Fix UI CSP interactions and media sizing

Author: SecAI-Hub

services/ui/ui/app.py

@@ -168,7 +168,9 @@ def add_security_headers(response):
     response.headers["Content-Security-Policy"] = (
         "default-src 'self'; "
         f"script-src 'self' 'nonce-{nonce}'; "
-        f"style-src 'self' 'nonce-{nonce}' 'unsafe-inline'; "
+        "style-src 'self' 'unsafe-inline'; "
+        f"style-src-elem 'self' 'nonce-{nonce}'; "
+        "style-src-attr 'unsafe-inline'; "
         "img-src 'self' data:; "
         "media-src 'self' data:; "
         "font-src 'self'; "

services/ui/ui/templates/base.html

@@ -6,7 +6,7 @@
     <meta name="referrer" content="no-referrer">
     <meta name="csrf-token" content="{{ csrf_token }}">
     <title>{% block title %}SecAI OS{% endblock %}</title>
-    <style>
+    <style nonce="{{ csp_nonce }}">
         /* -- Reset & Variables -- */
         :root {
             --bg: #0f1117;
@@ -41,6 +41,15 @@
             overflow: hidden;
             display: flex;
         }
+        img,
+        video,
+        canvas {
+            max-width: 100%;
+            height: auto;
+        }
+        svg {
+            flex-shrink: 0;
+        }
 
         /* -- Sidebar -- */
         .sidebar {
@@ -596,7 +605,7 @@
     <main class="main">
         <header class="topbar">
             <div class="topbar-left">
-                <button class="mobile-toggle" onclick="document.getElementById('sidebar').classList.toggle('open')">
+                <button class="mobile-toggle" id="mobile-toggle" type="button" aria-label="Toggle navigation">
                     <svg viewBox="0 0 24 24" width="18" height="18" fill="none" stroke="currentColor" stroke-width="2"><line x1="3" y1="12" x2="21" y2="12"/><line x1="3" y1="6" x2="21" y2="6"/><line x1="3" y1="18" x2="21" y2="18"/></svg>
                 </button>
                 <h1>{% block page_title %}{% endblock %}</h1>
@@ -622,8 +631,8 @@ <h1>{% block page_title %}{% endblock %}</h1>
             <h3 id="modal-title"></h3>
             <p id="modal-body"></p>
             <div class="modal-actions">
-                <button class="btn" id="modal-cancel" onclick="closeModal(false)">Cancel</button>
-                <button class="btn btn-danger" id="modal-confirm" onclick="closeModal(true)">Confirm</button>
+                <button class="btn" id="modal-cancel" type="button">Cancel</button>
+                <button class="btn btn-danger" id="modal-confirm" type="button">Confirm</button>
             </div>
         </div>
     </div>
@@ -679,6 +688,16 @@ <h3 id="modal-title"></h3>
             document.getElementById('modal-overlay').classList.add('hidden');
             if (_modalResolve) { _modalResolve(result); _modalResolve = null; }
         }
+        document.getElementById('mobile-toggle').addEventListener('click', function(e) {
+            e.stopPropagation();
+            document.getElementById('sidebar').classList.toggle('open');
+        });
+        document.getElementById('modal-cancel').addEventListener('click', function() {
+            closeModal(false);
+        });
+        document.getElementById('modal-confirm').addEventListener('click', function() {
+            closeModal(true);
+        });
         document.getElementById('modal-overlay').addEventListener('click', function(e) {
             if (e.target === e.currentTarget) closeModal(false);
         });

services/ui/ui/templates/generate.html

@@ -2,12 +2,30 @@
 {% block title %}SecAI OS - Generate{% endblock %}
 {% block page_title %}Image & Video Generation{% endblock %}
 {% block content_class %}content-wide{% endblock %}
+{% block extra_css %}
+<style nonce="{{ csp_nonce }}">
+    .generation-result {
+        margin-top: 1.5rem;
+        text-align: center;
+    }
+    .generated-media {
+        display: block;
+        max-width: min(100%, 640px);
+        max-height: 60vh;
+        width: auto;
+        height: auto;
+        margin: 0 auto 1rem;
+        border-radius: var(--radius-lg);
+        object-fit: contain;
+    }
+</style>
+{% endblock %}
 
