gernst in OpenACS

Quote error message to better protect against XSS attacks

Added proc "membership_rel::expire" so that all membership states are now covered. Note: The Oracle part is best effort only!

    -2 / +2  /openacs-4/packages/acs-tcl/acs-tcl.info
file upgrade-5.10.1d16-5.10.1d17.sql was initially added on branch oacs-5-10.

Improve validation

Quote user provided value in error message to eliminate potential XSS attack vector

Allow only one format for the 'date' query parameter, bringing the page contract in line with the "Go to date"-form on this page from which this value is supplied.

    -2 / +2  /openacs-4/packages/calendar/www/view.tcl
ns_quotehtml user submitted value inside error message to prevent potential XSS attack

Fixed variable name

Harden page contract; Prefer redirect url created via "export_vars" over handcrafted one

Gradually improve usability and security of the calendar item new/edit form by adding additional input validations. Prefer built-in input validation over custom validation. Also make sure all needed JavaScript is in place.

    -23 / +29  /openacs-4/packages/calendar/www/cal-item-new.tcl
Make the initial population of the request-monitor counters more robust

Use package_id instead of the package object

    -2 / +2  /openacs-4/packages/xowiki/tcl/package-procs.tcl
Fix order in expression

Fix typo

Zoom LTI Interface: do not unset "lis_person_sourcedid" and "lis_person_contact_email_primary". The latter is not needed if a user should be logged in as "Student", but is required if the user should be logged in as "Instructor". "Instructor" in the Zoom context means giving this person the permission to create/manage meetings in the context of the launch. Which roles are considered by Zoom as being an "Instructor" has to be specified in the settings of Zoom's "LTI Pro" application.

Added feature to auto launch LTI login forms upon page loading. This is especially useful when embedding LTI content using an iframe.

Refine regular expression used for the detection of Includelets

    -2 / +2  /openacs-4/packages/xowiki/tcl/xowiki-procs.tcl
Bring the implementation of the "Search" operation of the "auth_search" service contract in line with the operation's definition by correcting the returned value ("username" instead of "user_id") and restricting the search to the local authority.

Remove non-functional "double click protection" in order to remove a potential attack vector

Added constraint site_nodes_parent_id_ck to table "site_nodes" to avoid certain simple loops on parent_ids

file upgrade-5.10.0d31-5.10.0d32.sql was initially added on branch oacs-5-10.

Use "latest_revision" as revision_id for the newly created news-item when it is created with "is_live_p" set to false

file upgrade-5.10.0d3-5.10.0d4.sql was initially added on branch oacs-5-10.

Package new-portal: additional database indices for tables "portal_element_map", "portal_element_parameters" and "portal_datasource_def_params"; bumped package version to 2.10.0d4

file upgrade-2.10.0d3-2.10.0d4.sql was initially added on branch oacs-5-10.

Removed instmixin specification from the ::xo::oauth::Package creation statement as the to-be-mixed-in classes no longer exist; Fixed varname

Change from ad_page_contract to ad_include_contract; removed unused arguments

Remove "Hinweise zum Datenschutz bei Google" parameter

Fix typo in message-key name

Strip off validation part before checking for the existence of query parameter