added URL for version checking to see if a newer version is available from the CDN

Extend test suite

when testing FormPage validation, make sure two distinct behaviors are respected:

1) Rejected values that were part of the request are kept in their original form fields so the user can rework them and resubmit

2) Other parts of the page, such as the page title, are NOT influenced by data that failed to validate

Rationale: displaying unvalidated information as part of the response can be interpreted as a page injection.

In the current codebase, the fact that the title was changed indicates that rejected information made its way into the :title object member of the FormPage.

The potential consequences of the FormPage setting unvalidated information into its members depend on a number of factors such as form field logics, callbacks and proper page quoting (to name a few).

Reduced attack vectors for query and form variables while keeping semantics

- improve form_parameter and query variable validation

- partly revert change: it is intentional that in case of validation errors, the instance variables of the in-memory object contain invalid data in order to be able to show the user the invalid data in the form.

- prefer "string first" idiom over regular expression

fix typo

Fix typo

removed obsolete code

update CDN source

The previous CDN site stopped working

generalized handling of error pages in disconnected stage

Cleanup leftover library: latest javascript assumes XMLHttpRequest is supported

Chat reform

The goal of these changes is to reduce the "mode" specific javascript code in the chat implementation and reduce server-side guessing of browser capabilities.

- In the MessageRelay class from xotcl-core, we rework the javascript code sent to the connection when doing scripted streaming to make less assumptions about the functions defined in the parent scope

- In the chat code from xowiki, we move most of the logics to guess the mode into javascript, where we can test the actual capabilities of the browser without relying on the user agent

- The previously 4 javascript files dependent on the chat mode have been made into one

./www/resources/scripted-streaming-chat.js (-20/+0), and 2 more files in changeset.
When the mode is "streaming", use Server-Sent Events instead of a "plain" endless request

This has the advantage of a clearer, less hacky API, which, for instance, does not require manual parsing of the partial response.

./www/resources/streaming-chat.js (-42/+16), and 2 more files in changeset.
Cleanup leftover method: its logics were moved to the MessageRelay class

Cleanup commented code

Revert to an approach that will not change the [self] object, which has unexpected consequences

Use a better idiom to revert changes on the object, that e.g. will handle the same arrays and variables

Ensure we are still connected before we try to render the error to the user

For instance, the error may have been triggered by an unexpected lack of connection, e.g. when we try to return content after a redirect has already been issued.

Extend test: edit a different component of repeated compound 3 to also test that old and new values are stored as expected

Extend and fix xowiki.create_form_with_form_instance automated test with respect to checkbox behavior

- simple checkboxes (normal and repeated): as we do not specify a value for those, the default should be expected, not the last option

- checkboxes in repeated compound fields: upon trivial re-editing, the values should stay the same

This change exposes a bug in acs::test::xpath::get_form_values

Port of downstream modification:

do not restrict the format the user can supply. Sanitize the filename later and complain only if this is made exclusively of invalid characters.

get_form_data reform:

when validation fails, revert all changes performed on the object while filling up the form fields.

Rationale: when validation fails, we do not persist the data. Likewise, we should not let unvalidated data sneak into the object, as this may be e.g. displayed on the page or be otherwise used by the system.
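The two commit messages above (the FormPage test-suite extension and the get_form_data reform) describe one defensive pattern: rejected input is echoed back into its own form field for re-editing, but every change made to the in-memory object while filling the form is reverted when validation fails, so unvalidated data can never reach the page title or any other member that the rest of the page reads. The following is an added example written for this page, not xowiki's own Tcl code; `FormPage`, `get_form_data`, `render`, the validators and the sample submissions are all constructed stand-ins for illustration.

```python
# Added example (not xowiki's own code): a form handler that keeps rejected
# input on the form for re-editing, but reverts every change made to the
# in-memory object when validation fails, so unvalidated data cannot reach
# the page title or other parts of the page. All names are hypothetical.
import copy
import html


class FormPage:
    """Hypothetical stand-in for an xowiki FormPage: title and body members."""

    def __init__(self, title, body):
        self.title = title
        self.body = body


# Field validators: each returns True when the submitted value is acceptable.
# The rules themselves are constructed for the example.
VALIDATORS = {
    "title": lambda v: 0 < len(v) <= 60 and "<" not in v,
    "body": lambda v: len(v) <= 1000,
}


def get_form_data(page, form):
    """Copy validated form values onto the object member by member.

    Returns a dict of field -> error message.  If any field fails, the object
    is restored to its state before the call, so the caller never sees a
    half-updated object carrying rejected input (the "revert all changes"
    rule from the commit message).
    """
    snapshot = copy.deepcopy(vars(page))
    errors = {}
    for name, value in form.items():
        if name not in VALIDATORS:
            continue  # unknown parameters are ignored, never stored
        if VALIDATORS[name](value):
            setattr(page, name, value)
        else:
            errors[name] = "invalid value"
    if errors:
        vars(page).clear()
        vars(page).update(snapshot)
    return errors


def render(page, form, errors):
    """Render the page.

    The <title> always comes from the (validated) object.  On a validation
    error the form fields are pre-filled with the submitted values so the user
    can rework them; every value is HTML-escaped before it is emitted.
    """
    values = form if errors else vars(page)
    out = [f"<title>{html.escape(page.title)}</title>"]
    for name in VALIDATORS:
        value = html.escape(values.get(name, ""))
        msg = f" <em>{html.escape(errors[name])}</em>" if name in errors else ""
        out.append(f'<input name="{name}" value="{value}">{msg}')
    return "\n".join(out)


def handle_submit(page, form):
    """Constructed request flow: validate the submission, then render."""
    errors = get_form_data(page, form)
    return errors, render(page, form, errors)


if __name__ == "__main__":
    # Constructed submission: the body is fine, the title is rejected.
    page = FormPage("Home", "hello")
    errors, out = handle_submit(page, {"title": "<b>x</b>", "body": "new body"})
    print(errors)   # {'title': 'invalid value'}
    print(page.title, "|", page.body)  # Home | hello  (body change reverted too)
    print(out)
```

Note that the valid `body` value is also rolled back when `title` fails: the object is either fully updated or untouched, which is what makes the rendered `<title>` trustworthy regardless of what the request contained.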

Do not retrieve extra_css from query_parameters, as this is vulnerable to injections

Many thanks to Markus Moser

reduced verbosity

Fix syntax of new oneof value checker

1 more file in changeset.
Validate nls_language so that the only values allowed are existing enabled locales

Fix parenthesis in bulk actions

Many thanks to Sebastian Scheder

Get the preferred css toolkit via api, as this will introduce additional fallback logics with respect to the plain parameter

Ensure scripts and internal-use information are not rendered together with the content, in particular for dumber HTML renderers

Make sure method variable exists, fixes automated tests

Whitespace cleanup

improve bootstrap3/bootstrap5 handling of personal notification messages

Many thanks to Monika Andergassen for providing the patch.

./tcl/personal-notification-procs.tcl (-3/+12)