• last updated 14 hours ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Reject frames and iframes in the content

Prevent sneaking symlinks in the content repository

Many thanks to Thomas Rennner and Günter Ernst for analyzing the issue

cr_write_content reform

when serving files, do not trust the content information, as the absolute path to the file can be determined programmatically in this case.

This also reduce divergency between Oracle and Postgres

Fixed issue introduced in OpenACS 5.9.0

The old version did not insert a property value via the

sec_session_property__upsert() in PostgreSQL on the initial setting

(later updates were OK). The broken version was just adding a tuple

and left the "property_value" empty.

Many thanks to Jonathan Kelley for identifying the issue and reporting it.

file upgrade-5.10.1b4-5.10.1b5.sql was initially added on branch oacs-5-10.

Implement a new filter for inclass-exam submissions

When displayed by the print-answers method, allow to filter also for not graded.

    • -10
    • +10
    /openacs-4/packages/xowf/xowf.info
added link to cluster info to acs-admin main page when cluster is enabled

improved spelling

    • -2
    • +2
    /openacs-4/packages/xowf/www/index.vuh
    • -1
    • +1
    /openacs-4/packages/xowiki/xowiki.info
    • -2
    • +2
    /openacs-4/packages/xowiki/www/index.vuh
clean dirty editor buffer

improved spelling

Made startup more robust

- handle not-yet-defined callback procs gracefully

updated version number of jquery (introduced not long ago)

Improved readability of configuration parameter "parameterSecret"

- Switched to camelCase for better readabilty and uniformity

- NaviServer configuration parameters are case insensitive, so no danger for backward compatibility

Made .xql file more consistent by using dot notation

OpenACS for PostgreSQL uses since the release of 5.10.0 the dot

notation for the SQL function acs_permission.permission_p() to ease

portability with Oracle.

In general, one has to be careful that during an upgrade from an older

OpenACS version (e.g. 5.9.*) directly to 5.10.1 to upgrade process

does not depend on the dot notation, otherwise the upgrade will fail.

One should be safe for most UI functions in this respect.

Expand permission test suite to include definition of custom privileges in a couple of setups

Provide an automated test of "advanced" permission features: permission inheritance via group, or via the permission context

Use a simpler approach to achieve the intended result, which does not rely on events

    • -19
    • +8
    /openacs-4/packages/xowiki/tcl/chat-procs.tcl
Keep comments on the server side

    • -7
    • +10
    /openacs-4/packages/xowiki/tcl/chat-procs.tcl
JS upstream updates

- Updated highcharts to 11.4.0 (when highcharts package is not installed)

- Updated jquery-3.6.3 to jquery-3.7.1.

- Bumped version number to 5.10.1b10

    • -2
    • +2
    /openacs-4/packages/xowiki/xowiki.info
    • -2
    • +2
    /openacs-4/packages/xowiki/tcl/resource-init.tcl
Ensure chat javascript is executed only when the chat itself is actually a part of the DOM

This may not be the case at the time of rendering, e.g. because the chat is rendered inside of a <template> tag and appended to the document at a later moment.

    • -2
    • +19
    /openacs-4/packages/xowiki/tcl/chat-procs.tcl
JS upstream updates

- Updated upstream library to 11.4.0

- Bumped version to 0.5

JS upstream updates

- Updated jquery-3.6.3 to jquery-3.7.1.

- Bumped version to 5.10.1b2

JS upstream updates

- Updated boostrap5 to 5.3.3

- Updated jquery-3.6.3 to jquery-3.7.1.

- Bumped version to 5.10.1b4

file jquery-3.7.1.js was initially added on branch oacs-5-10.

file jquery-3.7.1.min.js was initially added on branch oacs-5-10.

Untangle if logics

Reject URLs displaying multiple protocols

Test further improvement of injection attempt by penetration tests

Harden page contract

Strenghten validation against smarter attempts to disguise the javascript: protocol