 {% block content %}
 <div class="tabs">
-    <button class="tab active" onclick="switchTab('image', this)">Text to Image</button>
-    <button class="tab" onclick="switchTab('video', this)">Text to Video</button>
-    <button class="tab" onclick="switchTab('img2img', this)">Image to Image</button>
+    <button class="tab active" type="button" data-tab="image">Text to Image</button>
+    <button class="tab" type="button" data-tab="video">Text to Video</button>
+    <button class="tab" type="button" data-tab="img2img">Image to Image</button>
 </div>
 
 <div id="panel-image">
@@ -25,7 +43,7 @@
         <div class="form-group"><label class="form-label">Steps</label><input class="form-input" id="img-steps" type="number" value="30"></div>
         <div class="form-group"><label class="form-label">Seed</label><input class="form-input" id="img-seed" type="number" placeholder="Random"></div>
     </div>
-    <button class="btn btn-primary btn-lg" id="btn-image" onclick="generateImage()">Generate Image</button>
+    <button class="btn btn-primary btn-lg" id="btn-image" type="button">Generate Image</button>
 </div>
 
 <div id="panel-video" class="hidden">
@@ -39,7 +57,7 @@
         <div class="form-group"><label class="form-label">Frames</label><input class="form-input" id="vid-frames" type="number" value="25"></div>
         <div class="form-group"><label class="form-label">Steps</label><input class="form-input" id="vid-steps" type="number" value="25"></div>
     </div>
-    <button class="btn btn-primary btn-lg" id="btn-video" onclick="generateVideo()">Generate Video</button>
+    <button class="btn btn-primary btn-lg" id="btn-video" type="button">Generate Video</button>
 </div>
 
 <div id="panel-img2img" class="hidden">
@@ -55,10 +73,10 @@
         <div class="form-group"><label class="form-label">Strength</label><input class="form-input" id="i2i-strength" type="number" value="0.75" step="0.05" min="0" max="1"></div>
         <div class="form-group"><label class="form-label">Steps</label><input class="form-input" id="i2i-steps" type="number" value="30"></div>
     </div>
-    <button class="btn btn-primary btn-lg" id="btn-img2img" onclick="generateImg2Img()">Generate</button>
+    <button class="btn btn-primary btn-lg" id="btn-img2img" type="button">Generate</button>
 </div>
 
-<div id="result" style="margin-top:1.5rem;text-align:center"></div>
+<div id="result" class="generation-result"></div>
 <div id="gen-status" class="hidden" style="margin-top:1rem;padding:1rem;background:var(--surface);border:1px solid var(--border);border-radius:var(--radius);font-size:0.85rem;color:var(--text-muted)"></div>
 {% endblock %}
 
