Index: openacs-4/packages/xowiki/xowiki.info =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/xowiki.info,v diff -u -r1.153.2.16 -r1.153.2.17 --- openacs-4/packages/xowiki/xowiki.info 5 Jul 2016 15:46:07 -0000 1.153.2.16 +++ openacs-4/packages/xowiki/xowiki.info 8 Sep 2016 09:45:18 -0000 1.153.2.17 @@ -10,10 +10,10 @@ t xowiki - + Gustaf Neumann A xotcl-based enterprise wiki system with multiple object types - 2015-10-04 + 2016-09-08 WU Vienna <pre> XoWiki is a Wiki implementation for OpenACS in XOTcl. Instead of @@ -55,10 +55,10 @@ BSD-Style 2 - + - + Index: openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl,v diff -u -r1.3.2.8 -r1.3.2.9 --- openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl 25 May 2016 19:33:46 -0000 1.3.2.8 +++ openacs-4/packages/xowiki/tcl/bootstrap-procs.tcl 8 Sep 2016 09:45:18 -0000 1.3.2.9 @@ -453,6 +453,9 @@ BootstrapTableRenderer instproc render {} { ::xo::Page requireCSS "//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" + security::csp::require style-src netdna.bootstrapcdn.com + security::csp::require font-src netdna.bootstrapcdn.com + if {![my isobject [self]::__actions]} {my actions {}} if {![my isobject [self]::__bulkactions]} {my __bulkactions {}} set bulkactions [[self]::__bulkactions children] Index: openacs-4/packages/xowiki/tcl/form-field-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/form-field-procs.tcl,v diff -u -r1.248.2.25 -r1.248.2.26 --- openacs-4/packages/xowiki/tcl/form-field-procs.tcl 1 Sep 2016 12:01:53 -0000 1.248.2.25 +++ openacs-4/packages/xowiki/tcl/form-field-procs.tcl 8 Sep 2016 09:45:18 -0000 1.248.2.26 
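Review bot: The two `security::csp::require` lines added to `BootstrapTableRenderer instproc render` allow the whole host `netdna.bootstrapcdn.com` for styles and fonts, while the stylesheet is still requested through a protocol-relative URL with no integrity check visible here. The policy therefore trusts everything that CDN serves, not just the one pinned file. The host name now appears three times in adjacent lines; keeping it in one variable used by `requireCSS` and both directives would stop the URL and the policy from drifting apart. A comment such as `# font-src: bootstrap.min.css presumably loads its glyphicon fonts from the same host` would explain the second directive. The body of `render` continues outside the hunk.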
@@ -1707,20 +1707,24 @@ default {error "value '[my set displayMode]' invalid: valid entries for displayMode are inplace, inline or standard (default)"} } # - # Don't set HTML5 attribute required, since this does not match + # Don't set HTML5 attribute "required", since this does not match # well with Richtext Editors (at least ckeditor4 has problems, # other probably as well). # my set booleanHTMLAttributes {readonly disabled formnovalidate} next + #ns_log notice "==== [my name] EDITOR specified? [my exists editor]" if {![my exists editor]} { my set editor [parameter::get_global_value -package_key xowiki \ -parameter PreferredRichtextEditor -default xinha] #my msg "setting default of [my name] to [my set editor]" } if {![my exists __initialized]} { + # # Mixin the editor based on the attribute 'editor' if necessary # and call initialize again in this case... + # + #ns_log notice "==== initializing EDITOR: [my set editor]" my editor [my set editor] my initialize } @@ -1978,6 +1982,14 @@ } richtext::ckeditor4 set editor_mixin 1 richtext::ckeditor4 instproc initialize {} { + + security::csp::require script-src 'unsafe-eval' + security::csp::require script-src 'unsafe-inline' + + security::csp::require script-src cdn.ckeditor.com + security::csp::require style-src cdn.ckeditor.com + security::csp::require img-src cdn.ckeditor.com + switch -- [my set displayMode] { inplace { my append help_text " #xowiki.ckeip_help#" } } 
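Review bot: In `richtext::ckeditor4 instproc initialize`, the added `script-src 'unsafe-inline'` and `script-src 'unsafe-eval'` directives give up most of the script-injection protection the policy provides. They sit at the top of `initialize`, ahead of the `displayMode` switch, so they appear to apply whenever a ckeditor4 field is initialized, even if it is later rendered read-only. The Xinha hunk at -2339 adds the same two keywords but only inside the `else` branch that renders the editor; placing them here next to the `requireJS` calls for `cdn.ckeditor.com` would limit the relaxed policy to pages that load the editor. A wiki that displays user-authored rich text is where an inline-script restriction matters most, so a comment such as `# relaxed script-src is needed only while the ckeditor4 widget is rendered (inline handlers / eval, TODO confirm)` would help a later reviewer tighten this again. The body of `initialize` continues past the hunk, so the read-only path is inferred rather than visible.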
@@ -2068,8 +2080,8 @@ ::xo::Page requireJS "/resources/xowiki/jquery/jquery.min.js" #::xo::Page requireJS "/resources/xowiki/ckeditor4/ckeditor.js" #::xo::Page requireJS "/resources/xowiki/ckeditor4/adapters/jquery.js" - ::xo::Page requireJS "//cdn.ckeditor.com/4.5.7/standard-all/ckeditor.js" - ::xo::Page requireJS "//cdn.ckeditor.com/4.5.7/standard-all/adapters/jquery.js" + ::xo::Page requireJS "//cdn.ckeditor.com/4.5.11/standard-all/ckeditor.js" + ::xo::Page requireJS "//cdn.ckeditor.com/4.5.11/standard-all/adapters/jquery.js" # In contrary to the doc, ckeditor4 names instances after the id, # not the name. @@ -2339,6 +2351,12 @@ if {![my istype ::xowiki::formfield::richtext] || $disabled} { my render_richtext_as_div } else { + # + # required CSP directives for Xinha + # + security::csp::require script-src 'unsafe-eval' + security::csp::require script-src 'unsafe-inline' + # we use for the time being the initialization of xinha based on # the blank master set ::acs_blank_master(xinha) 1