[jira] [Commented] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-22 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17385591#comment-17385591
 ] 

Xin Wang commented on OFBIZ-12274:
--

Hi [~danwatford],

LGTM, good job! 

I'll close my PR.

> Add FtlWriter.processWithArgs
> -
>
> Key: OFBIZ-12274
> URL: https://issues.apache.org/jira/browse/OFBIZ-12274
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Daniel Watford
>Priority: Major
> Attachments: 
> 0001-Rendering-RenderableFtlMacroCall-with-with_args.patch
>
>
> When calling FTL macro from Java side is needed, instead of crafting a 
> template string with carefully escaping. with newly added 
> FtlWriter.processWithArgs,  we can pass parameters using an environment 
> variable, and then invoke macro with "with_args" builtin. With this approach, 
> it both makes cleaner code and free of fragile escaping.
> As an example, I also changes MacroFormRenderer.makeHyperlinkString to make 
> use of this new facility.
> I have created a GitHub PR for this: 
> https://github.com/apache/ofbiz-framework/pull/307



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-07-12 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17379454#comment-17379454
 ] 

Xin Wang commented on OFBIZ-12272:
--

Hi [~nmalin],

With your latest commit, error messages can be displayed now.

Now there is another problem, the reproduce steps are mostly same to the 
previous one, with one additional step:

a) create a WorkEffort with type as "Available" and status as "[General] 
Cancelled"
b) update this newly created WorkEffort, change status to "[Task] Completed" 
and click "save"
c) after an error message is displayed, click the "save" button again

In step (c), an "undefined" message with black background color is displayed.

> Miscellaneous improvements to FindWorkEffort screen
> ---
>
> Key: OFBIZ-12272
> URL: https://issues.apache.org/jira/browse/OFBIZ-12272
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Nicolas Malin
>Priority: Major
> Attachments: 
> 0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch, 
> OFBIZ-12272-WithDynamism.patch
>
>
> Attached patch add miscellaneous improvements to FindWorkEffort screen:
> 1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to 
> show results without click "Find" button
> 2. Change response type of deleteWorkEffort from "view" to 
> "request-redirect", so that user can stay in FindWorkEffort screen after 
> deletion
> 3. Remove "buttontext" widget style of workEffortId column, as text of this 
> column also contains workEffortName, and it may be very long and even wrapped 
> for two lines, "buttontext" does not fit it quite well
> 4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
> most of the columns (except "description")
> 5. Change "workEffortId" field text from "${workEffortName} 
> [${workEffortId}]" to "[${workEffortId}] ${workEffortName}", to be consistent 
> with the sort order, as this column is sort by workEffortId





[jira] [Commented] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-10 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17378445#comment-17378445
 ] 

Xin Wang commented on OFBIZ-12274:
--

Hi [~danwatford],

 I have attached a patch to update RenderableFtlMacroCall to use with_args. 
It is mostly just a POC, as I'm not quite comfortable with my modification.

I think you are more suitable to do that job, so feel free to do anything based 
on this patch. :D

> Add FtlWriter.processWithArgs
> -
>
> Key: OFBIZ-12274
> URL: https://issues.apache.org/jira/browse/OFBIZ-12274
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Rendering-RenderableFtlMacroCall-with-with_args.patch
>
>
> When calling FTL macro from Java side is needed, instead of crafting a 
> template string with carefully escaping. with newly added 
> FtlWriter.processWithArgs,  we can pass parameters using an environment 
> variable, and then invoke macro with "with_args" builtin. With this approach, 
> it both makes cleaner code and free of fragile escaping.
> As an example, I also changes MacroFormRenderer.makeHyperlinkString to make 
> use of this new facility.
> I have created a GitHub PR for this: 
> https://github.com/apache/ofbiz-framework/pull/307





[jira] [Updated] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-10 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12274:
-
Attachment: 0001-Rendering-RenderableFtlMacroCall-with-with_args.patch

> Add FtlWriter.processWithArgs
> -
>
> Key: OFBIZ-12274
> URL: https://issues.apache.org/jira/browse/OFBIZ-12274
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Rendering-RenderableFtlMacroCall-with-with_args.patch
>
>
> When calling FTL macro from Java side is needed, instead of crafting a 
> template string with carefully escaping. with newly added 
> FtlWriter.processWithArgs,  we can pass parameters using an environment 
> variable, and then invoke macro with "with_args" builtin. With this approach, 
> it both makes cleaner code and free of fragile escaping.
> As an example, I also changes MacroFormRenderer.makeHyperlinkString to make 
> use of this new facility.
> I have created a GitHub PR for this: 
> https://github.com/apache/ofbiz-framework/pull/307





[jira] [Comment Edited] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-07-10 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17378410#comment-17378410
 ] 

Xin Wang edited comment on OFBIZ-12272 at 7/10/21, 7:07 AM:


Hi [~nmalin],

Find some time to have a try with your patch, a big improvement! I really 
appreciate it.

Following are two problems I encountered when trying some simple CRUD tests:

1. Error message is not displayed when updating is failed, steps to reproduce:

a) create a WorkEffort with type as "Available" and status as "[General] 
Cancelled"
 b) update this newly created WorkEffort, change status to "[Task] Completed"

Step (b) should be failed and an error message should be displayed.

2. The height of modal dialog seems not be adjusted according to the contained 
contents, e.g.:

a) In creating dialog, there is some blank at the bottom of modal dialog
 b) in updating dialog, contents is overflowed and a scrollbar is displayed in 
modal dialog

I'm using Edge 91.0.864.67 in a 1920x1080 laptop display, with FlatGrey theme.


was (Author: dram):
Hi [~nmalin],


Find some time to have a try with your patch, a big improvement! I really 
appreciate it.


Following are two problems I encountered when trying some simple CRUD tests:


1. Error message is not displayed when updating is failed, steps to reproduce:

a) create a WorkEffort with type as "Available" and status as "[General] 
Cancelled"
 b) update this newly created WorkEffort, change status to "[Task] Completed"

Step (b) should be failed and an error message should be displayed.


2. The height of modal dialog seems not be adjusted according to the contained 
contents, e.g.:

a) In creating dialog, there is some blank at the bottom of modal dialog
 b) in updating dialog, contents is overflowed and a scrollbar is displayed in 
modal dialog

I'm using Edge 91.0.864.67 in a 1920x1080 laptop display.

> Miscellaneous improvements to FindWorkEffort screen
> ---
>
> Key: OFBIZ-12272
> URL: https://issues.apache.org/jira/browse/OFBIZ-12272
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Nicolas Malin
>Priority: Major
> Attachments: 
> 0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch, 
> OFBIZ-12272-WithDynamism.patch
>
>
> Attached patch add miscellaneous improvements to FindWorkEffort screen:
> 1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to 
> show results without click "Find" button
> 2. Change response type of deleteWorkEffort from "view" to 
> "request-redirect", so that user can stay in FindWorkEffort screen after 
> deletion
> 3. Remove "buttontext" widget style of workEffortId column, as text of this 
> column also contains workEffortName, and it may be very long and even wrapped 
> for two lines, "buttontext" does not fit it quite well
> 4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
> most of the columns (except "description")
> 5. Change "workEffortId" field text from "${workEffortName} 
> [${workEffortId}]" to "[${workEffortId}] ${workEffortName}", to be consistent 
> with the sort order, as this column is sort by workEffortId





[jira] [Commented] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-07-10 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17378410#comment-17378410
 ] 

Xin Wang commented on OFBIZ-12272:
--

Hi [~nmalin],


Find some time to have a try with your patch, a big improvement! I really 
appreciate it.


Following are two problems I encountered when trying some simple CRUD tests:


1. Error message is not displayed when updating is failed, steps to reproduce:

a) create a WorkEffort with type as "Available" and status as "[General] 
Cancelled"
 b) update this newly created WorkEffort, change status to "[Task] Completed"

Step (b) should be failed and an error message should be displayed.


2. The height of modal dialog seems not be adjusted according to the contained 
contents, e.g.:

a) In creating dialog, there is some blank at the bottom of modal dialog
 b) in updating dialog, contents is overflowed and a scrollbar is displayed in 
modal dialog

I'm using Edge 91.0.864.67 in a 1920x1080 laptop display.

> Miscellaneous improvements to FindWorkEffort screen
> ---
>
> Key: OFBIZ-12272
> URL: https://issues.apache.org/jira/browse/OFBIZ-12272
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Nicolas Malin
>Priority: Major
> Attachments: 
> 0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch, 
> OFBIZ-12272-WithDynamism.patch
>
>
> Attached patch add miscellaneous improvements to FindWorkEffort screen:
> 1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to 
> show results without click "Find" button
> 2. Change response type of deleteWorkEffort from "view" to 
> "request-redirect", so that user can stay in FindWorkEffort screen after 
> deletion
> 3. Remove "buttontext" widget style of workEffortId column, as text of this 
> column also contains workEffortName, and it may be very long and even wrapped 
> for two lines, "buttontext" does not fit it quite well
> 4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
> most of the columns (except "description")
> 5. Change "workEffortId" field text from "${workEffortName} 
> [${workEffortId}]" to "[${workEffortId}] ${workEffortName}", to be consistent 
> with the sort order, as this column is sort by workEffortId





[jira] [Commented] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-07-07 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17376644#comment-17376644
 ] 

Xin Wang commented on OFBIZ-12272:
--

Hi [~nmalin],

I'll have a look at that in this weekend, just a bit busy in recent days.

> Miscellaneous improvements to FindWorkEffort screen
> ---
>
> Key: OFBIZ-12272
> URL: https://issues.apache.org/jira/browse/OFBIZ-12272
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Nicolas Malin
>Priority: Major
> Attachments: 
> 0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch, 
> OFBIZ-12272-WithDynamism.patch
>
>
> Attached patch add miscellaneous improvements to FindWorkEffort screen:
> 1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to 
> show results without click "Find" button
> 2. Change response type of deleteWorkEffort from "view" to 
> "request-redirect", so that user can stay in FindWorkEffort screen after 
> deletion
> 3. Remove "buttontext" widget style of workEffortId column, as text of this 
> column also contains workEffortName, and it may be very long and even wrapped 
> for two lines, "buttontext" does not fit it quite well
> 4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
> most of the columns (except "description")
> 5. Change "workEffortId" field text from "${workEffortName} 
> [${workEffortId}]" to "[${workEffortId}] ${workEffortName}", to be consistent 
> with the sort order, as this column is sort by workEffortId





[jira] [Commented] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17374807#comment-17374807
 ] 

Xin Wang commented on OFBIZ-12274:
--

Hi [~danwatford],

I think I have got your point. I'm quite busy this week, will have a closer 
look at RenderableFtl this weekend or next week, to see whether it is possible 
to implement with_args mechanism in RenderableFtl.

> Add FtlWriter.processWithArgs
> -
>
> Key: OFBIZ-12274
> URL: https://issues.apache.org/jira/browse/OFBIZ-12274
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
>
> When calling FTL macro from Java side is needed, instead of crafting a 
> template string with carefully escaping. with newly added 
> FtlWriter.processWithArgs,  we can pass parameters using an environment 
> variable, and then invoke macro with "with_args" builtin. With this approach, 
> it both makes cleaner code and free of fragile escaping.
> As an example, I also changes MacroFormRenderer.makeHyperlinkString to make 
> use of this new facility.
> I have created a GitHub PR for this: 
> https://github.com/apache/ofbiz-framework/pull/307





[jira] [Commented] (OFBIZ-12270) Add menu-container-style to calendar menu

2021-07-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17374794#comment-17374794
 ] 

Xin Wang commented on OFBIZ-12270:
--

Hi [~jleroux],

I have attached two images, show difference between patch applied or not.

Hope that helps.

> Add menu-container-style to calendar menu
> -
>
> Key: OFBIZ-12270
> URL: https://issues.apache.org/jira/browse/OFBIZ-12270
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Minor
> Attachments: 0001-Add-menu-container-style-to-calendar-menu.patch, 
> with-patch.png, without-patch.png
>
>
> Attached patch try to make calendar menu more appealing in Helveticus theme, 
> Without this, menu items will be squeezed together.
>  
> See this for example: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/calendar
>  





[jira] [Updated] (OFBIZ-12270) Add menu-container-style to calendar menu

2021-07-05 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12270:
-
Attachment: with-patch.png

> Add menu-container-style to calendar menu
> -
>
> Key: OFBIZ-12270
> URL: https://issues.apache.org/jira/browse/OFBIZ-12270
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Minor
> Attachments: 0001-Add-menu-container-style-to-calendar-menu.patch, 
> with-patch.png, without-patch.png
>
>
> Attached patch try to make calendar menu more appealing in Helveticus theme, 
> Without this, menu items will be squeezed together.
>  
> See this for example: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/calendar
>  





[jira] [Updated] (OFBIZ-12270) Add menu-container-style to calendar menu

2021-07-05 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12270:
-
Attachment: without-patch.png

> Add menu-container-style to calendar menu
> -
>
> Key: OFBIZ-12270
> URL: https://issues.apache.org/jira/browse/OFBIZ-12270
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Minor
> Attachments: 0001-Add-menu-container-style-to-calendar-menu.patch, 
> with-patch.png, without-patch.png
>
>
> Attached patch try to make calendar menu more appealing in Helveticus theme, 
> Without this, menu items will be squeezed together.
>  
> See this for example: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/calendar
>  





[jira] [Commented] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-04 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17374298#comment-17374298
 ] 

Xin Wang commented on OFBIZ-12274:
--

Hi [~danwatford] ,

I take a look at RenderableFtlMacroCall, the internal process seems different 
from FtlWriter.processWithArgs which I proposed.

Take makeHyperlinkString for example, with RenderableFtlMacroCall, the 
rendering steps are:

1. Encode parameters into strings, with necessary escaping
2. Concatenate macro name and parameters into a template string, that string 
may be long
3. Let FreeMarker parse that template string and invoke included macro

With FtlWriter.processWithArgs, the steps are:

1. Wrap parameters using DefaultObjectWrapper, to turn Java data structures 
into FreeMarker ones
2. Pass wrapped parameters into template environment, using 
Environment.setVariable, with a temporary variable name, e.g.: 
$args$makeHyperlinkString
3. Let FreeMarker parse and invoke a template with mostly fixed length, e.g. 
<@makeHyperlinkString?with_args($args$makeHyperlinkString)/>

I think the improvements introduced by FtlWriter.processWithArgs include:

1. No escaping is needed, as parameters are passed as FreeMarker data structures
2. The temporary template string is smaller, as no parameter strings are 
included
3. It is future-proofed, if FreeMarker expose a stable Macro API in the future 
(for now, freemarker.core.Macro is deprecated), it is relatively easy to make 
use of it

> Add FtlWriter.processWithArgs
> -
>
> Key: OFBIZ-12274
> URL: https://issues.apache.org/jira/browse/OFBIZ-12274
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
>
> When calling FTL macro from Java side is needed, instead of crafting a 
> template string with carefully escaping. with newly added 
> FtlWriter.processWithArgs,  we can pass parameters using an environment 
> variable, and then invoke macro with "with_args" builtin. With this approach, 
> it both makes cleaner code and free of fragile escaping.
> As an example, I also changes MacroFormRenderer.makeHyperlinkString to make 
> use of this new facility.
> I have created a GitHub PR for this: 
> https://github.com/apache/ofbiz-framework/pull/307



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
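
The two rendering paths compared in the comment above, as an added example that is not code from OFBiz or from PR 307. The macro `renderLink`, the variable name `callArgs` and the sample values are hypothetical; it assumes FreeMarker 2.3.30 or later on the classpath, since it relies on the `with_args` builtin.

```java
import freemarker.cache.StringTemplateLoader;
import freemarker.core.Environment;
import freemarker.template.Configuration;
import freemarker.template.Template;

import java.io.StringWriter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

public class WithArgsDemo {
    // Hypothetical two-parameter macro standing in for makeHyperlinkString.
    static final String LIB =
        "<#macro renderLink url text><a href=\"${url?html}\">${text?html}</a></#macro>";

    static Configuration newConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("lib.ftl", LIB);
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    // Path 1: parameters are spliced into the template source, so every value
    // becomes FTL syntax and must be escaped perfectly by the caller.
    static String viaConcatenation(Configuration cfg, String url, String text) throws Exception {
        String src = "<#import \"lib.ftl\" as lib>"
                   + "<@lib.renderLink url=\"" + url + "\" text=\"" + text + "\"/>";
        StringWriter out = new StringWriter();
        new Template("concat-call", src, cfg).process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Path 2: the template source is fixed; parameters travel as wrapped data
    // in an environment variable and are applied with ?with_args.
    static String viaWithArgs(Configuration cfg, String url, String text) throws Exception {
        Map<String, Object> args = new LinkedHashMap<>();
        args.put("url", url);
        args.put("text", text);

        String src = "<#import \"lib.ftl\" as lib><@lib.renderLink?with_args(callArgs)/>";
        StringWriter out = new StringWriter();
        Environment env = new Template("fixed-call", src, cfg)
                .createProcessingEnvironment(new HashMap<String, Object>(), out);
        // Wrap the Java map into a FreeMarker hash and expose it to the template.
        env.setVariable("callArgs", cfg.getObjectWrapper().wrap(args));
        env.process();
        return out.toString();
    }

    public static void main(String[] argv) throws Exception {
        Configuration cfg = newConfig();
        // Constructed sample values: the text holds a double quote and an
        // interpolation-like sequence, both meaningful to the FTL parser.
        String url = "/catalog/item?id=1&v=2";
        String text = "5\" bracket for ${model}";

        try {
            System.out.println("concatenation: " + viaConcatenation(cfg, url, text));
        } catch (Exception e) {
            // The unescaped value changed the template's syntax.
            System.out.println("concatenation failed: " + e.getClass().getSimpleName());
        }
        // The same value is treated purely as data here.
        System.out.println("with_args:     " + viaWithArgs(cfg, url, text));
    }
}
```

In the second path the value never reaches the FTL parser, so no caller-side escaping of template syntax is involved; HTML escaping of the output remains the macro's own job.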


[jira] [Created] (OFBIZ-12275) Upgrade Apache Shiro to 1.7.1

2021-07-04 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12275:


 Summary: Upgrade Apache Shiro to 1.7.1
 Key: OFBIZ-12275
 URL: https://issues.apache.org/jira/browse/OFBIZ-12275
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang


As stated by comment, after upgrading Shiro to latest version, an EntityCrypto 
exception will be triggered when loading data.

After some investigation, I found that the default padding scheme of ECB mode 
in Shiro is different between v1.4.1 and v1.7.1, i.e.:

v1.4.1 getPaddingSchemeName() output: PKCS5Padding

v1.7.1 getPaddingSchemeName() output: NoPadding

After specifying padding scheme explicitly, EntityCrypto exception does not 
raise anymore.

I'll create a pull request in GitHub.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
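
What a silent change of padding scheme does to data encrypted earlier, as an added example that is not code from OFBiz or Shiro. It uses the JDK's `javax.crypto` directly with the two padding names quoted in the report; the key and plaintext are constructed, and how EntityCrypto itself reacts is not shown on this page.

```java
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class EcbPaddingMismatch {
    static byte[] run(String transformation, int mode, byte[] key, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(mode, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                       // constructed demo key, all zero bytes
        byte[] plain = "sample-value".getBytes(StandardCharsets.UTF_8); // 12 bytes, not block aligned

        // Data written while the effective padding scheme was PKCS5Padding.
        byte[] stored = run("AES/ECB/PKCS5Padding", Cipher.ENCRYPT_MODE, key, plain);

        // Reading it back with the same explicit transformation round-trips.
        byte[] same = run("AES/ECB/PKCS5Padding", Cipher.DECRYPT_MODE, key, stored);
        System.out.println("explicit PKCS5Padding round-trip ok: " + Arrays.equals(plain, same));

        // Reading it back under NoPadding does not fail, but the padding bytes
        // stay attached to the plaintext, so the value no longer matches.
        byte[] raw = run("AES/ECB/NoPadding", Cipher.DECRYPT_MODE, key, stored);
        System.out.println("NoPadding decrypt length: " + raw.length
                + ", equals original: " + Arrays.equals(plain, raw));

        // Writing new, non-block-aligned data under NoPadding is rejected outright.
        try {
            run("AES/ECB/NoPadding", Cipher.ENCRYPT_MODE, key, plain);
            System.out.println("NoPadding encrypt unexpectedly succeeded");
        } catch (IllegalBlockSizeException e) {
            System.out.println("NoPadding encrypt rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Pinning the full transformation, padding included, keeps stored ciphertext readable across library upgrades that change defaults.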


[jira] [Commented] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-07-02 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17373853#comment-17373853
 ] 

Xin Wang commented on OFBIZ-12272:
--

Hi [~nmalin] ,

No problem, feel free to add more improvements.

> Miscellaneous improvements to FindWorkEffort screen
> ---
>
> Key: OFBIZ-12272
> URL: https://issues.apache.org/jira/browse/OFBIZ-12272
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Nicolas Malin
>Priority: Major
> Attachments: 
> 0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch
>
>
> Attached patch add miscellaneous improvements to FindWorkEffort screen:
> 1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to 
> show results without click "Find" button
> 2. Change response type of deleteWorkEffort from "view" to 
> "request-redirect", so that user can stay in FindWorkEffort screen after 
> deletion
> 3. Remove "buttontext" widget style of workEffortId column, as text of this 
> column also contains workEffortName, and it may be very long and even wrapped 
> for two lines, "buttontext" does not fit it quite well
> 4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
> most of the columns (except "description")
> 5. Change "workEffortId" field text from "${workEffortName} 
> [${workEffortId}]" to "[${workEffortId}] ${workEffortName}", to be consistent 
> with the sort order, as this column is sort by workEffortId





[jira] [Created] (OFBIZ-12274) Add FtlWriter.processWithArgs

2021-07-02 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12274:


 Summary: Add FtlWriter.processWithArgs
 Key: OFBIZ-12274
 URL: https://issues.apache.org/jira/browse/OFBIZ-12274
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang


When calling an FTL macro from the Java side is needed, instead of crafting a 
template string with careful escaping, with the newly added 
FtlWriter.processWithArgs we can pass parameters using an environment variable, 
and then invoke the macro with the "with_args" builtin. With this approach, the 
code is both cleaner and free of fragile escaping.

As an example, I also changed MacroFormRenderer.makeHyperlinkString to make use 
of this new facility.

I have created a GitHub PR for this: 
https://github.com/apache/ofbiz-framework/pull/307





[jira] [Created] (OFBIZ-12272) Miscellaneous improvements to FindWorkEffort screen

2021-06-30 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12272:


 Summary: Miscellaneous improvements to FindWorkEffort screen
 Key: OFBIZ-12272
 URL: https://issues.apache.org/jira/browse/OFBIZ-12272
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang
 Attachments: 
0001-Miscellaneous-improvements-to-FindWorkEffort-screen.patch

Attached patch add miscellaneous improvements to FindWorkEffort screen:

1. Add "noConditionFind" field with value "Y" to FindWorkEffort screen to show 
results without click "Find" button
2. Change response type of deleteWorkEffort from "view" to "request-redirect", 
so that user can stay in FindWorkEffort screen after deletion
3. Remove "buttontext" widget style of workEffortId column, as text of this 
column also contains workEffortName, and it may be very long and even wrapped 
for two lines, "buttontext" does not fit it quite well
4. Change ListWorkEfforts from "form" to "grid", and enable "sort-field" for 
most of the columns (except "description")
5. Change "workEffortId" field text from "${workEffortName} [${workEffortId}]" 
to "[${workEffortId}] ${workEffortName}", to be consistent with the sort order, 
as this column is sort by workEffortId





[jira] [Created] (OFBIZ-12271) Add TASK_STATUS to `status' field options in EditCalEvent form

2021-06-29 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12271:


 Summary: Add TASK_STATUS to `status' field options in EditCalEvent 
form
 Key: OFBIZ-12271
 URL: https://issues.apache.org/jira/browse/OFBIZ-12271
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang
 Attachments: 
0001-Add-TASK_STATUS-to-status-field-options-in-EditCalEv.patch

As WorkEffort entities with type as `Task' and a non-empty `Estimated Start 
Date' will be included in calendar page, so TASK_STATUS should be added to 
EditCalEvent, to make task status be correctly displayed and updated. 

1. Go to page: 
https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffort
2. Create a WorkEffort with {{Type}} as {{Task}}, {{Status}} as {{[Task] 
Accepted}}, and select {{Now}} for {{Estimated Start Date}}
3. Go to page: https://demo-trunk.ofbiz.apache.org/workeffort/control/calendar
4. Select the newly added task entry in the calendar, to show the edit form

In step 4, task status will be shown as {{In Planning}}, instead of 
{{Accepted}}.

Attached patch try to fix this problem.






[jira] [Created] (OFBIZ-12270) Add menu-container-style to calendar menu

2021-06-29 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12270:


 Summary: Add menu-container-style to calendar menu
 Key: OFBIZ-12270
 URL: https://issues.apache.org/jira/browse/OFBIZ-12270
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang
 Attachments: 0001-Add-menu-container-style-to-calendar-menu.patch

Attached patch try to make calendar menu more appealing in Helveticus theme, 
Without this, menu items will be squeezed together.

 

See this for example: 
https://demo-trunk.ofbiz.apache.org/workeffort/control/calendar

 





[jira] [Commented] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-22 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17367500#comment-17367500
 ] 

Xin Wang commented on OFBIZ-12255:
--

Hi [~jleroux], thanks! all is committed, confirmed. :)

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but session is 
> shared globally, so the smallest one take effects, and it will not take 
> effort separately for different apps.
> Then it is both inconvenient and confusing to increase session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Commented] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-22 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17367201#comment-17367201
 ] 

Xin Wang commented on OFBIZ-12255:
--

Thanks, [~jleroux].

BTW, skimming through the commit message, it seems that newly added file 
{{framework/catalina/config/web.xml}} is missing in the commit, which is 
contained in the patch file.

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but session is 
> shared globally, so the smallest one take effects, and it will not take 
> effort separately for different apps.
> Then it is both inconvenient and confusing to increase session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Commented] (OFBIZ-12260) Xml Element Link type hidden-form fail to resolve the form

2021-06-18 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17365818#comment-17365818
 ] 

Xin Wang commented on OFBIZ-12260:
--

[~nmalin] glad to see that it works, LGTM.

> Xml Element Link type hidden-form fail to resolve the form
> --
>
> Key: OFBIZ-12260
> URL: https://issues.apache.org/jira/browse/OFBIZ-12260
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework/widget
>Affects Versions: Trunk
>Reporter: Nicolas Malin
>Assignee: Nicolas Malin
>Priority: Major
>  Labels: screen, widget
> Attachments: OFBIZ-12260.patch, OFBIZ-12260.patch
>
>
> When you generate a link with the type hidden-form and the link present an 
> update area, on the click jquery failed to resolve the form.
> Example of a current link generate
> {code:java}
>  href="javascript:ajaxSubmitFormUpdateAreas('ListProductMeterActionMenus_delete_LF_1__0',
>  
> 'embedded13009956-a841-47d3-86b1-b1931e6b430e,https://localhost:8443/catalog/control/ListProductMeters,productId=GZ-1000')">javascript:ajaxSubmitFormUpdateAreas('ListProductMeterActionMenus_delete_LF_1__0',
>  
> 'embedded13009956-a841-47d3-86b1-b1931e6b430e,https://localhost:8443/catalog/control/ListProductMeters,productId=GZ-1000'){code}
> The problem come from OfbizUtil.js:748
> {code:java}
> var $form = jQuery("#" + form){code}
> To solve the it this, I propose to extend all hidden-form with add the 
> missing id attribute.





[jira] [Commented] (OFBIZ-12260) Xml Element Link type hidden-form fail to resolve the form

2021-06-18 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17365573#comment-17365573
 ] 

Xin Wang commented on OFBIZ-12260:
--

Is this issue related to OFBIZ-11810? Although I did not understand this 
problem fully, I kind of think that instead of adding an {{id}} attribute, we can 
select the form by name, e.g. {{jQuery("form[name='" + form + "']")}}. Even better, 
we can pass the form object directly into {{ajaxSubmitFormUpdateAreas()}}, using 
{{document.${uniqueItemName}}}.

> Xml Element Link type hidden-form fail to resolve the form
> --
>
> Key: OFBIZ-12260
> URL: https://issues.apache.org/jira/browse/OFBIZ-12260
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework/widget
>Affects Versions: Trunk
>Reporter: Nicolas Malin
>Assignee: Nicolas Malin
>Priority: Major
>  Labels: screen, widget
> Attachments: OFBIZ-12260.patch
>
>
> When you generate a link with the type hidden-form and the link presents an 
> update area, jQuery fails to resolve the form on click.
> Example of a currently generated link:
> {code:java}
>  href="javascript:ajaxSubmitFormUpdateAreas('ListProductMeterActionMenus_delete_LF_1__0',
>  
> 'embedded13009956-a841-47d3-86b1-b1931e6b430e,https://localhost:8443/catalog/control/ListProductMeters,productId=GZ-1000')">javascript:ajaxSubmitFormUpdateAreas('ListProductMeterActionMenus_delete_LF_1__0',
>  
> 'embedded13009956-a841-47d3-86b1-b1931e6b430e,https://localhost:8443/catalog/control/ListProductMeters,productId=GZ-1000'){code}
> The problem comes from OfbizUtil.js:748
> {code:java}
> var $form = jQuery("#" + form){code}
> To solve this, I propose to extend all hidden-form links by adding the 
> missing id attribute.





[jira] [Commented] (OFBIZ-11810) Element link can update partial area

2021-06-18 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17365568#comment-17365568
 ] 

Xin Wang commented on OFBIZ-11810:
--

Interesting that I failed to reproduce the problem raised by [~holivier]. Did I 
do something wrong? See the following link:

https://demo-trunk.ofbiz.apache.org/ordermgr/control/ViewRequest?custRequestId=1

> Element link can update partial area
> 
>
> Key: OFBIZ-11810
> URL: https://issues.apache.org/jira/browse/OFBIZ-11810
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework/widget
>Affects Versions: Trunk
>Reporter: Nicolas Malin
>Assignee: Nicolas Malin
>Priority: Major
>  Labels: screen, widget
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11808-OFBIZ-11810.patch
>
>
> Currently, displaying information easily and dynamically on a sub-screen 
> (for example a related element) is not possible without 
> writing specific JS code. An easy step would be to add a new link type, 
> update-area, to indicate to the theme that we want to refresh only a local 
> area after the call.
> {code:xml}
>  target-window="detail">
>  from-field="productCategory.productCategoryId"/>
> 
> {code}





[jira] [Commented] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-15 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17363685#comment-17363685
 ] 

Xin Wang commented on OFBIZ-12255:
--

Hi Jacques,

Sorry for the late reply. I've been a bit busy recently; I will write a mail to 
the mailing list soon.

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but the session is 
> shared globally, so the smallest one takes effect, and it will not take 
> effect separately for different apps.
> Then it is both inconvenient and confusing to increase the session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Commented] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-11 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17361777#comment-17361777
 ] 

Xin Wang commented on OFBIZ-12255:
--

Hi [~pierresmits],

Thank you for your kind words.

I also thought about this, but hesitated to integrate more configurations, as 
I'm a bit new to OFBiz. Hope that someone who is more familiar with the 
overall system can continue this work. :D

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but the session is 
> shared globally, so the smallest one takes effect, and it will not take 
> effect separately for different apps.
> Then it is both inconvenient and confusing to increase the session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Updated] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-10 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12255:
-
Attachment: 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but the session is 
> shared globally, so the smallest one takes effect, and it will not take 
> effect separately for different apps.
> Then it is both inconvenient and confusing to increase the session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Commented] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-10 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17361293#comment-17361293
 ] 

Xin Wang commented on OFBIZ-12255:
--

A patch is attached.

> Add global web.xml to simplify session timeout configuration
> 
>
> Key: OFBIZ-12255
> URL: https://issues.apache.org/jira/browse/OFBIZ-12255
> Project: OFBiz
>  Issue Type: Improvement
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Improved-Add-global-web.xml-to-simplify-session-time.patch
>
>
> Currently, session timeout is configured in apps separately, but the session is 
> shared globally, so the smallest one takes effect, and it will not take 
> effect separately for different apps.
> Then it is both inconvenient and confusing to increase the session timeout value, 
> as all values in those files need to be updated.
> I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Created] (OFBIZ-12255) Add global web.xml to simplify session timeout configuration

2021-06-10 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12255:


 Summary: Add global web.xml to simplify session timeout 
configuration
 Key: OFBIZ-12255
 URL: https://issues.apache.org/jira/browse/OFBIZ-12255
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Xin Wang


Currently, session timeout is configured in apps separately, but the session is 
shared globally, so the smallest one takes effect, and it will not take effect 
separately for different apps.

Then it is both inconvenient and confusing to increase the session timeout value, 
as all values in those files need to be updated.

I think a global web.xml is needed, to simplify session timeout configuration.





[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-08 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17359434#comment-17359434
 ] 

Xin Wang commented on OFBIZ-12249:
--

Hi Jacques,

To make my opinion clearer, I have filed another issue, OFBIZ-12254, which is 
related to an XSS vulnerability.

Although this vulnerability is only valid when `sanitizer.enable` is disabled, 
the point is that we can escape text properly to prevent that problem, 
without the help of the sanitizer, as shown in the attached patch.

> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: Image 005.png, Image 006.png, OFBIZ-12249.patch, 
> OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  





[jira] [Updated] (OFBIZ-12254) XSS vulnerability for ListWorkEfforts form

2021-06-08 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12254:
-
Attachment: 0001-Fixed-Escaping-description-text-for-hyperlink-OFBIZ-.patch

> XSS vulnerability for ListWorkEfforts form
> --
>
> Key: OFBIZ-12254
> URL: https://issues.apache.org/jira/browse/OFBIZ-12254
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Fixed-Escaping-description-text-for-hyperlink-OFBIZ-.patch
>
>
> If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be 
> vulnerable to XSS attack, because of incomplete escaping.
> Steps to reproduce:
> 1. Turn off `sanitizer.enable` in owasp.properties
> 2. Create a WorkEffort entity with name as `alert(1)`
> 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
> 4. Search for "Work Effort Name" which contains "script"





[jira] [Commented] (OFBIZ-12254) XSS vulnerability for ListWorkEfforts form

2021-06-08 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17359431#comment-17359431
 ] 

Xin Wang commented on OFBIZ-12254:
--

A patch has been attached.

> XSS vulnerability for ListWorkEfforts form
> --
>
> Key: OFBIZ-12254
> URL: https://issues.apache.org/jira/browse/OFBIZ-12254
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Fixed-Escaping-description-text-for-hyperlink-OFBIZ-.patch
>
>
> If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be 
> vulnerable to XSS attack, because of incomplete escaping.
> Steps to reproduce:
> 1. Turn off `sanitizer.enable` in owasp.properties
> 2. Create a WorkEffort entity with name as `alert(1)`
> 3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
> 4. Search for "Work Effort Name" which contains "script"





[jira] [Created] (OFBIZ-12254) XSS vulnerability for ListWorkEfforts form

2021-06-08 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12254:


 Summary: XSS vulnerability for ListWorkEfforts form
 Key: OFBIZ-12254
 URL: https://issues.apache.org/jira/browse/OFBIZ-12254
 Project: OFBiz
  Issue Type: Bug
Affects Versions: Trunk
Reporter: Xin Wang


If `sanitizer.enable` is turned off, `ListWorkEfforts` form will be vulnerable 
to XSS attack, because of incomplete escaping.

Steps to reproduce:

1. Turn off `sanitizer.enable` in owasp.properties
2. Create a WorkEffort entity with name as `alert(1)`
3. Go to page: http://localhost:8080/workeffort/control/FindWorkEffort
4. Search for "Work Effort Name" which contains "script"





[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-07 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358651#comment-17358651
 ] 

Xin Wang commented on OFBIZ-12249:
--

Hi Jacques,

Through the discussion, I have posted the following three examples, and with your 
revised patch, only the second one can be saved without unescaping:

1. https://example.com/a%20link
2. blah blah blah ... (see http://example.com/a%20link) ...
3. blah blah blah ... (http://example.com/a%20link) ...

I'll investigate this issue when I find time, but it seems that some 
fundamental changes are needed, so it may take some time.



> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: Image 005.png, OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  





[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-06 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358279#comment-17358279
 ] 

Xin Wang commented on OFBIZ-12249:
--

Hi Jacques,

Sorry that I posted an invalid example; you can try the following one:

blah blah blah ... (http://example.com/a%20link) ...

BTW, if we do not call `canonicalizeParameter' for parts of the text, and 
without full output encoding, it may open a security hole.

If we do output encoding completely, any text can be accepted, so my point is 
that we should accept any text the user submitted for free-form text input widgets, 
and encode that properly before HTML rendering.

> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: Image 005.png, OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  



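Added example (not part of the original thread and not OFBiz code): the position argued in the OFBIZ-12249 and OFBIZ-12254 comments above, that free-form text is stored as submitted and encoded when rendered, shown next to decode-on-input handling. The helper names and the markup-bearing fourth note are assumptions made for illustration; `canonicalizeInput` is a stand-in, not the body of `UtilHttp.canonicalizeParameter`.

```javascript
// Added example; helper names are hypothetical and this is not OFBiz code.

// Stand-in for decode-on-input handling: percent-decode until the value is stable.
function canonicalizeInput(value) {
  let current = value;
  for (let round = 0; round < 5; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (err) {
      break; // malformed escape (e.g. a literal "100% done"): keep the text as-is
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Output encoding for HTML element content and quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse of escapeHtml: models the text a browser displays for the encoded cell.
const HTML_UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function unescapeHtml(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (entity) => HTML_UNESCAPES[entity]);
}

// The stored note is untouched; encoding happens only at render time.
const CELL_OPEN = '<td class="note">';
const CELL_CLOSE = '</td>';
function renderNote(storedText) {
  return CELL_OPEN + escapeHtml(storedText) + CELL_CLOSE;
}

// The first three notes are the examples quoted in the thread;
// the fourth is constructed to carry markup and a bare percent sign.
const SAMPLE_NOTES = [
  'https://example.com/a%20link',
  'blah blah blah ... (see http://example.com/a%20link) ...',
  'blah blah blah ... (http://example.com/a%20link) ...',
  '<script>alert(1)</script> 100% done',
];

// For each note: does decode-on-input change it, and does store-raw plus
// encode-on-output both preserve the text and keep markup inert?
function compareHandling(notes) {
  return notes.map((note) => {
    const html = renderNote(note);
    const cell = html.slice(CELL_OPEN.length, html.length - CELL_CLOSE.length);
    return {
      note,
      alteredByInputDecoding: canonicalizeInput(note) !== note,
      html,
      roundTrips: unescapeHtml(cell) === note,
      rawMarkup: /[<>]/.test(cell),
    };
  });
}
```
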


[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-06 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358120#comment-17358120
 ] 

Xin Wang commented on OFBIZ-12249:
--

Hi Jacques,

It seems that the following example will be rejected by this new patch:
{quote}blah blah blah ... (see [http://example.com/a%20link]) ...
{quote}
I think that for free-form text input widgets, it is really hard to guess what 
kind of text will be submitted. What we can do is output encoding, instead of 
input sanitization.

> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  





[jira] [Closed] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

2021-06-06 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang closed OFBIZ-12252.

Resolution: Information Provided

> Session id `externalLoginKey' should not be included in URL
> ---
>
> Key: OFBIZ-12252
> URL: https://issues.apache.org/jira/browse/OFBIZ-12252
> Project: OFBiz
>  Issue Type: Bug
>Reporter: Xin Wang
>Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' 
> will be inserted into the URL as a query string. But sensitive info like that 
> should not be included in the URL if we are concerned about security, as it will be 
> exposed in the following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in the web server access log
> 3. It will be sent to other servers in the Referer header
> Anyone who gets this key can log into OFBiz without authentication, until that key 
> expires.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter





[jira] [Commented] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

2021-06-06 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358032#comment-17358032
 ] 

Xin Wang commented on OFBIZ-12252:
--

Hi Jacques,

Thank you for your detailed explanation!

As related issues have been fully discussed, I will close this one.

Thanks!

> Session id `externalLoginKey' should not be included in URL
> ---
>
> Key: OFBIZ-12252
> URL: https://issues.apache.org/jira/browse/OFBIZ-12252
> Project: OFBiz
>  Issue Type: Bug
>Reporter: Xin Wang
>Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' 
> will be inserted into the URL as a query string. But sensitive info like that 
> should not be included in the URL if we are concerned about security, as it will be 
> exposed in the following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in the web server access log
> 3. It will be sent to other servers in the Referer header
> Anyone who gets this key can log into OFBiz without authentication, until that key 
> expires.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter





[jira] [Commented] (OFBIZ-12253) Show WorkEffort names in FindWorkEffort page

2021-06-06 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358029#comment-17358029
 ] 

Xin Wang commented on OFBIZ-12253:
--

I have attached a simple patch to fix this issue.

> Show WorkEffort names in FindWorkEffort page
> 
>
> Key: OFBIZ-12253
> URL: https://issues.apache.org/jira/browse/OFBIZ-12253
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Fixed-Show-WorkEffort-names-in-FindWorkEffort-page-O.patch
>
>
> In the FindWorkEffort page ( 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/FindWorkEffort ), 
> "Work Effort Name" can be specified as a search option, but the result table does 
> not show it.
> I think it would be nice if WorkEffort names can be displayed. Actually, 
> there is some code around there already, but it does not work properly (see 
> the workEffortId field definition in the ListWorkEfforts form).





[jira] [Updated] (OFBIZ-12253) Show WorkEffort names in FindWorkEffort page

2021-06-06 Thread Xin Wang (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xin Wang updated OFBIZ-12253:
-
Attachment: 0001-Fixed-Show-WorkEffort-names-in-FindWorkEffort-page-O.patch

> Show WorkEffort names in FindWorkEffort page
> 
>
> Key: OFBIZ-12253
> URL: https://issues.apache.org/jira/browse/OFBIZ-12253
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: 
> 0001-Fixed-Show-WorkEffort-names-in-FindWorkEffort-page-O.patch
>
>
> In the FindWorkEffort page ( 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/FindWorkEffort ), 
> "Work Effort Name" can be specified as a search option, but the result table does 
> not show it.
> I think it would be nice if WorkEffort names can be displayed. Actually, 
> there is some code around there already, but it does not work properly (see 
> the workEffortId field definition in the ListWorkEfforts form).





[jira] [Created] (OFBIZ-12253) Show WorkEffort names in FindWorkEffort page

2021-06-06 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12253:


 Summary: Show WorkEffort names in FindWorkEffort page
 Key: OFBIZ-12253
 URL: https://issues.apache.org/jira/browse/OFBIZ-12253
 Project: OFBiz
  Issue Type: Bug
Affects Versions: Trunk
Reporter: Xin Wang


In the FindWorkEffort page ( 
https://demo-trunk.ofbiz.apache.org/workeffort/control/FindWorkEffort ), "Work 
Effort Name" can be specified as a search option, but the result table does not 
show it.

I think it would be nice if WorkEffort names can be displayed. Actually, there 
is some code around there already, but it does not work properly (see the 
workEffortId field definition in the ListWorkEfforts form).





[jira] [Comment Edited] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358005#comment-17358005
 ] 

Xin Wang edited comment on OFBIZ-12249 at 6/6/21, 1:32 AM:
---

Hi Jacques,

Thank you for your patch!

`example.com' is a valid domain, so it can pass UrlValidator for that case.

But as `noteInfo' is a free-form textarea field, users can add more text around 
the URL, which I think is quite valid from the users' point of view, but will be 
rejected by OFBiz, e.g.:

blah blah blah ... see https://example.com/a%20link and related ...


was (Author: dram):
Hi Jacques,

Thank you for your patch!

`example.com' is a valid domain, so it can pass UrlValidator for that case.

But as `noteInfo' is a free-form textarea field, users can add more text around 
the URL, which I think is quite valid from the users' point of view, but will be 
rejected by OFBiz:

blah blah blah ... see https://example.com/a%20link and related ...

> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  





[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17358005#comment-17358005
 ] 

Xin Wang commented on OFBIZ-12249:
--

Hi Jacques,

Thank you for your patch!

`example.com' is a valid domain, so it can pass UrlValidator for that case.

But as `noteInfo' is a free-form textarea field, users can add more text around 
the URL, which I think is quite valid from the users' point of view, but will be 
rejected by OFBiz:

blah blah blah ... see https://example.com/a%20link and related ...

> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
>  Issue Type: Bug
>Affects Versions: Trunk
>Reporter: Xin Wang
>Priority: Major
> Attachments: OFBIZ-12249.patch
>
>
> When trying to add a note to WorkEffort entity, I found that url encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link
>  
>  





[jira] [Comment Edited] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

2021-06-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17357998#comment-17357998
 ] 

Xin Wang edited comment on OFBIZ-12252 at 6/5/21, 11:39 PM:


Hi Jacques,

Thank you for pointing to Tomcat SSO, that helps!

BTW, regarding the security issues of `externalLoginKey', I think it should 
be turned off by default. (I'm aware that currently Tomcat SSO is not supported 
in cluster mode, but users can turn on `externalLoginKey' in cluster mode if 
they are fully aware of those security issues.)



was (Author: dram):
Hi Jacques,

Thank you for pointing to Tomcat SSO, that helps!

BTW, regarding the security issues of `externalLoginKey', I think it should 
be turned off by default. (I'm aware that currently Tomcat SSO is not supported 
in cluster mode, but users can turn it on in cluster mode if they are fully aware 
of those security issues.)


> Session id `externalLoginKey' should not be included in URL
> ---
>
> Key: OFBIZ-12252
> URL: https://issues.apache.org/jira/browse/OFBIZ-12252
> Project: OFBiz
>  Issue Type: Bug
>Reporter: Xin Wang
>Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' 
> will be inserted into the URL as a query string. But sensitive info like that 
> should not be included in the URL if we are concerned about security, as it will be 
> exposed in the following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in the web server access log
> 3. It will be sent to other servers in the Referer header
> Anyone who gets this key can log into OFBiz without authentication, until that key 
> expires.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter





[jira] [Commented] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

2021-06-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17357998#comment-17357998
 ] 

Xin Wang commented on OFBIZ-12252:
--

Hi Jacques,

Thank you for pointing to Tomcat SSO, that helps!

BTW, regarding the security issues of `externalLoginKey', I think it should 
be turned off by default. (I'm aware that currently Tomcat SSO is not supported 
in cluster mode, but users can turn it on in cluster mode if they are fully aware 
of those security issues.)


> Session id `externalLoginKey' should not be included in URL
> ---
>
> Key: OFBIZ-12252
> URL: https://issues.apache.org/jira/browse/OFBIZ-12252
> Project: OFBiz
>  Issue Type: Bug
>Reporter: Xin Wang
>Priority: Major
>
> When changing between different OFBiz apps, session id `externalLoginKey' 
> will be inserted into the URL as a query string. But sensitive info like that 
> should not be included in the URL if we are concerned about security, as it will be 
> exposed in the following scenarios:
> 1. It will be recorded in browser history
> 2. It will be recorded in the web server access log
> 3. It will be sent to other servers in the Referer header
> Anyone who gets this key can log into OFBiz without authentication, until that key 
> expires.
> See following discussion for more info:
> https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter





[jira] [Created] (OFBIZ-12252) Session id `externalLoginKey' should not be included in URL

2021-06-05 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12252:


 Summary: Session id `externalLoginKey' should not be included in 
URL
 Key: OFBIZ-12252
 URL: https://issues.apache.org/jira/browse/OFBIZ-12252
 Project: OFBiz
  Issue Type: Bug
Reporter: Xin Wang


When changing between different OFBiz apps, session id `externalLoginKey' will 
be inserted into the URL as a query string. But sensitive info like that should not 
be included in the URL if we are concerned about security, as it will be exposed in 
the following scenarios:

1. It will be recorded in browser history
2. It will be recorded in the web server access log
3. It will be sent to other servers in the Referer header

Anyone who gets this key can log into OFBiz without authentication, until that key 
expires.

See following discussion for more info:

https://stackoverflow.com/questions/7351225/passing-session-identifier-as-a-query-string-parameter



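Added example (not from the issue and not OFBiz code): the access-log and Referer exposure paths listed in the OFBIZ-12252 description can be audited by scanning combined-format log lines for `externalLoginKey` in the request target and the Referer field, and redacting the value before logs are shared. The log lines, client addresses, `/static/logo.png` and the key values are constructed; only the parameter name and the OFBiz URL paths come from this page.

```javascript
// Added example; function names are hypothetical and the log data is constructed.

// Combined log format: client, ident, user, [time], "METHOD target PROTO",
// status, bytes, "referer", "user-agent".
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const KEY_IN_URL = /[?&]externalLoginKey=([^&#\s"]*)/;

const SAMPLE_LOG = [
  // Key in the request target: lands in this server's own access log.
  '192.0.2.10 - - [05/Jun/2021:10:00:01 +0000] "GET /workeffort/control/FindWorkEffort?externalLoginKey=EL-constructed-0001 HTTP/1.1" 200 5120 "https://localhost:8443/catalog/control/ListProductMeters" "Mozilla/5.0"',
  // Key in the Referer: what a server receiving the follow-up request records.
  '192.0.2.10 - - [05/Jun/2021:10:00:07 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://localhost:8443/workeffort/control/FindWorkEffort?externalLoginKey=EL-constructed-0001" "Mozilla/5.0"',
  // No key anywhere.
  '192.0.2.11 - - [05/Jun/2021:10:01:00 +0000] "GET /catalog/control/ListProductMeters?productId=GZ-1000 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
  // Key followed by another parameter.
  '192.0.2.12 - - [05/Jun/2021:10:02:00 +0000] "GET /ordermgr/control/ViewRequest?externalLoginKey=EL-constructed-0002&custRequestId=1 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
];

// Returns the parsed fields, or null when the line is not in combined log format.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), referer: m[6] };
}

function keyFrom(url) {
  const m = KEY_IN_URL.exec(url);
  return m ? m[1] : null;
}

// One finding per place a key shows up (request target and/or Referer).
function findKeyExposure(lines) {
  const findings = [];
  lines.forEach((line, index) => {
    const entry = parseLine(line);
    if (!entry) return; // lines in another format are not inspected here
    for (const [where, url] of [['request', entry.target], ['referer', entry.referer]]) {
      const key = keyFrom(url);
      if (key !== null) {
        findings.push({ line: index + 1, where, client: entry.client, time: entry.time, key });
      }
    }
  });
  return findings;
}

// Redaction works on the raw line, so it also covers lines that failed to parse.
function redactLine(line) {
  return line.replace(/([?&]externalLoginKey=)[^&#\s"]*/g, '$1[REDACTED]');
}

function auditLog(lines) {
  const findings = findKeyExposure(lines);
  return {
    findings,
    distinctKeys: new Set(findings.map((f) => f.key)).size,
    redacted: lines.map(redactLine),
  };
}
```
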


[jira] [Commented] (OFBIZ-12250) Failed to update work effort child

2021-06-05 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17357768#comment-17357768
 ] 

Xin Wang commented on OFBIZ-12250:
--

Seems related to https://issues.apache.org/jira/browse/OFBIZ-753 ; workEffortId 
is also duplicated in the edit form. If I comment out the workEffortId field of 
EditWorkEffortAndAssoc, it works properly.

> Failed to update work effort child
> --
>
> Key: OFBIZ-12250
> URL: https://issues.apache.org/jira/browse/OFBIZ-12250
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Priority: Major
>
> When trying to update a child work effort, a SQL error is reported: Column 
> 'WORK_EFFORT_ID' cannot accept a NULL value.
> Steps to reproduce:
> 1. Open page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/ChildWorkEfforts?workEffortId=TASK01=TASK01
> 2. Select a child work effort
> 3. Modify the name and click "Save"





[jira] [Created] (OFBIZ-12250) Failed to update work effort child

2021-06-04 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12250:


Summary: Failed to update work effort child
Key: OFBIZ-12250
URL: https://issues.apache.org/jira/browse/OFBIZ-12250
Project: OFBiz
Issue Type: Bug
Affects Versions: Trunk
Reporter: Xin Wang


When trying to update a child work effort, a SQL error is reported: Column 
'WORK_EFFORT_ID' cannot accept a NULL value.

Steps to reproduce:

1. Open page: 
https://demo-trunk.ofbiz.apache.org/workeffort/control/ChildWorkEfforts?workEffortId=TASK01=TASK01
2. Select a child work effort
3. Modify the name and click "Save"





[jira] [Commented] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-04 Thread Xin Wang (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17357741#comment-17357741
 ] 

Xin Wang commented on OFBIZ-12249:
--

After some investigation, I found that it is altered by 
UtilHttp.canonicalizeParameter, which unescaped the encoded input.

Regarding preventing XSS attacks, I think we should rely on output encoding 
for free-form text input.

The following are some discussions about input sanitization and output encoding:

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
https://security.stackexchange.com/questions/95325/input-sanitization-vs-output-sanitization


> Unexpected decoding of url encoded textarea data after submission 
> --
>
> Key: OFBIZ-12249
> URL: https://issues.apache.org/jira/browse/OFBIZ-12249
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Xin Wang
> Assignee: Jacques Le Roux
> Priority: Major
>
> When trying to add a note to a WorkEffort entity, I found that URL-encoded 
> characters are unescaped, which is not expected.
> e.g.:
> 1. Go to page: 
> https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
> 2. Add a note with content: https://example.com/a%20link
> 3. After submission, it will be turned into: https://example.com/a link



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
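
The trade-off discussed in the comment above, as an added example that is not part of the original message: decoding free-form text on input changes what the user typed, while storing it verbatim and encoding only on output keeps the data intact and still renders markup inert. `decodeOnInput` is a hypothetical stand-in built on `URLDecoder` (Java 10+), not OFBiz's `UtilHttp.canonicalizeParameter`, and the second and third notes are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class OutputEncodingDemo {
    /** Hypothetical stand-in for canonicalizing input: percent-decodes the submitted text. */
    static String decodeOnInput(String submitted) {
        return URLDecoder.decode(submitted, StandardCharsets.UTF_8);
    }

    /** Output encoding for HTML element content and quoted attribute values. */
    static String encodeForHtml(String stored) {
        StringBuilder out = new StringBuilder(stored.length() + 16);
        for (char c : stored.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] notes = {
            "https://example.com/a%20link", // the note from the report
            "%3Cb%3Ebold%3C/b%3E",          // constructed: percent-encoded markup typed as text
            "<b>bold</b> & more",           // constructed: literal markup typed as text
        };
        for (String note : notes) {
            // Path A: decode on input. The stored value no longer matches what was typed.
            String altered = decodeOnInput(note);
            // Path B: store verbatim, encode only when writing into the page.
            String rendered = encodeForHtml(note);
            System.out.println("typed:             " + note);
            System.out.println("decoded on input:  " + altered
                    + "  (changed=" + !altered.equals(note) + ")");
            System.out.println("encoded on output: " + rendered);
        }
    }
}
```

The second note shows why decoding on input does not replace output encoding: the decoded value contains markup characters that still have to be encoded when rendered.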


[jira] [Created] (OFBIZ-12249) Unexpected decoding of url encoded textarea data after submission

2021-06-04 Thread Xin Wang (Jira)
Xin Wang created OFBIZ-12249:


Summary: Unexpected decoding of url encoded textarea data after submission
Key: OFBIZ-12249
URL: https://issues.apache.org/jira/browse/OFBIZ-12249
Project: OFBiz
Issue Type: Bug
Affects Versions: Trunk
Reporter: Xin Wang


When trying to add a note to a WorkEffort entity, I found that URL-encoded 
characters are unescaped, which is not expected.

e.g.:

1. Go to page: 
https://demo-trunk.ofbiz.apache.org/workeffort/control/EditWorkEffortNotes?workEffortId=TASK01
2. Add a note with content: https://example.com/a%20link
3. After submission, it will be turned into: https://example.com/a link