@@ -99,7 +117,7 @@
             if (data.error) { showGenStatus('Error: ' + data.error); return; }
             var html = '';
             (data.images || []).forEach(function(b64) {
-                html += '<img src="data:image/png;base64,' + b64 + '" style="max-width:100%;border-radius:var(--radius-lg);margin-bottom:1rem">';
+                html += '<img class="generated-media" src="data:image/png;base64,' + b64 + '" alt="Generated image">';
             });
             document.getElementById('result').innerHTML = html;
             showGenStatus('Generated in ' + data.elapsed_seconds + 's');
@@ -126,7 +144,7 @@
             var data = await resp.json();
             if (data.error) { showGenStatus('Error: ' + data.error); return; }
             document.getElementById('result').innerHTML =
-                '<video controls autoplay style="max-width:100%;border-radius:var(--radius-lg)"><source src="data:video/mp4;base64,' + data.video + '" type="video/mp4"></video>';
+                '<video class="generated-media" controls autoplay><source src="data:video/mp4;base64,' + data.video + '" type="video/mp4"></video>';
             showGenStatus('Generated in ' + data.elapsed_seconds + 's');
         } catch(e) { showGenStatus('Error: ' + e.message); }
         finally { btn.disabled = false; }
@@ -155,12 +173,21 @@
                 var data = await resp.json();
                 if (data.error) { showGenStatus('Error: ' + data.error); return; }
                 document.getElementById('result').innerHTML =
-                    '<img src="data:image/png;base64,' + data.image + '" style="max-width:100%;border-radius:var(--radius-lg)">';
+                    '<img class="generated-media" src="data:image/png;base64,' + data.image + '" alt="Generated image">';
                 showGenStatus('Generated in ' + data.elapsed_seconds + 's');
             } catch(e) { showGenStatus('Error: ' + e.message); }
             finally { btn.disabled = false; }
         };
         reader.readAsDataURL(file);
     }
+
+    document.querySelectorAll('.tab[data-tab]').forEach(function(button) {
+        button.addEventListener('click', function() {
+            switchTab(button.getAttribute('data-tab'), button);
+        });
+    });
+    document.getElementById('btn-image').addEventListener('click', generateImage);
+    document.getElementById('btn-video').addEventListener('click', generateVideo);
+    document.getElementById('btn-img2img').addEventListener('click', generateImg2Img);
 </script>
 {% endblock %}

services/ui/ui/templates/index.html

@@ -3,7 +3,7 @@
 {% block page_title %}Chat{% endblock %}
 
 {% block extra_css %}
-<style>
+<style nonce="{{ csp_nonce }}">
     .content { padding: 0 !important; display: flex; flex-direction: column; }
     .chat-container {
         flex: 1;
@@ -116,11 +116,11 @@ <h3>Local-first. Private by default.</h3>
     </div>
 </div>
 <div class="chat-input-area">
-    <button class="btn btn-sm" id="search-toggle" onclick="toggleSearch()" title="Toggle web search (Tor-routed)" style="min-height:44px;padding:0 0.65rem;opacity:0.4">
+    <button class="btn btn-sm" id="search-toggle" type="button" title="Toggle web search (Tor-routed)" style="min-height:44px;padding:0 0.65rem;opacity:0.4">
         <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="11" cy="11" r="8"/><line x1="21" y1="21" x2="16.65" y2="16.65"/></svg>
     </button>
     <textarea id="user-input" rows="1" placeholder="Type a message... (Enter to send, Shift+Enter for newline)" autofocus></textarea>
-    <button class="btn btn-primary" id="send-btn" onclick="sendMessage()">Send</button>
+    <button class="btn btn-primary" id="send-btn" type="button">Send</button>
 </div>
 {% endblock %}
 
@@ -184,6 +184,8 @@ <h3>Local-first. Private by default.</h3>
         userInput.style.height = 'auto';
         userInput.style.height = Math.min(userInput.scrollHeight, 160) + 'px';
     });
+    searchToggle.addEventListener('click', toggleSearch);
+    sendBtn.addEventListener('click', sendMessage);
 
     async function sendMessage() {
         var text = userInput.value.trim();

services/ui/ui/templates/login.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="referrer" content="no-referrer">
     <title>SecAI OS - Login</title>
-    <style>
+    <style nonce="{{ csp_nonce }}">
         :root {
             --bg: #0f1117;
             --surface: #1a1b26;
@@ -144,7 +144,7 @@ <h1 id="title">Unlock Appliance</h1>
 
             <div class="error-msg" id="error-msg"></div>
 
-            <form id="auth-form" onsubmit="handleSubmit(event)">
+            <form id="auth-form">
                 <div class="form-group">
                     <label class="form-label" for="passphrase">Passphrase</label>
                     <input class="form-input" type="password" id="passphrase" name="passphrase"
@@ -265,6 +265,7 @@ <h1 id="title">Unlock Appliance</h1>
             }
         }
 
