Update italian localization

  1. … 4 more files in changeset.
Introduce server-side validation for HTML5 date and time formfields

A "formats" parameter can be specified on the formfields indicating one or more formats that we want to enforce. The syntax for any such format is that of the Tcl clock command.

Default values have been set according to the expected behavior of each form field type.

Empty values are always considered valid. If a field is required, this will be enforced in its own validator.

Test behavior of HTML5 date and time formfields when invalid values are submitted

    • -0
    • +186
    ./tcl/test/xowiki-test-procs.tcl
removed code, which was commented out since ages.

Cleanup of external binaries: always use "util::which" to resolve binaries

    • -1
    • +3
    ./www/ckeditor-images/upload_image.tcl
  1. … 5 more files in changeset.
Fixed unreviewed commit, which might lead to hard-to-spot errors

The last change assumed that "nls_language" can be hard-wired to contain at most 5 characters. While this is not backed by the OpenACS data model, the standard (RFC 5646) explicitly states that there is no upper limit on the size of language tags. The three-letter language codes have been standard since 2001 (RFC 4646).

The change accepts now all defined locales. When the specified locale is not enabled, it provides a log notice, when the locale is not defined at all, it provides a warning and falls back to "en_US".

  1. … 2 more files in changeset.
Validate as a token also the default coming from _nls_language, ensure the resulting language key is at most 5 chars long (many thanks to Markus Moser for this)

improved bootstrap5 compatibility for personal notifications

This change improves the appearance of personal notifications for bootstrap5. It still works with bootstrap3.

Many thanks to Sebastian Scheder for this contribution!

    • -11
    • +24
    ./tcl/personal-notification-procs.tcl
Close the connection to the EventSource before leaving the page

Some browsers such as current Firefox may complain otherwise

Many thanks to Sebastian Scheder

Improve visualization of test info

Relax test condition:

make sure potential injections are not rendered on the page response.

Improved consistency of appearance, when multiple CSS toolkits are in use

- This change makes sure that consistently [::xowiki::CSS toolkit] is used instead of accessing the package parameter "PreferredCSSToolkit" directly. This change is necessary for handling e.g. of the parameter setting "default" consistently. Previously, a "default" value could result in loading the obsolete YUI .js and .css files.

- When "menu_entries" have multiple "config" entries, use the last one.

Extended site-wide admin page to include link for site-wide pages

Adding a link to site-wide admin pages makes it easier for admins to locate the site-wide pages (pages, which can be used in all xowiki instances)

Added link to parameter page in xowiki/admin page if it exists

This is a change to ease usage for novices. The "admin" pages should be replaced in the future, but for the time being, it helps for site-admins to understand, how to change which parameter value to obtain the desired results.

Extended "Page.copy_content_vars" with a "-except" parameter

This change makes it possible to use values from template pages without changing the name of the target page. This change also introduces a small modernization to use dicts instead of arrays.

added URL for version checking to see, if a newer version is available from the CDN

Extend test suite

when testing FormPage validation, make sure two distinct behaviors are respected:

1) Rejected values that were part of the request are kept in their original form fields so the user can rework them and resubmit

2) Other parts of the page, such as the page title, are NOT influenced by data that failed to validate

Rationale: displaying unvalidated information as part of the response can be interpreted as a page injection.

In the current codebase, the fact that the title was changed indicates that rejected information made its way into the :title object member of the FormPage.

The potential consequences of the FormPage setting unvalidated information into its members depend on a number of factors such as formfield logics, callbacks and proper page quoting (to name a few).

Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- revert partly change: it is intentional that in case of validation errors, the instance variables of the in-memory object contain invalid data in order to be able to show the user the invalid data in the form.

- prefer "string first" idiom over regular expression

fix typo

Fix typo

removed obsolete code

update CDN source

The previous CDN site stopped working

generalized handling of error pages in disconnected stage

Cleanup leftover library: latest javascript assumes XMLHttpRequest is supported

Chat reform

The goal of these changes is to reduce the "mode" specific javascript code in the chat implementation and reduce server-side guessing of browser capabilities.

- In the MessageRelay class from xotcl-core, we rework the javascript code sent to the connection when doing scripted streaming to make fewer assumptions about the functions defined in the parent scope

- In the chat code from xowiki, we move most of the logics to guess the mode into javascript, where we can test the actual capabilities of the browser without relying on the user agent

- The previously 4 javascript files dependent on the chat mode have been made into one

    • -20
    • +0
    ./www/resources/scripted-streaming-chat.js
  1. … 2 more files in changeset.
When the mode is "streaming", use Server Sent Events instead of a "plain" endless request

This has the advantage of a clearer, less hacky api, which, for instance, does not require manual parsing of the partial response.

    • -42
    • +16
    ./www/resources/streaming-chat.js
  1. … 2 more files in changeset.
Cleanup leftover method: its logics were moved to the MessageRelay class

Cleanup commented code

Revert to an approach that will not change the [self] object, which has unexpected consequences

Use a better idiom to revert changes on the object, that e.g. will handle the same arrays and variables