[jira] [Closed] (OFBIZ-12097) Date picker not initialised in ajax-called form
[ https://issues.apache.org/jira/browse/OFBIZ-12097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Yong closed OFBIZ-12097.
Resolution: Fixed

> Date picker not initialised in ajax-called form
>
> Key: OFBIZ-12097
> URL: https://issues.apache.org/jira/browse/OFBIZ-12097
> Project: OFBiz
> Issue Type: Bug
> Components: base
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: James Yong
> Priority: Minor
> Fix For: Upcoming Branch
>
> The date picker icon is missing when the form is called with ajax.
> To test:
> 1) Go to /catalog/control/ProductStoreFacilities?productStoreId=9000
> 2) Click Add Facility button

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OFBIZ-12097) Date picker not initialised in ajax-called form
[ https://issues.apache.org/jira/browse/OFBIZ-12097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252291#comment-17252291 ]

ASF subversion and git services commented on OFBIZ-12097:

Commit 483e77ea838d544772d5fe1592910bc3dbc9e177 in ofbiz-framework's branch refs/heads/trunk from James Yong
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=483e77e ]

Fixed: Date picker not initialised in ajax-called form (OFBIZ-12097)

Use inline script when request is ajax
[jira] [Created] (OFBIZ-12097) Date picker not initialised in ajax-called form
James Yong created OFBIZ-12097:

Summary: Date picker not initialised in ajax-called form
Key: OFBIZ-12097
URL: https://issues.apache.org/jira/browse/OFBIZ-12097
Project: OFBiz
Issue Type: Bug
Components: base
Affects Versions: Upcoming Branch
Reporter: James Yong
Assignee: James Yong
Fix For: Upcoming Branch

The date picker icon is missing when the form is called with ajax.
To test:
1) Go to /catalog/control/ProductStoreFacilities?productStoreId=9000
2) Click Add Facility button
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252258#comment-17252258 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit c52f29e0ae7409884c620434def11f2c47bd380f in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c52f29e ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

We missed unescaping EcmaScript-encoded strings in UtilCodec::checkStringForHtmlSafe, i.e. in all form fields using allow-html="safe"

Thanks: 牛治 for report

> Post-auth XSS vulnerability at catalog/control/EditProductPromo
>
> Key: OFBIZ-12096
> URL: https://issues.apache.org/jira/browse/OFBIZ-12096
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, 17.12.05
>
> This vulnerability was reported by 牛治:
> Locations:
> * catalog/control/EditProductPromo
> * catalog/control/EditProductPromoCode
> Description: the Promo Name and Promo Text input boxes on the EditProductPromo page do not have valid verification and result in an XSS attack.
> PoC: Encode the characters of "alert('poruin')", and the PoC after encoding is as follows
> "\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
> As this vulnerability is post-auth, we did not create a CVE
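The root cause named in the commit message above is a canonicalization gap: the HTML-safety check looked for markup in the raw field value, and a value written entirely as EcmaScript `\xHH` escapes contains no `<` for it to find. The Python below is an added illustration, not OFBiz code and not the actual change to UtilCodec::checkStringForHtmlSafe; the forbidden-markup list, the function names and the decoding routine are assumptions for this example. It compares a naive check against one that decodes JS escapes and HTML entities to a fixed point before checking, using the PoC string from the issue as constructed input.

```python
import html
import re

# Constructed input: the issue's PoC, i.e. "<script>alert('poruin')</script>" with every
# character written as an EcmaScript \xHH escape. The literal value holds no "<" at all.
ENCODED_POC = (
    "\\x3C\\x73\\x63\\x72\\x69\\x70\\x74\\x3E\\x61\\x6C\\x65\\x72\\x74\\x28\\x27"
    "\\x70\\x6F\\x72\\x75\\x69\\x6E\\x27\\x29\\x3C\\x2F\\x73\\x63\\x72\\x69\\x70\\x74\\x3E"
)

# Assumed policy for an allow-html="safe" style field: plain formatting tags are fine,
# active content is not. (OFBiz's real allow-list is not reproduced here.)
FORBIDDEN_MARKUP = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg)\b"   # active elements
    r"|javascript\s*:"                                 # script URLs
    r"|\son[a-z]+\s*=",                                # inline event handlers
    re.IGNORECASE,
)

# EcmaScript escapes: \xHH, \uHHHH and the backslash-quoted ' " \ characters.
_JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(['\"\\])")


def decode_js_escapes(s):
    """Undo one layer of EcmaScript string escaping."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return m.group(3)
    return _JS_ESCAPE.sub(repl, s)


def canonicalize(s, max_rounds=5):
    """Strip JS escapes and HTML entities until the value stops changing.

    Bounding the rounds turns deliberately deep nesting into a rejection
    instead of a CPU sink.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(decode_js_escapes(s))
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many encoding layers")


def is_html_safe_naive(value):
    """The flawed pattern: inspect the raw value only."""
    return FORBIDDEN_MARKUP.search(value) is None


def is_html_safe(value):
    """Canonicalize first, then inspect; undecodable input is treated as unsafe."""
    try:
        canonical = canonicalize(value)
    except ValueError:
        return False
    return FORBIDDEN_MARKUP.search(canonical) is None


if __name__ == "__main__":
    print("decoded PoC:", canonicalize(ENCODED_POC))
    print("naive check accepts encoded PoC:", is_html_safe_naive(ENCODED_POC))
    print("canonicalizing check accepts encoded PoC:", is_html_safe(ENCODED_POC))
    print("benign markup still accepted:", is_html_safe("<b>Summer</b> promo"))
```

The naive check rejects a raw `<script>` tag but accepts the escaped form, which is exactly the gap the report describes; the canonicalizing check decodes both JS escapes and entities in each round, so mixed encodings such as `\x26lt;script\x26gt;` are also caught, while plain `<b>` formatting still passes.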
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252256#comment-17252256 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit 540f5c80cd07c470712d8081a827e30a1c520554 in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=540f5c8 ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

Prevents issues with integration tests

Conflicts handled by hand:
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252257#comment-17252257 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit 42571fb635964540ff217f5ecd0753a1fefd3078 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=42571fb ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

Prevents issues with integration tests

Conflicts handled by hand:
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
[jira] [Closed] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12096.
Fix Version/s: 17.12.05, 18.12.01
Resolution: Fixed
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252241#comment-17252241 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit c7fef0c409bca7c01d1f94e9431af52714398c58 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c7fef0c ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

We missed unescaping EcmaScript-encoded strings in UtilCodec::checkStringForHtmlSafe, i.e. in all form fields using allow-html="safe"

Thanks: 牛治 for report
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252239#comment-17252239 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit 637e02978cb0e11df0d202a2272055e3bf68e542 in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=637e029 ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

We missed unescaping EcmaScript-encoded strings in UtilCodec::checkStringForHtmlSafe, i.e. in all form fields using allow-html="safe"

Thanks: 牛治 for report

Conflicts handled by hand => no functional changes in code (due to IDE setting)
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
[jira] [Commented] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252240#comment-17252240 ]

ASF subversion and git services commented on OFBIZ-12096:

Commit d620550a5f0fb757d2af6f66af0d7b2e19f9cb6f in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=d620550 ]

Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)

We missed unescaping EcmaScript-encoded strings in UtilCodec::checkStringForHtmlSafe, i.e. in all form fields using allow-html="safe"

Thanks: 牛治 for report

Conflicts handled by hand => no functional changes in code (due to IDE setting)
framework/base/src/main/java/org/apache/ofbiz/base/util/UtilCodec.java
[jira] [Created] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
Jacques Le Roux created OFBIZ-12096:

Summary: Post-auth XSS vulnerability at catalog/control/EditProductPromo
Key: OFBIZ-12096
URL: https://issues.apache.org/jira/browse/OFBIZ-12096
Project: OFBiz
Issue Type: Sub-task
Components: product/catalog
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux

This vulnerability was reported by 牛治:
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo page do not have valid verification and result in an XSS attack.
PoC: Encode the characters of "alert('poruin')", and the PoC after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
[jira] [Updated] (OFBIZ-12096) Post-auth XSS vulnerability at catalog/control/EditProductPromo
[ https://issues.apache.org/jira/browse/OFBIZ-12096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12096:

Description:
This vulnerability was reported by 牛治:
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo page do not have valid verification and result in an XSS attack.
PoC: Encode the characters of "alert('poruin')", and the PoC after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
As this vulnerability is post-auth, we did not create a CVE

was:
This vulnerability was reported by 牛治:
Locations:
* catalog/control/EditProductPromo
* catalog/control/EditProductPromoCode
Description: the Promo Name and Promo Text input boxes on the EditProductPromo page do not have valid verification and result in an XSS attack.
PoC: Encode the characters of "alert('poruin')", and the PoC after encoding is as follows
"\x3C\x73\x63\x72\x69\x70\x74\x3E\x61\x6C\x65\x72\x74\x28\x27\x70\x6F\x72\x75\x69\x6E\x27\x29\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"
[jira] [Commented] (OFBIZ-12092) Update build.gradle to the latest dependencies
[ https://issues.apache.org/jira/browse/OFBIZ-12092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252184#comment-17252184 ]

ASF subversion and git services commented on OFBIZ-12092:

Commit 3355c64f4c288e2dd23653fbd1c9fd61cd352d64 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3355c64 ]

Fixed: Update build.gradle to the latest dependencies (OFBIZ-12092)

After the last changes, jdom is missing when using the framework only, certainly due to a 3rd-party lib change that included it.
This fixes the issue not only by adding the last jdom lib ('org.jdom:jdom:2.0.2') in build.gradle but also by changing the imports where used: they changed to jdom2!

> Update build.gradle to the latest dependencies
>
> Key: OFBIZ-12092
> URL: https://issues.apache.org/jira/browse/OFBIZ-12092
> Project: OFBiz
> Issue Type: Sub-task
> Components: Gradle
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: Upcoming Branch
>
> See https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check for libs not upgraded.
[jira] [Closed] (OFBIZ-12095) Change inline style to class for wait-spinner
[ https://issues.apache.org/jira/browse/OFBIZ-12095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Yong closed OFBIZ-12095.
Resolution: Fixed

> Change inline style to class for wait-spinner
>
> Key: OFBIZ-12095
> URL: https://issues.apache.org/jira/browse/OFBIZ-12095
> Project: OFBiz
> Issue Type: Improvement
> Components: base
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: James Yong
> Priority: Minor
> Fix For: Upcoming Branch
>
> Inline style is not encouraged by Content Security Policy.
> Will change from
> {code:java}
> {code}
> to
> {code:java}
> {code}
[jira] [Commented] (OFBIZ-12095) Change inline style to class for wait-spinner
[ https://issues.apache.org/jira/browse/OFBIZ-12095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17252149#comment-17252149 ]

ASF subversion and git services commented on OFBIZ-12095:

Commit d45c3773397d09b0625662c5a8c32f9b503318cf in ofbiz-plugins's branch refs/heads/trunk from James Yong
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=d45c377 ]

Improved: Change inline style to class for wait-spinner (OFBIZ-12095)

Inline style is not encouraged by Content Security Policy.