[jira] [Commented] (OFBIZ-10639) Cookie Consent In E-Commerce

2019-06-16 Thread Swapnil M Mane (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865319#comment-16865319
 ] 

Swapnil M Mane commented on OFBIZ-10639:


Thanks Deepak for your contribution, and everyone for participating in the 
discussion.

Dear [~deepak.nigam],
I have applied the patch and everything is working as expected.
As the above comments and suggestions are resolved, we are good to commit it.
I am unassigning this ticket and would like to see your commits in action.
Once again, many congratulations on your new role, happy committing :-)

Thanks!

> Cookie Consent In E-Commerce
> 
>
> Key: OFBIZ-10639
> URL: https://issues.apache.org/jira/browse/OFBIZ-10639
> Project: OFBiz
>  Issue Type: New Feature
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Deepak Nigam
>Assignee: Swapnil M Mane
>Priority: Minor
> Attachments: OFBIZ-10639.patch, OFBIZ-10639.patch
>
>
> As per discussion on Dev ML [https://markmail.org/message/rcatehtckz6vlvuv]:
> The Cookie Law is a piece of privacy legislation that requires websites to 
> get consent from visitors to store or retrieve any information on their 
> computer, smartphone or tablet. It was designed to protect online privacy, by 
> making consumers aware of how information about them is collected and used 
> online, and giving them a choice to allow it or not. 
>
> The EU Cookie Legislation began as a directive from the European Union. Some 
> variation on the policy has since been adopted by all countries within the EU.
>
> The EU Cookie Legislation requires 4 actions from website owners who use 
> cookies:
> 1. When someone visits your website, you need to let them know that your 
> site uses cookies. 
> 2. You need to provide detailed information regarding how that cookie data 
> will be utilized. 
> 3. You need to provide visitors with some means of accepting or refusing the 
> use of cookies on your site. 
> 4. If they refuse, you need to ensure that cookies will not be placed on 
> their machine.
>
> For more information about EU cookie policy, please visit 
> [here|http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm].
>
> As this crucial feature is missing in the OFBiz E-Commerce application, we 
> should work towards its implementation. There are numerous open-source jQuery 
> plugins available which we can use.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Assigned] (OFBIZ-10639) Cookie Consent In E-Commerce

2019-06-16 Thread Swapnil M Mane (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Swapnil M Mane reassigned OFBIZ-10639:
--

Assignee: (was: Swapnil M Mane)






[jira] [Comment Edited] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Aditya Sharma (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865307#comment-16865307
 ] 

Aditya Sharma edited comment on OFBIZ-10678 at 6/17/19 5:11 AM:


Thanks Jacques :)

I just observed a quirk: the screen flickers with the Flat Grey theme (for a very 
small duration), but it can be regenerated on the [demo 
stable|https://demo-stable.ofbiz.apache.org/webtools/control/main] instance too.


was (Author: aditya.sharma):
 

Thanks Jacques :)

I just observed a quirk: the screen flickers with the Flat Grey theme (for a very 
small duration), which can be regenerated on the [demo 
stable|https://demo-stable.ofbiz.apache.org/webtools/control/main] instance too.

> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> --
>
> Key: OFBIZ-10678
> URL: https://issues.apache.org/jira/browse/OFBIZ-10678
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>  Labels: Javascript, retire.js, vulnerabilities
> Attachments: OFBIZ-10678.patch
>
>
> 3 years ago I created the page 
> https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and 
> here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 
> 20184, summary: XSS in data-target property of scrollspy, CVE: 
> CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: 
> medium; issue: 20184, s
> ummary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; 
> https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 
> 20184, summary: XSS in data-container property of tooltip, CVE: 
> CVE-2018-14042; https://github.co
> m/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, 
> summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; 
> https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 
> 20184, summary:
>  XSS in collapse data-parent attribute, CVE: CVE-2018-14040; 
> https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 
> 20184, summary: XSS in data-container property of tooltip, CVE: 
> CVE-2018-14042; https://github.com/twbs/
> bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: 
> CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; 
> http://bugs.jquery.com/ticket/11290 
> https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecu
> relabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party 
> CORS request may execute, CVE: CVE-2015-9251; 
> https://github.com/jquery/jquery/issues/2432 
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://
> nvd.nist.gov/vuln/detail/CVE-2015-9251 
> http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The 
> attribute usemap can be used as a security exploit; 
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>  severit
> y: medium; summary: Universal CSP bypass via add-on in Firefox; 
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; 
> https://github.com/
> angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in 
> $sanitize in Safari/Firefox; 
> https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
>  ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The 
> attribute usemap can be used as a security exploit; 
> https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21
>  severit
> y: medium; summary: Universal CSP bypass via add-on in Firefox; 
> https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 
> http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; 
> https://github.com/
> angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in 
> $sanitize in Safari/Firefox; 
> 
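An added example, not retire.js or OFBiz code: a small Python parser for the retire.js text report quoted above that turns each entry into a structured finding and applies a CI severity gate. The sample report embedded below is constructed to mirror the quoted lines, and the `medium` gate threshold is an assumption.

```python
"""Parse retire.js text output into structured findings and gate on severity.

Added illustration, not retire.js or OFBiz code.  SAMPLE_OUTPUT is constructed
to mirror the report quoted in the issue; the 'medium' threshold is assumed.
"""
import re

# Constructed sample in retire.js text format: a file path line followed by an
# indented finding line.  The arrow glyph retire.js prints reached the mailing
# list as '?', so the parser only requires some non-space token there.
SAMPLE_OUTPUT = r"""
C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
 ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FINDING_RE = re.compile(
    r"^\s*\S+\s+(?P<lib>\S+)\s+(?P<ver>\S+) has known vulnerabilities:\s*(?P<rest>.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# The summary ends at the next ';' or at a following ", CVE:" field.
SUMMARY_RE = re.compile(r"summary:\s*(.+?)(?=;|, CVE:|$)")


def parse_retire_output(text):
    """Return one dict per vulnerability: file, library, version, severity,
    summary and the CVE ids mentioned in that entry."""
    findings, current_file = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a scanned file path
            current_file = line.strip()
            continue
        m = FINDING_RE.match(line)
        if m is None or current_file is None:
            continue                       # not a finding line; ignore it
        # retire.js lists several vulnerabilities per library, each starting
        # with 'severity:', so split the remainder on that keyword.
        for chunk in re.split(r"\bseverity:\s*", m.group("rest")):
            chunk = chunk.strip()
            if not chunk:
                continue
            summary = SUMMARY_RE.search(chunk)
            findings.append({
                "file": current_file,
                "library": m.group("lib"),
                "version": m.group("ver"),
                "severity": chunk.split(";", 1)[0].strip().lower(),
                "summary": summary.group(1).strip() if summary else "",
                "cves": sorted(set(CVE_RE.findall(chunk))),
            })
    return findings


def worst_by_file(findings):
    """Map each scanned file to the highest severity reported against it."""
    worst = {}
    for f in findings:
        current = SEVERITY_RANK.get(worst.get(f["file"], ""), 0)
        if SEVERITY_RANK.get(f["severity"], 0) > current:
            worst[f["file"]] = f["severity"]
    return worst


def all_cves(findings):
    """Sorted, de-duplicated CVE ids across the whole report."""
    return sorted({cve for f in findings for cve in f["cves"]})


def should_fail_build(findings, threshold="medium"):
    """CI gate: True when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= limit for f in findings)


if __name__ == "__main__":
    results = parse_retire_output(SAMPLE_OUTPUT)
    for path, sev in worst_by_file(results).items():
        print(f"{sev:8} {path}")
    print("CVEs:", ", ".join(all_cves(results)))
    print("fail build:", should_fail_build(results))
```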

[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Aditya Sharma (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865307#comment-16865307
 ] 

Aditya Sharma commented on OFBIZ-10678:
---

 

Thanks Jacques :)

I just observed a quirk: the screen flickers with the Flat Grey theme (for a very 
small duration), which can be regenerated on the [demo 
stable|https://demo-stable.ofbiz.apache.org/webtools/control/main] instance too.


[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865145#comment-16865145
 ] 

Jacques Le Roux commented on OFBIZ-10678:
-

Thanks a bunch Aditya,

Much appreciated! I'll have a look tomorrow...


[jira] [Comment Edited] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Aditya Sharma (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865033#comment-16865033
 ] 

Aditya Sharma edited comment on OFBIZ-10678 at 6/16/19 2:57 PM:


Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the 
inferences based on the following verifications:

Validations
  Verify:
  [https://localhost:8443/catalog/control/CreateProductFeature]
  [https://localhost:8443/catalog/control/EditProduct]
Query Timepicker
  [https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]
jGrowl
  Success and Error Messages on all the pages
jsTree
  [https://localhost:8443/humanres/control/main]
Readmore
  [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]
jQuery UI
  Used throughout OFBiz
Elrte
  Steps:
  1. Go to Content component ([https://localhost:8443/content/control/main]).
  2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
  3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM]).
  4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM=ASK]).
Asm Select
  [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)
Jquery hotkeys
  [https://localhost:8443/webpos/control/main]
Jeditable
  [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)
Jquery Mask
  [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)
Jquery flot
  [https://localhost:8443/example/control/ExampleBarChart]
Fancybox
  Verify:
  [https://localhost:8443/example/control/ListVisualThemes] Click on image
  Fancybox TypeError: j.get(...).style.removeAttribute is not a function

All the plugins are working fine except the Fancybox. We have to replace it 
with some alternative. Fancybox is now available at Fancyapps under the GPLv3 
license for all open source applications. A commercial license is required for 
all commercial applications (including sites, themes and apps you plan to 
sell). I have found an alternative, Lightbox, for it. 
  [http://fancybox.net/]
  [http://fancyapps.com/fancybox/3/#license]
Alternative:
  Lightbox under MIT license (though I am still looking at some other 
  options) [http://ashleydw.github.io/lightbox/] 


was (Author: aditya.sharma):
Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the 
inferences based on the following verifications:

Validations
  Verify:
  [https://localhost:8443/catalog/control/CreateProductFeature]
  [https://localhost:8443/catalog/control/EditProduct]
Query Timepicker
  [https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]
jGrowl
  Success and Error Messages on all the pages
jsTree
  [https://localhost:8443/humanres/control/main]
Readmore
  [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]
jQuery UI
  Used throughout OFBiz
Elrte
  Steps:
  1. Go to Content component ([https://localhost:8443/content/control/main]).
  2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
  3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM]).
  4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM=ASK]).
Asm Select
  [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)
Jquery hotkeys
  [https://localhost:8443/webpos/control/main]
Jeditable
  [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)
Jquery Mask
  [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)
Jquery flot
  [https://localhost:8443/example/control/ExampleBarChart]
Fancybox
  Verify:
  [https://localhost:8443/example/control/ListVisualThemes] Click on image
  Fancybox TypeError: j.get(...).style.removeAttribute is not a function

All the plugins are working fine except the Fancybox. We have to replace it 
with some alternative. Fancybox is now available at Fancyapps under the GPLv3 
license for all open source applications. A commercial license is required for 
all commercial applications (including sites, themes and apps you plan to 
sell). I have found an alternative, Lightcase, for it. 
  [http://fancybox.net/]
  [http://fancyapps.com/fancybox/3/#license]
Alternative:
  Lightbox under MIT license (though I am still looking at some other 
  options) [http://ashleydw.github.io/lightbox/] 


[jira] [Updated] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Aditya Sharma (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aditya Sharma updated OFBIZ-10678:
--
Attachment: OFBIZ-10678.patch


[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js

2019-06-16 Thread Aditya Sharma (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16865033#comment-16865033
 ] 

Aditya Sharma commented on OFBIZ-10678:
---

Here is a patch with jQuery 3.4.1 replacing jQuery 1.11.0. Here are the 
inferences based on the following verifications:

Validations
  Verify:
  [https://localhost:8443/catalog/control/CreateProductFeature]
  [https://localhost:8443/catalog/control/EditProduct]
Query Timepicker
  [https://localhost:8443/ordermgr/control/ListQuoteRoles?quoteId=CQ0001]
jGrowl
  Success and Error Messages on all the pages
jsTree
  [https://localhost:8443/humanres/control/main]
Readmore
  [https://localhost:8443/ordermgr/control/returnMain?returnId=10007]
jQuery UI
  Used throughout OFBiz
Elrte
  Steps:
  1. Go to Content component ([https://localhost:8443/content/control/main]).
  2. Click on Forum from submenu ([https://localhost:8443/content/control/findForumGroups]).
  3. Click on forums link under Select column ([https://localhost:8443/content/control/findForums?forumGroupId=WebStoreFORUM]).
  4. Click on messages link under Select column ([https://localhost:8443/content/control/findForumMessages?forumGroupId=WebStoreFORUM=ASK]).
Asm Select
  [https://localhost:8443/example/control/FormWidgetExamples] (Multiple drop-downs)
Jquery hotkeys
  [https://localhost:8443/webpos/control/main]
Jeditable
  [https://localhost:8443/example/control/authview/findExampleAjax] (Name field is click and edit)
Jquery Mask
  [https://localhost:8443/example/control/FormWidgetExamples] (Datetimepicker Field)
Jquery flot
  [https://localhost:8443/example/control/ExampleBarChart]
Fancybox
  Verify:
  [https://localhost:8443/example/control/ListVisualThemes] Click on image
  Fancybox TypeError: j.get(...).style.removeAttribute is not a function

All the plugins are working fine except the Fancybox. We have to replace it 
with some alternative. Fancybox is now available at Fancyapps under the GPLv3 
license for all open source applications. A commercial license is required for 
all commercial applications (including sites, themes and apps you plan to 
sell). I have found an alternative, Lightcase, for it. 
  [http://fancybox.net/]
  [http://fancyapps.com/fancybox/3/#license]
Alternative:
  Lightbox under MIT license (though I am still looking at some other 
  options) [http://ashleydw.github.io/lightbox/] 

> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> --
>
> Key: OFBIZ-10678
> URL: https://issues.apache.org/jira/browse/OFBIZ-10678
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, 
> Release Branch 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
>  Labels: Javascript, retire.js, vulnerabilities
>
> 3 years ago I created the page 
> https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and 
> here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
>  ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
>  ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
>  ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
> 
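The retire.js text output quoted above is only useful as a release gate once it is turned into something a build can act on. The script below is an added example, not code from OFBiz, from the ticket, or from retire.js: it parses the text format into structured findings (file, library, version, and the CVE ids per entry), lists the libraries that need upgrading, and fails when anything at or above a chosen severity remains. The sample input is constructed from the lines quoted in the ticket, and the regular expressions are assumptions about retire.js's text layout rather than a documented interface; retire.js also has a JSON output format, which is the more robust input for CI.

```python
"""Parse retire.js text output into structured findings and apply a severity gate.

Added example, not part of OFBiz or of retire.js. The regular expressions are
assumptions about the text format quoted in the ticket, not a documented API.
"""
import re

# Constructed sample: file paths, library versions and CVE ids are the ones
# quoted in the ticket; the "?" is the arrow glyph retire.js prints, as it
# survived in the ticket text.
SAMPLE_OUTPUT = r"""
C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
 ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# " <arrow> <library> <version> has known vulnerabilities: <entries>"
FINDING_RE = re.compile(
    r"^\s*\S+\s+(?P<lib>[\w.-]+)\s+(?P<ver>\S+)\s+has known vulnerabilities:\s*(?P<rest>.*)$"
)
# Each entry starts with "severity: <level>;" and runs up to the next one.
ENTRY_RE = re.compile(r"severity:\s*(?P<sev>\w+);(?P<body>.*?)(?=severity:|$)")
SUMMARY_RE = re.compile(r"summary:\s*(?P<text>.*?)(?:,\s*CVE:|;|$)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_retire_output(text):
    """Return a list of findings, one per flagged file/library/version."""
    findings = []
    current_file = None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = FINDING_RE.match(line) if "has known vulnerabilities" in line else None
        if match is None:
            current_file = line.strip()  # a bare path introduces the next finding
            continue
        entries = []
        for entry in ENTRY_RE.finditer(match.group("rest")):
            body = entry.group("body")
            summary = SUMMARY_RE.search(body)
            entries.append({
                "severity": entry.group("sev").lower(),
                "summary": summary.group("text").strip() if summary else "",
                # de-duplicate: the NVD link repeats the CVE id in the same entry
                "cves": sorted(set(CVE_RE.findall(body))),
            })
        findings.append({
            "file": current_file,
            "library": match.group("lib"),
            "version": match.group("ver"),
            "vulnerabilities": entries,
        })
    return findings


def blocking_items(findings, threshold="medium"):
    """Flatten findings at or above the threshold into (file, lib, version, cve) tuples."""
    limit = SEVERITY_RANK[threshold]
    items = []
    for finding in findings:
        for vuln in finding["vulnerabilities"]:
            if SEVERITY_RANK.get(vuln["severity"], 0) < limit:
                continue
            for cve in vuln["cves"] or ["(no CVE assigned)"]:
                items.append((finding["file"], finding["library"], finding["version"], cve))
    return items


def libraries_to_upgrade(findings):
    """Map library name -> sorted list of flagged versions: the list to act on."""
    result = {}
    for finding in findings:
        result.setdefault(finding["library"], set()).add(finding["version"])
    return {lib: sorted(versions) for lib, versions in result.items()}


if __name__ == "__main__":
    found = parse_retire_output(SAMPLE_OUTPUT)
    for path, lib, version, cve in blocking_items(found):
        print("BLOCK %s %s in %s: %s" % (lib, version, path, cve))
    print("upgrade:", libraries_to_upgrade(found))
    # non-zero exit turns the scan into a build gate
    raise SystemExit(1 if blocking_items(found) else 0)
```

Run against a real scan by piping `retire` output into the parser instead of `SAMPLE_OUTPUT`; the per-library map is what a maintainer needs to decide which bundled copies (here two Bootstrap 4.0.x files and the jQuery 1.7.1 embedded in require.js) to upgrade, while the exit status lets the same check run unattended.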

[jira] [Comment Edited] (OFBIZ-10639) Cookie Consent In E-Commerce

2019-06-16 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16864646#comment-16864646
 ] 

Jacques Le Roux edited comment on OFBIZ-10639 at 6/16/19 8:28 AM:
--

Hi Pierre,

It seems to me you have a point. But, as you know, such a decision is not part 
of this issue. Please create a discussion on dev ML.

For the sake of the future discussion I had a quick look.
 # All the *min.js are a total of 1.75 Mb (I think we have not minified OFBiz 
specific files but that would need to be verified)
 with 1.61 Mb in theme
 # All the *.js are a total of 14.4 Mb
 in cmssite docbook it's only 250 Kb,
 in solr it's 4.4 Mb and
 in theme it's 10.7 Mb

As a comparison 16.11.05 unpacked is 122 Mb (packed 29.8 Mb), 23.6 Mb for 
docbook in cmssite (for our "old" online help), 19.5 Mb for images as a whole 
(most is jQuery), 11.6 Mb for theme and 11.3 Mb for tools, which will not be 
part of further releases.


was (Author: jacques.le.roux):
Hi Pierre,

It seems to me you have a point. But, as you know, such a decision is not part 
of this issue. Please create a discussion on dev ML.

For the sake of the future discussion I had a quick look.
 # All the *min.js are a total of 1.75 Mb (I think we have not minified OFBiz 
specific files but that would need to be verified)
 with 1.61 Mb in theme
 # All the *.js are a total of 14.4 Mb (I think we have not minified OFBiz 
specific files but that need to be verified)
 in cmssite docbook it's only 250 Kb,
 in solr it's 4.4 Mb and
 in theme it's 10.7 Mb

As a comparison 16.11.05 unpacked is 122 Mb (packed 29.8 Mb), 23.6 Mb for 
docbook in cmssite (for our "old" online help), 19.5 Mb for images as a whole 
(most is jQuery), 11.6 Mb for theme and 11.3 Mb for tools, which will not be 
part of further releases.

> Cookie Consent In E-Commerce
> 
>
> Key: OFBIZ-10639
> URL: https://issues.apache.org/jira/browse/OFBIZ-10639
> Project: OFBiz
>  Issue Type: New Feature
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Deepak Nigam
>Assignee: Swapnil M Mane
>Priority: Minor
> Attachments: OFBIZ-10639.patch, OFBIZ-10639.patch
>
>
> As per discussion on Dev ML [https://markmail.org/message/rcatehtckz6vlvuv] 
> The Cookie Law is a piece of privacy legislation that requires websites to 
> get consent from visitors to store or retrieve any information on their 
> computer, smartphone or tablet. It was designed to protect online privacy, by 
> making consumers aware of how information about them is collected and used 
> online, and give them a choice to allow it or not. 
>   
>  The EU Cookie Legislation began as a directive from the European Union. Some 
> variation on the policy has since been adopted by all countries within the EU.
>   
>  The EU Cookie Legislation requires 4 actions from website owners who use 
> cookies:
>  1. When someone visits your website, you need to let them know that your 
> site uses cookies. 
>  2. You need to provide detailed information regarding how that cookie data 
> will be utilized. 
>  3. You need to provide visitors with some means of accepting or refusing the 
> use of cookies in your site. 
>  4. If they refuse, you need to ensure that cookies will not be placed on 
> their machine.
>  
>  For more information about EU cookie policy, please visit 
> [here|http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm].
>   
>  As this crucial feature is missing in OFBiz E-Commerce application, we 
> should work towards its implementation. There are numerous open-source jQuery 
> plugins available which we can use.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)