Improve visualization of test info

Relax test condition:

make sure potential injections are not rendered on the page response.

Improved consistency of appearance, when multiple CSS toolkits are in use

- This change makes sure that consistently [::xowiki::CSS toolkit] is used instead of accessing the package parameter "PreferredCSSToolkit" directly. This change is necessary for handling e.g. of the parameter setting "default" consistently. Previously, a "default" value could result in loading the obsolete YUI .js and .css files.

- When "menu_entries" have multiple "config" entries, use the last one.

Extended site-wide admin page to include link for site-wide pages

Adding a link to site-wide admin pages makes it easier for admins to locate the site-wide pages (pages which can be used in all xowiki instances).

Added link to parameter page in xowiki/admin page if it exists

This is a change to ease usage for novices. The "admin" pages should be replaced in the future, but for the time being, it helps site-admins to understand how to change which parameter value to obtain the desired results.

Extended "Page.copy_content_vars" with a "-except" parameter

This change makes it possible to use values from template pages without changing the name of the target page. This change also introduces a small modernization to use dicts instead of arrays.

added URL for version checking to see if a newer version is available from the CDN

Extend test suite

when testing FormPage validation, make sure two distinct behaviors are respected:

1) Rejected values that were part of the request are kept in their original form fields so the user can rework them and resubmit

2) Other parts of the page, such as the page title, are NOT influenced by data that failed to validate

Rationale: displaying unvalidated information as part of the response can be interpreted as a page injection.

In the current codebase, the fact that the title was changed indicates that rejected information made its way into the :title object member of the FormPage.

The potential consequences of the FormPage setting unvalidated information into its members depend on a number of factors such as formfield logics, callbacks and proper page quoting (to name a few).

Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- revert partly change: it is intentional that in case of validation errors, the instance variables of the in-memory object contain invalid data in order to be able to show the user the invalid data in the form.

- prefer "string first" idiom over regular expression

fix typo

Fix typo

removed obsolete code

update CDN source

The previous CDN site stopped working

generalized handling of error pages in disconnected stage

Cleanup leftover library: latest javascript assumes XMLHttpRequest is supported

Chat reform

The goal of these changes is to reduce the "mode" specific javascript code in the chat implementation and reduce server-side guessing of browser capabilities.

- In the MessageRelay class from xotcl-core, we rework the javascript code sent to the connection when doing scripted streaming to make less assumptions about the functions defined in the parent scope

- In the chat code from xowiki, we move most of the logics to guess the mode into javascript, where we can test the actual capabilities of the browser without relying on the user agent

- The previously 4 javascript files dependent on the chat mode have been made into one

./www/resources/scripted-streaming-chat.js (-20/+0), plus 2 more files in changeset
When the mode is "streaming", use Server Sent Events instead of a "plain" endless request

This has the advantage of a clearer, less hacky api, which, for instance, does not require manual parsing of the partial response.

./www/resources/streaming-chat.js (-42/+16), plus 2 more files in changeset
Cleanup leftover method: its logics were moved to the MessageRelay class

Cleanup commented code

Revert to an approach that will not change the [self] object, which has unexpected consequences

Use a better idiom to revert changes on the object, that e.g. will handle the same arrays and variables

Ensure we are still connected before we try to render the error to the user

For instance, the error may have been triggered by an unexpected lack of connection, e.g. when we try to return content after a redirect has already been issued.

Extend test: edit a different component of repeated compound 3 to also test that old and new values are stored as expected

Extend and fix xowiki.create_form_with_form_instance automated test with respect to checkbox behavior

- simple checkboxes (normal and repeated): as we do not specify a value for those, the default should be expected, not the last option

- checkboxes in repeated compound fields: upon trivial re-editing, the values should stay the same

This change exposes a bug in acs::test::xpath::get_form_values

Port of downstream modification:

do not restrict the format the user can supply. Sanitize the filename later and complain only if this is made exclusively of invalid characters.

get_form_data reform:

when validation fails, revert all changes performed on the object while filling up the form fields.

Rationale: when validation fails, we do not persist the data. Likewise, we should not let unvalidated data sneak into the object, as this may be e.g. displayed on the page or be otherwise used by the system.

Do not retrieve extra_css from query_parameters, as this is vulnerable to injections

Many thanks to Markus Moser

reduced verbosity

Fix syntax of new oneof value checker

Validate nls_language so that the only values allowed are existing enabled locales