[jira] [Closed] (OFBIZ-12097) Date picker not initialised in ajax-called form
[ https://issues.apache.org/jira/browse/OFBIZ-12097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] James Yong closed OFBIZ-12097. -- Resolution: Fixed > Date picker not initialised in ajax-called form > > > Key: OFBIZ-12097 > URL: https://issues.apache.org/jira/browse/OFBIZ-12097 > Project: OFBiz > Issue Type: Bug > Components: base >Affects Versions: Upcoming Branch >Reporter: James Yong >Assignee: James Yong >Priority: Minor > Fix For: Upcoming Branch > > > The date picker icon is missing when the form is called with ajax. > To test: > 1) Go to /catalog/control/ProductStoreFacilities?productStoreId=9000 > 2) Click Add Facility button -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OFBIZ-12097) Date picker not initialised in ajax-called form
[ https://issues.apache.org/jira/browse/OFBIZ-12097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252291#comment-17252291 ] ASF subversion and git services commented on OFBIZ-12097: - Commit 483e77ea838d544772d5fe1592910bc3dbc9e177 in ofbiz-framework's branch refs/heads/trunk from James Yong [ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=483e77e ] Fixed: Date picker not initialised in ajax-called form (OFBIZ-12097) Use inline script when request is ajax > Date picker not initialised in ajax-called form > > > Key: OFBIZ-12097 > URL: https://issues.apache.org/jira/browse/OFBIZ-12097 > Project: OFBiz > Issue Type: Bug > Components: base >Affects Versions: Upcoming Branch >Reporter: James Yong >Assignee: James Yong >Priority: Minor > Fix For: Upcoming Branch > > > The date picker icon is missing when the form is called with ajax. > To test: > 1) Go to /catalog/control/ProductStoreFacilities?productStoreId=9000 > 2) Click Add Facility button -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OFBIZ-12097) Date picker not initialised in ajax-called form
James Yong created OFBIZ-12097: -- Summary: Date picker not initialised in ajax-called form Key: OFBIZ-12097 URL: https://issues.apache.org/jira/browse/OFBIZ-12097 Project: OFBiz Issue Type: Bug Components: base Affects Versions: Upcoming Branch Reporter: James Yong Assignee: James Yong Fix For: Upcoming Branch The date picker icon is missing when the form is called with ajax. To test: 1) Go to /catalog/control/ProductStoreFacilities?productStoreId=9000 2) Click Add Facility button -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252258#comment-17252258
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit c52f29e0ae7409884c620434def11f2c47bd380f in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c52f29e ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
We missed to unescape EcmaScript encoded strings in
UtilCoded::checkStringForHtmlSafe, ie in all form fields using allow-html="safe"
Thanks: 牛治 for report
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252256#comment-17252256
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit 540f5c80cd07c470712d8081a827e30a1c520554 in ofbiz-framework's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=540f5c8 ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
Prevents issues with integration tests
Conflicts handled by hand:
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252257#comment-17252257
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit 42571fb635964540ff217f5ecd0753a1fefd3078 in ofbiz-framework's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=42571fb ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
Prevents issues with integration tests
Conflicts handled by hand:
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Closed] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux closed OFBIZ-12096.
---
Fix Version/s: 17.12.05
18.12.01
Resolution: Fixed
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 18.12.01, 17.12.05
>
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252241#comment-17252241
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit c7fef0c409bca7c01d1f94e9431af52714398c58 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c7fef0c ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
We missed to unescape EcmaScript encoded strings in
UtilCoded::checkStringForHtmlSafe, ie in all form fields using allow-html="safe"
Thanks: 牛治 for report
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252239#comment-17252239
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit 637e02978cb0e11df0d202a2272055e3bf68e542 in ofbiz-framework's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=637e029 ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
We missed to unescape EcmaScript encoded strings in
UtilCoded::checkStringForHtmlSafe, ie in all form fields using allow-html="safe"
Thanks: 牛治 for report
Conflicts handled by hand => no functional changes in code (ude to IDE setting)
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252240#comment-17252240
]
ASF subversion and git services commented on OFBIZ-12096:
-
Commit d620550a5f0fb757d2af6f66af0d7b2e19f9cb6f in ofbiz-framework's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d620550 ]
Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo
(OFBIZ-12096)
We missed to unescape EcmaScript encoded strings in
UtilCoded::checkStringForHtmlSafe, ie in all form fields using allow-html="safe"
Thanks: 牛治 for report
Conflicts handled by hand => no functional changes in code (ude to IDE setting)
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
Jacques Le Roux created OFBIZ-12096:
---
Summary: Post-auth XSS vulnerability at
catalog/control/EditProductPromo
Key: OFBIZ-12096
URL: https://issues.apache.org/jira/browse/OFBIZ-12096
Project: OFBiz
Issue Type: Sub-task
Components: product/catalog
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
This vulnerability was reported by 牛治 :
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo
page have not a valid verification and result in an XSS attack.