+        document.getElementById('auth-form').addEventListener('submit', handleSubmit);
         checkSetup();
     </script>
 </body>

services/ui/ui/templates/models.html

@@ -9,7 +9,7 @@
 <div id="integrity-banner" class="alert alert-info mb-lg">
     <span class="status-dot gray" id="integrity-dot" style="width:8px;height:8px"></span>
     <span id="integrity-text">Checking model integrity...</span>
-    <button class="btn btn-sm" id="verify-all-btn" onclick="verifyAll()" style="margin-left:auto">Verify All</button>
+    <button class="btn btn-sm" id="verify-all-btn" type="button" style="margin-left:auto">Verify All</button>
 </div>
 
 <div class="section-title">Model Catalog</div>
@@ -19,7 +19,7 @@
 </div>
 
 <div class="section-title">Import Model</div>
-<div class="upload-zone" id="upload-zone" onclick="document.getElementById('file-input').click()">
+<div class="upload-zone" id="upload-zone" role="button" tabindex="0">
     <p style="font-size:0.9rem;margin-bottom:0.35rem">Drag and drop a model file here</p>
     <p style="font-size:0.8rem">.gguf or .safetensors &mdash; or click to browse</p>
     <input type="file" id="file-input" accept=".gguf,.safetensors">
@@ -126,7 +126,7 @@
                 }
                 var manifestBtn = '';
                 if (m.gguf_guard_manifest) {
-                    manifestBtn = '<button class="btn btn-sm btn-accent" onclick="verifyManifest(\'' + esc(m.name) + '\')">Verify Tensors</button>';
+                    manifestBtn = '<button class="btn btn-sm btn-accent" type="button" data-action="verify-manifest" data-name="' + encodeURIComponent(m.name) + '">Verify Tensors</button>';
                 }
                 return '<div class="card">' +
                     '<div class="card-header">' +
@@ -140,9 +140,9 @@
                     '</div>' +
                     guardInfo +
                     '<div class="btn-group mt-md">' +
-                        '<button class="btn btn-sm btn-success" onclick="verifyModel(\'' + esc(m.name) + '\')">Verify Hash</button>' +
+                        '<button class="btn btn-sm btn-success" type="button" data-action="verify-model" data-name="' + encodeURIComponent(m.name) + '">Verify Hash</button>' +
                         manifestBtn +
-                        '<button class="btn btn-sm btn-danger" onclick="deleteModel(\'' + esc(m.name) + '\')">Delete</button>' +
+                        '<button class="btn btn-sm btn-danger" type="button" data-action="delete-model" data-name="' + encodeURIComponent(m.name) + '">Delete</button>' +
                     '</div>' +
                 '</div>';
             }).join('');
@@ -315,9 +315,9 @@
                     btnHtml = '<span class="badge badge-warning">Scanning...</span>';
                 } else if (dl && dl.status === 'failed') {
                     btnHtml = '<span class="badge badge-danger">Failed</span>' +
-                        '<button class="btn btn-sm" onclick="downloadCatalogModel(\'' + esc(m.url) + '\',\'' + esc(m.filename) + '\',\'' + esc(m.type) + '\')">Retry</button>';
+                        '<button class="btn btn-sm" type="button" data-action="catalog-download" data-url="' + encodeURIComponent(m.url) + '" data-filename="' + encodeURIComponent(m.filename) + '" data-type="' + encodeURIComponent(m.type) + '">Retry</button>';
                 } else {
-                    btnHtml = '<button class="btn btn-sm btn-primary" onclick="downloadCatalogModel(\'' + esc(m.url) + '\',\'' + esc(m.filename) + '\',\'' + esc(m.type) + '\')">Download</button>';
+                    btnHtml = '<button class="btn btn-sm btn-primary" type="button" data-action="catalog-download" data-url="' + encodeURIComponent(m.url) + '" data-filename="' + encodeURIComponent(m.filename) + '" data-type="' + encodeURIComponent(m.type) + '">Download</button>';
                 }
 
