[ https://issues.apache.org/jira/browse/OFBIZ-12356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17436658#comment-17436658 ]

Jacques Le Roux commented on OFBIZ-12356:
-----------------------------------------

Ha, actually when I filtered using "Incomplete string escaping or encoding" (i.e. 
with quotes) I saw only 181 such remaining (still 8 pages). They are only in 3rd-party 
libs, mostly (if not all) jQuery. I have closed almost all (577) of the reported 
3rd-party lib issues. We can't do anything about them anyway. Note that 
they are closed, so they can still be reviewed.

12 cases remain that we need to look at more closely: 
https://github.com/apache/ofbiz-framework/security/code-scanning. As you can 
see, only 3 are in OFBiz JS code.

> Try to reduce "Incomplete string escaping or encoding branch" issues reported 
> by CodeQL
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12356
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12356
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: themes
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: Upcoming Branch
>
>
> At 
> https://github.com/apache/ofbiz-framework/security/code-scanning?query=is%3AIncomplete+string+escaping+or+encoding+branch%3Atrunk+severity%3Ahigh
> GH CodeQL reports 556 "Incomplete string escaping or encoding branch" issues 
> (there are 588 issues in total). 
> Most of them are in jQuery-UI but not only:
> {quote}
> Incomplete string escaping or encoding
> (Library) 
> themes/common-theme/webapp/common/js/jquery/ui/jquery-ui-1.12.1.js:17591 • 
> {quote}
> Some are reported inside jQuery itself:
> {quote}
> Incomplete string escaping or encoding
> themes/common-theme/webapp/common/js/jquery/plugins/jsTree/jquery.jstree.js:2961
>  • 
> {quote}
> So this is only an attempt to clarify among the 23 pages(!) reported, by 
> upgrading jQuery-UI to 1.13.0. 
> While working on this I came across an issue related to element.form() that is 
> now [element._form() in jQuery-UI 
> 1.13.0|https://jqueryui.com/changelog/1.13.0/#ui-core]. I think it appears 
> only in OfbizUtil.js because it's loaded after jQuery-UI.
> I also tried to load jQuery-UI with npmInstall but unfortunately 
> https://jqueryui.com/upgrade-guide/1.12/#official-package-on-npm (i.e. 
> jquery-ui.js & jquery-ui-min.js)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
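For readers triaging the remaining findings, here is an added illustration of the two coding patterns that CodeQL's "Incomplete string escaping or encoding" query (js/incomplete-sanitization) reports: a replace() that only touches the first occurrence, and an escaper that forgets to escape the backslash itself. This is not code from OFBiz, jQuery or jQuery-UI, and it says nothing about what the specific lines flagged above contain; the function names and the sample inputs are constructed for the example.

```javascript
// Added example (not OFBiz or jQuery-UI code) of what the CodeQL query
// js/incomplete-sanitization flags, and of the corresponding fix.
// All function names below are made up for illustration.

// Pattern 1: String.prototype.replace with a *string* pattern replaces only
// the first occurrence, so every quote after the first passes through.
// CodeQL also flags a regex pattern without the "g" flag for the same reason.
function escapeQuotesIncomplete(s) {
  return s.replace("'", "\\'");
}

// Pattern 2: all quotes are escaped, but the escape character (backslash)
// is not. An attacker who supplies a backslash before the quote turns the
// inserted backslash into an escaped backslash and the quote stays live.
function escapeQuotesNoBackslash(s) {
  return s.replace(/'/g, "\\'");
}

// Fixed: global regex, and the backslash is escaped first so that later
// escapes cannot be neutralised by attacker-supplied backslashes.
function escapeQuotes(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Check helper: count single quotes that are still unescaped, i.e. not
// preceded by an odd number of backslashes. 0 means the value can be
// dropped inside a single-quoted JS string literal without closing it.
function unescapedQuoteCount(s) {
  let count = 0;
  let backslashes = 0;
  for (const ch of s) {
    if (ch === "\\") {
      backslashes++;
      continue;
    }
    if (ch === "'" && backslashes % 2 === 0) count++;
    backslashes = 0;
  }
  return count;
}

// Constructed sample inputs, each trying to break out of a quoted literal.
const SAMPLES = {
  twoQuotes: "it's ok'); alert(1); //",   // second quote defeats pattern 1
  backslashTrick: "\\'); alert(1); //",   // leading backslash defeats pattern 2
};

// Run each escaper against the input that defeats it and against the fix.
function demo() {
  return {
    incomplete: unescapedQuoteCount(escapeQuotesIncomplete(SAMPLES.twoQuotes)),
    noBackslash: unescapedQuoteCount(escapeQuotesNoBackslash(SAMPLES.backslashTrick)),
    fixedA: unescapedQuoteCount(escapeQuotes(SAMPLES.twoQuotes)),
    fixedB: unescapedQuoteCount(escapeQuotes(SAMPLES.backslashTrick)),
  };
}

console.log(demo());
```

When a flagged site is in project code rather than a vendored library, the quick review question is the one the helper asks: after the replace, can the input still contain an unescaped delimiter? If the answer is yes, prefer an existing encoder for the target context over hand-written replace chains.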