Poc: Encode the characters of "alert('poruin')", and the poc
after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[
https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-12096:
Description:
This vulnerability was reported by 牛治 :
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo
page have not a valid verification and result in an XSS attack.
Poc: Encode the characters of "alert('poruin')", and the poc
after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
As this vulnerability is a post-auth we did not create a CVE
was:
This vulnerability was reported by 牛治 :
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo
page have not a valid verification and result in an XSS attack.
Poc: Encode the characters of "alert('poruin')", and the poc
after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> Post-auth XSS vulnerability at catalog/control/EditProductPromo
> ---
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
>
> This vulnerability was reported by 牛治 :
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the
> EditProductPromo page have not a valid verification and result in an XSS
> attack.
> Poc: Encode the characters of "alert('poruin')", and the poc
> after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is a post-auth we did not create a CVE
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12092) Update build.gradle to the latest dependencies
[
https://issues.apache.org/jira/browse/OFBIZ-12092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252184#comment-17252184
]
ASF subversion and git services commented on OFBIZ-12092:
-
Commit 3355c64f4c288e2dd23653fbd1c9fd61cd352d64 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3355c64 ]
Fixed: Update build.gradle to the latest dependencies (OFBIZ-12092)
After last changes jdom is missing when using framework only, certainly due to a
3rd party lib change that included it.
This fixes the issue, by not only adding last jdom lib ('org.jdom:jdom:2.0.2')
in build.gradle but also changing the import where used: they changed to jdom2!
> Update build.gradle to the latest dependencies
> --
>
> Key: OFBIZ-12092
> URL: https://issues.apache.org/jira/browse/OFBIZ-12092
> Project: OFBiz
> Issue Type: Sub-task
> Components: Gradle
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> See
> https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check
> for libs not upgraded.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Closed] (OFBIZ-12095) Change inline style to class for wait-spinner
[
https://issues.apache.org/jira/browse/OFBIZ-12095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Yong closed OFBIZ-12095.
--
Resolution: Fixed
> Change inline style to class for wait-spinner
> -
>
> Key: OFBIZ-12095
> URL: https://issues.apache.org/jira/browse/OFBIZ-12095
> Project: OFBiz
> Issue Type: Improvement
> Components: base
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: James Yong
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> Inline style not encouraged by Content Security Policy
> Will change from
> {code:java}
>
>
>
> {code}
> to
> {code:java}
>
>
>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OFBIZ-12095) Change inline style to class for wait-spinner
[
https://issues.apache.org/jira/browse/OFBIZ-12095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252149#comment-17252149
]
ASF subversion and git services commented on OFBIZ-12095:
-
Commit d45c3773397d09b0625662c5a8c32f9b503318cf in ofbiz-plugins's branch
refs/heads/trunk from James Yong
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=d45c377 ]
Improved: Change inline style to class for wait-spinner (OFBIZ-12095)
Inline style not encouraged by Content Security Policy
> Change inline style to class for wait-spinner
> -
>
> Key: OFBIZ-12095
> URL: https://issues.apache.org/jira/browse/OFBIZ-12095
> Project: OFBiz
> Issue Type: Improvement
> Components: base
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: James Yong
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> Inline style not encouraged by Content Security Policy
> Will change from
> {code:java}
>
>
>
> {code}
> to
> {code:java}
>
>
>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
