[ https://issues.apache.org/jira/browse/OFBIZ-12356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12356.
-----------------------------------
    Fix Version/s: Upcoming Branch
       Resolution: Implemented

It did not help much, from 588 to 585 in total :/ At least it fixed a few (4) CVEs

I have 2 options: remove the js check from CodeQL, or only remove the "Incomplete 
string escaping or encoding" issues. I'll do the latter, in case we have other 
kinds of issues in our code.

> Try to reduce "Incomplete string escaping or encoding branch" issues reported 
> by CodeQL
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12356
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12356
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: themes
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> At 
> https://github.com/apache/ofbiz-framework/security/code-scanning?query=is%3AIncomplete+string+escaping+or+encoding+branch%3Atrunk+severity%3Ahigh
> GH CodeQL reports 556 "Incomplete string escaping or encoding branch" issues 
> (there are 588 issues in total). 
> Most of them are in jQuery-UI but not only:
> {quote}
> Incomplete string escaping or encoding
> (Library) 
> themes/common-theme/webapp/common/js/jquery/ui/jquery-ui-1.12.1.js:17591 • 
> {quote}
> Some are reported inside jQuery itself:
> {quote}
> Incomplete string escaping or encoding
> themes/common-theme/webapp/common/js/jquery/plugins/jsTree/jquery.jstree.js:2961
>  • 
> {quote}
> So this is only an attempt to clarify among the 23 pages(!) reported, by 
> upgrading jQuery-UI to 1.13.0. 
> While working on this I crossed an issue related to element.form() that is 
> now [element._form() in jQuery-UI 
> 1.13.0|https://jqueryui.com/changelog/1.13.0/#ui-core]. I think it appears 
> only in OfbizUtil.js because it's loaded after jQuery-UI.
> I also tried to load jQuery-UI with npmInstall but unfortunately 
> https://jqueryui.com/upgrade-guide/1.12/#official-package-on-npm (ie 
> jquery-ui.js & jquery-ui-min.js)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
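As an added example (not code from OFBiz, jQuery UI, jsTree, or this issue), here is the pattern that CodeQL's "Incomplete string escaping or encoding" query reports, next to the fixed form. The function names, the checker, and the sample input are assumptions made for the illustration; the underlying behaviour (String.prototype.replace with a string pattern replaces only the first match) is standard JavaScript.

```javascript
// Added example, not from the OFBiz code base: what CodeQL's
// "Incomplete string escaping or encoding" query is about.
//
// String.prototype.replace with a *string* pattern replaces only the first
// occurrence. An escaping routine written that way leaves every later
// metacharacter untouched, which is exactly what the query flags.

// The shape CodeQL reports: only the first double quote gets escaped.
function escapeQuotesIncomplete(s) {
  return s.replace('"', '\\"');
}

// Fixed form: a global regex (or String.prototype.replaceAll) handles
// every occurrence.
function escapeQuotesComplete(s) {
  return s.replace(/"/g, '\\"');
}

// Same fix applied to a single-quoted JS string literal. The backslash is
// escaped first so that an attacker-supplied backslash cannot swallow the
// escape added in the second step.
function escapeJsStringLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Heuristic check over the output: is any double quote still not preceded
// by a backslash? (Treats `\\"` as escaped too, which is good enough to show
// the difference between the two routines above.)
function hasUnescapedDoubleQuote(s) {
  return /(^|[^\\])"/.test(s);
}

// Constructed input (not from the page) carrying two quotes; the second one
// survives the incomplete version.
const sample = 'say "hi" and "bye"';

console.log('incomplete:', escapeQuotesIncomplete(sample),
            'unescaped left?', hasUnescapedDoubleQuote(escapeQuotesIncomplete(sample)));
console.log('complete:  ', escapeQuotesComplete(sample),
            'unescaped left?', hasUnescapedDoubleQuote(escapeQuotesComplete(sample)));
console.log('literal:   ', escapeJsStringLiteral("it's \\ fine"));
```

Running it prints the incomplete output with the second quote still bare, which is the residue the query is pointing at in the vendored jQuery UI and jsTree files; only the global-regex form clears the checker.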