From 8679a8ea6bdaabb13bf36da31e187eb1d9815d90 Mon Sep 17 00:00:00 2001
From: James Tate II
Date: Wed, 8 Jul 2020 16:57:00 -0400
Subject: [PATCH 1/3] Fix path to jquery-idletimer JS file in HTML
---
 weathermap-cacti-plugin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/weathermap-cacti-plugin.php b/weathermap-cacti-plugin.php
index f71195c..81cfeaf 100644
--- a/weathermap-cacti-plugin.php
+++ b/weathermap-cacti-plugin.php
@@ -526,7 +526,7 @@ function weathermap_fullview( $cycle = FALSE, $firstonly = FALSE, $limit_to_grou
 if ( $fullscreen ) {
 print "";
 }
- print "";
+ print "";
 $extra = "";
 if ( $limit_to_group > 0 ) $extra = " in this group";
 ?>
From 8b789dac10aea23ea289f41a1da644c72905862c Mon Sep 17 00:00:00 2001
From: James Tate II
Date: Thu, 9 Jul 2020 09:53:37 -0400
Subject: [PATCH 2/3] Fix some of the archaic usages of eval() and setTimeout()
There were 87 calls to eval() which is generally considered bad practice and current Cacti CSP instructs browsers to block these calls. There were also multiple legacy-insecure calls to setTimeout() using strings instead of functions with the same security problem. In this commit, some of these insecure funciton calls have been fixed to pass the current default Cacti CSP for 'script-src' which is 'self'. This is defined in an HTTP header in Cacti version 1.2.10 at /include/global.php:409
---
 overlib.js | 64 +++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 44 insertions(+), 20 deletions(-)
diff --git a/overlib.js b/overlib.js
index b0ca8ac..d88f1a7 100644
--- a/overlib.js
+++ b/overlib.js
@@ -327,7 +327,8 @@ function overlib() {
 if (o3_delay == 0) {
 return runHook("olMain", FREPLACE);
 } else {
- o3_delayid = setTimeout("runHook('olMain', FREPLACE)", o3_delay);
+ // o3_delayid = setTimeout("runHook('olMain', FREPLACE)", o3_delay);
+ o3_delayid = setTimeout(runHook, o3_delay, 'olMain', FREPLACE);
 return false;
 }
 }
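Review bot: `o3_delayid = setTimeout(runHook, o3_delay, 'olMain', FREPLACE);` relies on setTimeout forwarding extra arguments to the callback, which IE9 and earlier never supported, and this file still branches on olNs4/olNs6 browser flags in later hunks, so its compatibility floor appears to be lower than that; a closure keeps the CSP benefit and works in every engine: `o3_delayid = setTimeout(function () { runHook('olMain', FREPLACE); }, o3_delay);`. The commented-out old line kept above the replacement should be deleted rather than left in; git history already holds it and this library is loaded on every page that shows a map. overlib() begins and ends outside this hunk.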
@@ -522,7 +523,8 @@ function disp(statustext) {
 if (o3_allowmove == 0) {
 runHook("placeLayer", FREPLACE);
- (olNs6&&olShowId<0) ? olShowId=setTimeout("runHook('showObject', FREPLACE, over)", 1) : runHook("showObject", FREPLACE, over);
+ // (olNs6&&olShowId<0) ? olShowId=setTimeout("runHook('showObject', FREPLACE, over)", 1) : runHook("showObject", FREPLACE, over);
+ (olNs6&&olShowId<0) ? olShowId=setTimeout(runHook, 1 ,'showObject', FREPLACE, over) : runHook("showObject", FREPLACE, over);
 o3_allowmove = (o3_sticky || o3_followmouse==0) ? 0 : 1;
 }
@@ -688,8 +690,10 @@ function parseTokens(pf, ar) {
 if (ar[i]==STICKY) { if (pf!='ol_') eval(pf+'sticky=1'); continue; }
 if (ar[i]==BACKGROUND) { eval(pf+'background="'+ar[++i]+'"'); continue; }
 if (ar[i]==NOCLOSE) { if (pf!='ol_') opt_NOCLOSE(); continue; }
- if (ar[i]==CAPTION) { eval(pf+"cap='"+escSglQuote(ar[++i])+"'"); continue; }
- if (ar[i]==CENTER || ar[i]==LEFT || ar[i]==RIGHT) { eval(pf+'hpos='+ar[i]); if(pf!='ol_') olHautoFlag=1; continue; }
+ // if (ar[i]==CAPTION) { eval(pf+"cap='"+escSglQuote(ar[++i])+"'"); continue; }
+ if (ar[i]==CAPTION) { window[pf+"cap"]=escSglQuote(ar[++i]); continue; }
+ // if (ar[i]==CENTER || ar[i]==LEFT || ar[i]==RIGHT) { eval(pf+'hpos='+ar[i]); if(pf!='ol_') olHautoFlag=1; continue; }
+ if (ar[i]==CENTER || ar[i]==LEFT || ar[i]==RIGHT) { window[pf+'hpos']=ar[i]; if(pf!='ol_') olHautoFlag=1; continue; }
 if (ar[i]==OFFSETX) { eval(pf+'offsetx='+ar[++i]); continue; }
 if (ar[i]==OFFSETY) { eval(pf+'offsety='+ar[++i]); continue; }
 if (ar[i]==FGCOLOR) { eval(pf+'fgcolor="'+ar[++i]+'"'); continue; }
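Review bot: In `olShowId=setTimeout(runHook, 1 ,'showObject', FREPLACE, over)` the value of `over` is captured when the timer is armed, whereas the old string form read it when the timer fired; if `over` can be reassigned between disp() and the callback (not visible from this hunk), a closure preserves the old timing and also avoids the extra-argument setTimeout signature that older IE lacks: `olShowId=setTimeout(function () { runHook('showObject', FREPLACE, over); }, 1)`. The commented-out original line should be removed. disp() starts and ends outside this hunk.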
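Review bot: `window[pf+"cap"]=escSglQuote(ar[++i]);` stores the escaped form of the caption. With eval, the backslashes that escSglQuote adds (assuming, from its name and the old `"cap='"+...+"'"` quoting, that it backslash-escapes single quotes) were consumed by the parser and o3_cap held the original text; with direct assignment a caption like `it's` now arrives as `it\'s`, so the line should be `window[pf+"cap"]=ar[++i];`. The lines left on eval in this same hunk (BACKGROUND, OFFSETX, OFFSETY, FGCOLOR) still splice the raw token into source text, so a value containing `"` or `;` executes as code and still trips the script-src CSP the commit is meant to satisfy; converting them the same way, `window[pf+'background']=ar[++i];`, removes both problems. parseTokens() starts before and ends after this hunk.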
@@ -697,13 +701,15 @@ function parseTokens(pf, ar) {
 if (ar[i]==TEXTCOLOR) { eval(pf+'textcolor="'+ar[++i]+'"'); continue; }
 if (ar[i]==CAPCOLOR) { eval(pf+'capcolor="'+ar[++i]+'"'); continue; }
 if (ar[i]==CLOSECOLOR) { eval(pf+'closecolor="'+ar[++i]+'"'); continue; }
- if (ar[i]==WIDTH) { eval(pf+'width='+ar[++i]); continue; }
+ // if (ar[i]==WIDTH) { eval(pf+'width='+ar[++i]); continue; }
+ if (ar[i]==WIDTH) { window[pf+'width']=ar[++i]; continue; }
 if (ar[i]==BORDER) { eval(pf+'border='+ar[++i]); continue; }
 if (ar[i]==CELLPAD) { i=opt_MULTIPLEARGS(++i,ar,(pf+'cellpad')); continue; }
 if (ar[i]==STATUS) { eval(pf+"status='"+escSglQuote(ar[++i])+"'"); continue; }
 if (ar[i]==AUTOSTATUS) { eval(pf +'autostatus=('+pf+'autostatus == 1) ? 0 : 1'); continue; }
 if (ar[i]==AUTOSTATUSCAP) { eval(pf +'autostatus=('+pf+'autostatus == 2) ? 0 : 2'); continue; }
- if (ar[i]==HEIGHT) { eval(pf+'height='+pf+'aboveheight='+ar[++i]); continue; } // Same param again.
+ // if (ar[i]==HEIGHT) { eval(pf+'height='+pf+'aboveheight='+ar[++i]); continue; } // Same param again.
+ if (ar[i]==HEIGHT) { window[pf+'height']=window[pf+'aboveheight']=ar[++i]; continue; } // Same param again.
 if (ar[i]==CLOSETEXT) { eval(pf+"close='"+escSglQuote(ar[++i])+"'"); continue; }
 if (ar[i]==SNAPX) { eval(pf+'snapx='+ar[++i]); continue; }
 if (ar[i]==SNAPY) { eval(pf+'snapy='+ar[++i]); continue; }
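Review bot: STATUS and CLOSETEXT in this hunk keep the eval-plus-escSglQuote form while WIDTH and HEIGHT beside them are converted, so the function is left half-converted and the string-splicing path that motivated the commit is still there; both convert the same way and need no escape helper once eval is gone: `if (ar[i]==STATUS) { window[pf+'status']=ar[++i]; continue; }`. The AUTOSTATUS toggles can be written as `window[pf+'autostatus']=(window[pf+'autostatus'] == 1) ? 0 : 1;` (and `== 2) ? 0 : 2` for AUTOSTATUSCAP). One semantic difference to confirm: eval evaluated the WIDTH/HEIGHT token as an expression, so a string `'200'` became the number 200, whereas `window[pf+'width']=ar[++i]` stores whatever was passed; if any caller passes numeric strings and the consumer does arithmetic rather than string building, wrap the value in `Number(...)`. parseTokens() starts before and ends after this hunk.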
@@ -716,7 +722,8 @@ function parseTokens(pf, ar) {
 if (ar[i]==PADX) { eval(pf+'padxl='+ar[++i]); eval(pf+'padxr='+ar[++i]); continue; }
 if (ar[i]==PADY) { eval(pf+'padyt='+ar[++i]); eval(pf+'padyb='+ar[++i]); continue; }
 if (ar[i]==FULLHTML) { if (pf!='ol_') eval(pf+'fullhtml=1'); continue; }
- if (ar[i]==BELOW || ar[i]==ABOVE) { eval(pf+'vpos='+ar[i]); if (pf!='ol_') olVautoFlag=1; continue; }
+ // if (ar[i]==BELOW || ar[i]==ABOVE) { eval(pf+'vpos='+ar[i]); if (pf!='ol_') olVautoFlag=1; continue; }
+ if (ar[i]==BELOW || ar[i]==ABOVE) { window[pf+'vpos']=ar[i]; if (pf!='ol_') olVautoFlag=1; continue; }
 if (ar[i]==CAPICON) { eval(pf+'capicon="'+ar[++i]+'"'); continue; }
 if (ar[i]==TEXTFONT) { eval(pf+"textfont='"+escSglQuote(ar[++i])+"'"); continue; }
 if (ar[i]==CAPTIONFONT) { eval(pf+"captionfont='"+escSglQuote(ar[++i])+"'"); continue; }
@@ -726,7 +733,8 @@ function parseTokens(pf, ar) {
 if (ar[i]==CLOSESIZE) { eval(pf+'closesize="'+ar[++i]+'"'); continue; }
 if (ar[i]==TIMEOUT) { eval(pf+'timeout='+ar[++i]); continue; }
 if (ar[i]==FUNCTION) { if (pf=='ol_') { if (typeof ar[i+1]!='number') { v=ar[++i]; ol_function=(typeof v=='function' ? v : null); }} else {fnMark = 0; v = null; if (typeof ar[i+1]!='number') v = ar[++i]; opt_FUNCTION(v); } continue; }
- if (ar[i]==DELAY) { eval(pf+'delay='+ar[++i]); continue; }
+ // if (ar[i]==DELAY) { eval(pf+'delay='+ar[++i]); continue; }
+ if (ar[i]==DELAY) { window[pf+'delay']=ar[++i]; continue; }
 if (ar[i]==HAUTO) { eval(pf+'hauto=('+pf+'hauto == 0) ? 1 : 0'); continue; }
 if (ar[i]==VAUTO) { eval(pf+'vauto=('+pf+'vauto == 0) ? 1 : 0'); continue; }
 if (ar[i]==CLOSECLICK) { eval(pf +'closeclick=('+pf+'closeclick == 0) ? 1 : 0'); continue; }
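Review bot: `window[pf+'delay']=ar[++i];` is another copy of the `window[pf+name]=value` pattern now scattered through parseTokens, and every copy silently assumes the ol_/o3_ settings are `var` globals of a classic script tag; that holds today but breaks the moment overlib.js is bundled or wrapped in a module or IIFE, and the failure mode is a settings write that lands on a fresh window property nobody reads. A one-line helper keeps that assumption in one place and gives the remaining eval sites an obvious target: `function setOpt(pf, name, value) { window[pf + name] = value; }`, used as `if (ar[i]==DELAY) { setOpt(pf, 'delay', ar[++i]); continue; }`. The commented-out original lines in both hunks here should be dropped. parseTokens() starts before and ends after this hunk.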
@@ -935,8 +943,11 @@ function wrapStr(endWrap,fontSizeStr,whichString) { if (endWrap) return (hasDims&&!olNs4) ? (isClose ? '' : '') : ''; else { fontStr='o3_'+whichString+'font'; + fontStrStr = window[fontStr]; fontColor='o3_'+((whichString=='caption')? 'cap' : whichString)+'color'; - return (hasDims&&!olNs4) ? (isClose ? '' : '
') : ''; + fontColorStr = window[fontColor]; + // return (hasDims&&!olNs4) ? (isClose ? '' : '
') : ''; + return (hasDims&&!olNs4) ? (isClose ? '' : '
') : ''; } }
@@ -1307,7 +1318,8 @@ function registerCommands(cmdStr) {
 pms = pms.concat(pM);
 for (var i = 0; i< pM.length; i++) {
- eval(pM[i].toUpperCase()+'='+pmCount++);
+ // eval(pM[i].toUpperCase()+'='+pmCount++);
+ window[pM[i].toUpperCase()] = pmCount++;
 }
 }
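Review bot: the added `fontStrStr = window[fontStr];` and `fontColorStr = window[fontColor];` carry no `var`, so unless they are declared earlier in wrapStr (outside this hunk) they become implicit globals shared by every call and a ReferenceError under strict mode; declare them as `var fontStrStr = window[fontStr];` and `var fontColorStr = window[fontColor];`. The surrounding return lines cannot be checked on this page because their HTML markup was stripped in extraction; if the two values end up in markup that is later assigned via innerHTML, note that they are caller-supplied font and colour strings and nothing in this hunk escapes them. wrapStr() starts before this hunk.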
@@ -1396,34 +1408,46 @@ function runHook(fnHookTo, hookType) {
 var l = hookPts[fnHookTo], k, rtnVal = null, optPm, arS, ar = runHook.arguments;
 if (hookType == FREPLACE) {
- arS = argToString(ar, 2);
+ // arS = argToString(ar, 2);
+ // console.log(ar); myArgs = Array.prototype.slice.call(ar).slice(2);
+ // console.log(myArgs);
- if (typeof l == 'undefined' || !(l = l.ovload)) rtnVal = eval(fnHookTo+'('+arS+')');
- else rtnVal = eval('l('+arS+')');
+ // if (typeof l == 'undefined' || !(l = l.ovload)) rtnVal = eval(fnHookTo+'('+arS+')');
+ // else rtnVal = eval('l('+arS+')');
+ if (typeof l == 'undefined' || !(l = l.ovload)) rtnVal = window[fnHookTo].apply(null, myArgs);
+ else rtnVal = l.apply(null, myArgs);
 } else if (hookType == FBEFORE || hookType == FAFTER) {
 if (typeof l != 'undefined') {
 l=(hookType == 1 ? l.before : l.after);
 if (l.length) {
- arS = argToString(ar, 2);
- for (var k = 0; k < l.length; k++) eval('l[k]('+arS+')');
+ // arS = argToString(ar, 2); myArgs = Array.prototype.slice.call(ar).slice(2);
+ // for (var k = 0; k < l.length; k++) eval('l[k]('+arS+')');
+ for (var k = 0; k < l.length; k++) l[k].apply(null, myArgs);
 }
 }
 } else if (hookType == FALTERNATE) {
 optPm = ar[2];
- arS = argToString(ar, 3);
+ // arS = argToString(ar, 3); myArgs = Array.prototype.slice.call(ar).slice(3);
 if (typeof l == 'undefined' || (l = l.alt[pms[optPm-1-pmStart]]) == 'undefined') {
- rtnVal = eval(fnHookTo+'('+arS+')');
+ // rtnVal = eval(fnHookTo+'('+arS+')');
+ rtnVal = window[fnHookTo].apply(null, myArgs);
 } else {
- rtnVal = eval('l('+arS+')');
+ // rtnVal = eval('l('+arS+')');
+ rtnVal = l.apply(null, myArgs);
 }
 } else if (hookType == FCHAIN) {
- arS=argToString(ar,2);
+ // arS=argToString(ar,2); myArgs = Array.prototype.slice.call(ar).slice(2);
 l=l.chain;
- for (k=l.length; k > 0; k--) if((rtnVal=eval('l[k-1]('+arS+')'))!=void(0)) break;
+ // for (k=l.length; k > 0; k--) if((rtnVal=eval('l[k-1]('+arS+')'))!=void(0)) break;
+ for (k=l.length; k > 0; k--) 
if((rtnVal=l[k-1].apply(null, myArgs))!=void(0)) break;
 }
 return rtnVal;
From ba2a12bef80961540021ce64815cfb29eee94d0e Mon Sep 17 00:00:00 2001
From: James Tate II
Date: Thu, 9 Jul 2020 10:22:48 -0400
Subject: [PATCH 3/3] Uncomment and fix call to WMcycler.forceReload()
This is needed to make weathermap cycling work outside the full-screen mode.
---
 cacti-resources/map-cycle.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cacti-resources/map-cycle.js b/cacti-resources/map-cycle.js
index 1e69444..9d183d1 100644
--- a/cacti-resources/map-cycle.js
+++ b/cacti-resources/map-cycle.js
@@ -86,7 +86,7 @@ var WMcycler = {
 now.hide(1, function () {
 // now that we're done with it, force a reload on the image just
 // passed
- // WMcycler.forceReload();
+ WMcycler.forceReload(this);
 });
 next.show(1);
 }
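Review bot: `myArgs = Array.prototype.slice.call(ar).slice(2);` and the three other assignments to it in this hunk never declare `myArgs`, so it is an implicit global that every hook invocation overwrites and that throws a ReferenceError under strict mode; add it to the declaration on the first hunk line, which can also drop the now-unused `arS`: `var l = hookPts[fnHookTo], k, rtnVal = null, optPm, myArgs, ar = runHook.arguments;`. The double slice can be `Array.prototype.slice.call(ar, 2)`. Behaviourally, `window[fnHookTo].apply(null, myArgs)` resolves only global functions, whereas `eval(fnHookTo+'(...)')` resolved any function visible in runHook's scope; that is fine if every hook target is a top-level function, which I cannot confirm from the hunk, and a missing target now fails as a TypeError on `undefined.apply` rather than a ReferenceError. The leftover `// console.log(...)` lines and commented-out eval lines should be removed. runHook() continues past the end of this hunk.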
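Review bot: inside the jQuery `hide` completion callback `this` is the raw DOM element, not the jQuery object, so `WMcycler.forceReload(this);` passes something different from `now` (the jQuery wrapper `hide` was called on, visible two lines up); which of the two forceReload expects is not visible here, so confirm against its definition and, if it uses jQuery methods on its argument, call `WMcycler.forceReload(now);` instead. The object literal `var WMcycler = {` begins before this hunk.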