Corrected issue with csp by removing eval(). Corrected issue with issue image referencing.

Author: bkraul

BBCodePlus/BBCodePlus.php

@@ -124,7 +124,6 @@ function csp_headers() {
          if ( (ON == plugin_config_get( 'process_markitup' )) && function_exists( 'http_csp_add' ) ) {
             http_csp_add( 'img-src', "*" );
             http_csp_add( 'frame-ancestors', "'self'" );
-            http_csp_add( 'script', "'self'" );
             http_csp_add( 'script-src', "'nonce-$this->t_nonceToken'");
          }
       }

BBCodePlus/files/markitup/jquery_markitup.js

@@ -220,9 +220,7 @@
 						}).bind("focusin.markItUp", function(){
                             $$.focus();
 						}).bind('mouseup', function(e) {
-							if (button.call) {
-								eval(button.call)(e); // Pass the mouseup event to custom delegate
-							}
+							if (button.call == 'preview') { preview(); }
 							setTimeout(function() { markup(button) },1);
 							return false;
 						}).bind('mouseenter.markItUp', function() {

BBCodePlus/files/markitup/sets/mantis/set.js

@@ -199,8 +199,7 @@ mySettings = {
                     list.attr("class", "bbcodeplus image-picker");
 
                     $(".bug-attachment-preview-image a img").each(function(index, value) {
-                        var imgUrl = this.src;
-                        
+                        var imgUrl = $(this).parent().prop('href');
                         var img = $("<li><a href=\"#\"><img src=\"" + imgUrl + "\"></a></li>");
                         var link = img.children('a');
                         link.click(function() {
@@ -256,4 +255,16 @@ mySettings = {
         {name:'Clean', className:"clean", replaceWith:function(markitup) { return markitup.selection.replace(/\[(.*?)\]/g, "") } },
         {name:'Preview', className:'preview',  call:'preview'},
     ]
+}
+
+function getQueryVariable(variable) {
+    var query = window.location.search.substring(1);
+    var vars = query.split('&');
+    for (var i = 0; i < vars.length; i++) {
+        var pair = vars[i].split('=');
+        if (decodeURIComponent(pair[0]) == variable) {
+            return decodeURIComponent(pair[1]);
+        }
+    }
+    console.log('Query variable %s not found', variable);
 }

README.md

@@ -29,6 +29,7 @@ If you would like to contribute to BBCode plus, please [read this guide first](h
 ### 2.1.18
 
 - Added `nonce` random token and directives for included js scripts in order to hopefully address CSP restrictions.
+- Corrected issue with referencing issue images (removed volatile token, now using only file id and type).
 
 ### 2.1.17