) ) {
     $response['message'] = $result;
   }
-  header('Content-type: text/plain');
+  header('Content-type: application/json');
   exit(jsonEncode($response));
 }