JS upstream updates

- Updated jquery-3.6.3 to jquery-3.7.1.

- Bumped version to 5.10.1b2

JS upstream updates

- Updated bootstrap5 to 5.3.3

- Updated jquery-3.6.3 to jquery-3.7.1.

- Bumped version to 5.10.1b4

file jquery-3.7.1.js was initially added on branch oacs-5-10.

file jquery-3.7.1.min.js was initially added on branch oacs-5-10.

Untangle if logics

Reject URLs displaying multiple protocols

Test further improvement of injection attempt by penetration tests

Harden page contract

Strengthen validation against smarter attempts to disguise the javascript: protocol

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol
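
As an added illustration of the kind of check the three commits above describe (this is not OpenACS code and does not show how the project's page contract implements it): a Python validator that first reduces a URL to what a browser will actually interpret (HTML entities decoded, leading and trailing control characters and spaces dropped, ASCII tab and newline removed anywhere, scheme lower-cased) and only then reads the scheme, rejecting anything not on an allow-list or anything that stacks several "scheme:" prefixes. The allow-list, the function names and the reading of "multiple protocols" as a chain such as http:javascript: are assumptions of this example.

```python
import html
import re

# Schemes a link or redirect target may use; anything else is rejected.
# Relative URLs (no scheme) are accepted. This allow-list is an
# assumption of the example, not the project's configuration.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "ftp"})

# Characters a browser discards before it parses the scheme (WHATWG URL
# parsing): C0 controls and space at both ends, ASCII tab/LF/CR anywhere.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")

# One or more "scheme:" prefixes at the start of the normalized URL,
# e.g. "http:javascript:" matches as a chain of two.
_SCHEME_CHAIN = re.compile(r"^((?:[a-z][a-z0-9+.\-]*:)+)")


def normalize_url(raw):
    """Reduce a URL to the form the browser will actually interpret.

    Order matters: attribute values are entity-decoded before URL
    parsing, so "javascript&colon;" and "&#106;avascript:" must become
    "javascript:" *before* the whitespace stripping and scheme check.
    """
    url = html.unescape(raw)
    url = url.strip(_C0_AND_SPACE)      # " \t\x01javascript:" -> "javascript:"
    url = _TAB_NEWLINE.sub("", url)     # "java\tscript:"     -> "javascript:"
    return url


def schemes_of(url):
    """Return every scheme in the leading 'a:b:c:' chain, lower-cased."""
    m = _SCHEME_CHAIN.match(url.lower())
    if not m:
        return []
    return [s for s in m.group(1).split(":") if s]


def is_safe_url(raw):
    """True if the normalized URL is relative or uses one allowed scheme."""
    url = normalize_url(raw)
    # Any control character that survived normalization (e.g. a NUL in
    # the middle of the scheme) is rejected outright rather than being
    # trusted to make the URL "merely relative" in every browser.
    if any(ord(c) < 0x20 for c in url):
        return False
    schemes = schemes_of(url)
    if not schemes:
        return True       # relative URL, resolves against the page itself
    if len(schemes) > 1:
        return False      # stacked protocols such as "http:javascript:..."
    return schemes[0] in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed probe strings of the kind a scanner sends; not real logs.
    for probe in ["https://example.com/", "javascript:alert(1)",
                  "JaVaScRiPt:alert(1)", " \t\njavascript:alert(1)",
                  "java\tscript:alert(1)", "&#106;avascript:alert(1)",
                  "javascript&colon;alert(1)", "http:javascript:alert(1)"]:
        print(repr(probe), "->", is_safe_url(probe))
```

Note that a query string containing "javascript:" (for example "https://example.com/?next=javascript:alert(1)") passes this check, because the href itself is https; whether that parameter is later used as a redirect target is a separate validation at the point of use.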

Add new extension mjs, for Javascript modules, to the Javascript mime type

file upgrade-5.10.1b3-5.10.1b4.sql was initially added on branch oacs-5-10.

file upgrade-0.6.2d6-0.6.2d7.sql was initially added on branch oacs-5-10.

added missing function args

reduce verbosity

Harden page contracts

Prefer more robust colon notation to quote database values

    (-1/+1) /openacs-4/packages/xowf/tcl/xowf-procs.tcl
We replace spaces with "&nbsp" for Safari, but then convert will fail in the test... clean up the entities before trying to convert

Fix variable name

Calculate the width before quoting is applied and refine the heuristic

Fix captcha rendering on iOS devices, where apparently spaces need to be translated to entities

    (-3/+10) /openacs-4/packages/captcha/tcl/captcha-procs.tcl
Fix captcha responsiveness

Update italian localization

    (-2/+2) /openacs-4/packages/xowiki/xowiki.info
Introduce server-side validation for HTML5 date and time formfields

A "formats" parameter can be specified on the formfields indicating one or more formats that we want to enforce. The syntax of any such format is that of the Tcl clock command.

Default values have been set according to the expected behavior of each form field type.

Empty values are always considered valid. If a field is required, this will be enforced in its own validator.
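
An added example, in Python rather than the project's Tcl, of the validation rule the paragraphs above describe (it is not the xowiki formfield code itself): per-field-type default formats, a caller-supplied formats list that overrides them, empty values always accepted, and rejection of values that do not parse completely against any format. The strptime format strings stand in for Tcl clock formats; the default table, the function names and the constructed form submission are assumptions of this example.

```python
from datetime import datetime

# Default formats accepted per HTML5 input type, in strptime syntax
# (the Tcl clock formats of the commit would play the same role).
# These defaults are an assumption of this example, not the project's.
DEFAULT_FORMATS = {
    "date": ("%Y-%m-%d",),
    "time": ("%H:%M", "%H:%M:%S"),
    "datetime-local": ("%Y-%m-%dT%H:%M", "%Y-%m-%dT%H:%M:%S"),
    "month": ("%Y-%m",),
}


def validate_temporal(value, field_type, formats=None):
    """Server-side check of a submitted HTML5 date/time value.

    Returns (ok, parsed): ok is True when the value is empty or matches
    one of the formats completely; parsed is the datetime on success.
    The browser's picker is not trusted: a client can submit any string,
    so the raw value is re-validated here.
    """
    if value == "":
        # Emptiness is not a format error; a separate 'required'
        # validator decides whether an empty field is acceptable.
        return True, None
    for fmt in formats or DEFAULT_FORMATS[field_type]:
        try:
            # strptime rejects trailing input ("unconverted data
            # remains") and impossible calendar dates such as Feb 30.
            # It is lenient about zero padding ("2024-3-5" parses).
            return True, datetime.strptime(value, fmt)
        except ValueError:
            continue
    return False, None


def first_format_error(fields):
    """Validate {name: (field_type, value)}; return the first failing name.

    Shows how a form-level check would report the offending field.
    """
    for name, (field_type, value) in fields.items():
        ok, _ = validate_temporal(value, field_type)
        if not ok:
            return name
    return None


# Constructed form submission (not captured traffic): the deadline uses a
# space instead of the HTML5 "T" separator and must be rejected.
SUBMITTED = {
    "start": ("date", "2024-03-05"),
    "slot": ("time", "09:30"),
    "deadline": ("datetime-local", "2024-03-05 09:30"),
    "report_month": ("month", ""),
}

if __name__ == "__main__":
    print("first invalid field:", first_format_error(SUBMITTED))
```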

    (-2/+2) /openacs-4/packages/xowiki/xowiki.info
Test behavior of HTML5 date and time formfields when invalid values are submitted

Quote error message to better protect against XSS attacks

Added default dbn to database drivers (acs::dc)

Align behavior with recent change in the xo::db interface

Added parameter to define a default dbn to a database connection

By this change, one can now define a default dbn at the creation time of a database connection object. Before, it was necessary to pass the "-dbn" value to every single command. The parameter can still be used for particular queries as before to overrule the default.

Example for defining a connection context to a pool named "legacy" using the PostgreSQL database interface:

::xo::db::DB-postgresql create ::xo::dc1 -dialect postgresql -dbn legacy
lappend _ [::xo::dc1 get_value . {select count(*) from acs_objects}]
lappend _ [::xo::dc get_value . {select count(*) from acs_objects}]
#> 660 51606

"An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing"

See e.g. https://cloud.google.com/blog/products/data-analytics/iframe-sandbox-tutorial

In xooauth/tcl/lti-procs.tcl we set a restrictive default (all sandboxing restrictions are applied by default). Users should relax it according to their embedded application.

xooauth/www/admin/lti-test.tcl is not really a productive file, so we set the already hardcoded value to no-sandboxing and note that this would be appropriate.

Remove duplicated entry