From 5b0b30d69c5794178f8bcdaa0b58642cb9bf8592 Mon Sep 17 00:00:00 2001 From: Tanishq Dubey Date: Sun, 8 Dec 2024 18:03:44 -0500 Subject: [PATCH] Fix CSP Error Getting rid of inline onclick calls and registering the handler in the primary script ensures security (XSS). --- templates/admin.html | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/templates/admin.html b/templates/admin.html index 739ddc0..2feb59d 100644 --- a/templates/admin.html +++ b/templates/admin.html @@ -203,8 +203,8 @@ {{ photo.iso }} {{ photo.width }}x{{ photo.height }} - - + + {% endfor %} @@ -241,8 +241,11 @@
- - + +
+ Profile + +
@@ -335,11 +338,38 @@ } } + document.getElementById('delete-btn').addEventListener('click', deletePhoto); + document.getElementById('save-btn').addEventListener('click', saveChanges); + + document.getElementById('profile_image_upload').addEventListener('change', async (e) => { + const file = e.target.files[0]; + if (!file) return; + + const formData = new FormData(); + formData.append('profile_image', file); + + try { + const response = await fetch('/admin/upload_profile', { + method: 'POST', + body: formData + }); + + const result = await response.json(); + if (result.success) { + document.getElementById('profile-preview').src = '/static/profile.jpeg?' + new Date().getTime(); + } else { + alert('Error uploading profile image: ' + result.error); + } + } catch (error) { + alert('Error uploading profile image: ' + error); + } + }); + document.getElementById('configForm').addEventListener('submit', async (e) => { e.preventDefault(); const formData = {}; - const inputs = e.target.querySelectorAll('input, textarea'); + const inputs = e.target.querySelectorAll('input:not([type="file"]), textarea'); inputs.forEach(input => { formData[input.name] = input.value;
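Review bot: The new `profile_image_upload` change handler calls `response.json()` without first checking `response.ok`, so a non-JSON error response from `/admin/upload_profile` (an auth redirect or a size-limit page, for instance) only reaches the user as a JSON parse error from the catch branch. A guard such as `if (!response.ok) throw new Error('HTTP ' + response.status);` before the `response.json()` call would report the real failure. The `fetch` also sends no anti-CSRF header or form field; if the admin session is cookie-based and the app uses CSRF tokens, this state-changing POST should carry one, which the hunk does not show. The type and size of the uploaded file have to be enforced by the server in any case, since it is then served from `/static/profile.jpeg`. The `configForm` submit handler at the end of the hunk continues beyond the visible lines.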