                 return '<div class="card">' +
@@ -365,6 +365,34 @@
         }
     }
 
+    document.getElementById('verify-all-btn').addEventListener('click', verifyAll);
+    uploadZone.addEventListener('click', function() {
+        fileInput.click();
+    });
+    uploadZone.addEventListener('keydown', function(e) {
+        if (e.key === 'Enter' || e.key === ' ') {
+            e.preventDefault();
+            fileInput.click();
+        }
+    });
+    document.getElementById('models-list').addEventListener('click', function(e) {
+        var target = e.target.closest('[data-action]');
+        if (!target) return;
+        var name = decodeURIComponent(target.getAttribute('data-name') || '');
+        if (target.getAttribute('data-action') === 'verify-model') verifyModel(name);
+        if (target.getAttribute('data-action') === 'verify-manifest') verifyManifest(name);
+        if (target.getAttribute('data-action') === 'delete-model') deleteModel(name);
+    });
+    document.getElementById('catalog-list').addEventListener('click', function(e) {
+        var target = e.target.closest('[data-action="catalog-download"]');
+        if (!target) return;
+        downloadCatalogModel(
+            decodeURIComponent(target.getAttribute('data-url') || ''),
+            decodeURIComponent(target.getAttribute('data-filename') || ''),
+            decodeURIComponent(target.getAttribute('data-type') || '')
+        );
+    });
+
     function refreshAll() { loadModels(); loadQuarantine(); loadIntegrityStatus(); loadCatalog(); }
     refreshAll();
     setInterval(refreshAll, 10000);

services/ui/ui/templates/security.html

@@ -99,7 +99,7 @@
 <div class="card">
     <div class="card-header">
         <span class="card-title">Hash-Chained Audit Logs</span>
-        <button class="btn btn-sm" onclick="verifyAudit()">Verify Now</button>
+        <button class="btn btn-sm" id="verify-audit-btn" type="button">Verify Now</button>
     </div>
     <p class="meta" id="audit-detail">Loading audit status...</p>
 </div>
@@ -141,7 +141,7 @@
         <span class="card-title">Forensic Export</span>
     </div>
     <p class="meta mb-md">Download a signed forensic bundle containing all incidents, audit log entries, system state, and policy digest for offline analysis or external audit.</p>
-    <button class="btn btn-sm" onclick="downloadForensicBundle()">Download Bundle</button>
+    <button class="btn btn-sm" id="download-forensic-btn" type="button">Download Bundle</button>
 </div>
 
 <!-- Emergency Controls -->
@@ -156,9 +156,9 @@
     </div>
     <p class="meta mb-md" id="panic-detail">System operating normally.</p>
     <div class="btn-group">
-        <button class="btn btn-warning btn-sm" onclick="triggerPanic(1)">Level 1: Lock</button>
-        <button class="btn btn-danger btn-sm" onclick="triggerPanic(2)">Level 2: Shred Keys</button>
-        <button class="btn btn-danger btn-sm" onclick="triggerPanic(3)">Level 3: Wipe All</button>
+        <button class="btn btn-warning btn-sm" type="button" data-panic-level="1">Level 1: Lock</button>
+        <button class="btn btn-danger btn-sm" type="button" data-panic-level="2">Level 2: Shred Keys</button>
+        <button class="btn btn-danger btn-sm" type="button" data-panic-level="3">Level 3: Wipe All</button>
     </div>
     <p class="form-hint mt-sm">Level 1 is reversible. Levels 2-3 require passphrase and are irreversible.</p>
 </div>
@@ -589,6 +589,14 @@
         }
     }
 
+    document.getElementById('verify-audit-btn').addEventListener('click', verifyAudit);
+    document.getElementById('download-forensic-btn').addEventListener('click', downloadForensicBundle);
+    document.querySelectorAll('[data-panic-level]').forEach(function(button) {
+        button.addEventListener('click', function() {
+            triggerPanic(parseInt(button.getAttribute('data-panic-level'), 10));
+        });
+    });
+
     /* Load all sections */
     loadApplianceState();
     loadServiceHealth();