09 Nov, 2021 3 commits
08 Nov, 2021 2 commits
      Reverted: work related to PartyRole handling initiated with (OFBIZ-5980) · 6727f469
      Jacques Le Roux authored
      Currently OFBiz is broken and hard to fix. You can't even create an order!
      
      Revert "Improved: visibility of expire button (OFBIZ-12362) (#331)"
      This reverts commit e3b125ef.
      
      Revert "(OFBIZ-5980) Improvement: PartyRole record(s) expiration/revocation (#330)"
      This reverts commit a8ab2be5.
      
      Revert "Improved: seed data (OFBIZ-12355) (#328)"
      This reverts commit b204b867.
      
      Revert "Reverted: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
      This reverts commit 85e066de.
      
      Revert "Reverted: damn I did not revert the right push :/"
      This reverts commit b867b2a8.
      
      Revert "(OFBIZ-5980) Improvement: PartyRole record(s) expiration/revocation (#325)"
      This reverts commit 8ed2252d.
      
      Revert "Reverted: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
      This reverts commit 5b5e03f7.
      
      Revert "Improved: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
      This reverts commit 46f7ee91.
      
      Revert "Improved: seed data (OFBIZ-12353) (#324)"
      This reverts commit fade92bb.
      Improved: Fix OFBiz specific JavaScript security issues reported by GH CodeQL (OFBIZ-12366) · dfc7ee40
      Jacques Le Roux authored
      Fixes "A DOM text reinterpreted as HTML" issue in fieldlookup.js
      
      GH CodeQL reports:
      "A webpage with this vulnerability reads text from the DOM, and afterwards adds
      the text as HTML to the DOM. Using text from the DOM as HTML effectively
      unescapes the text, and thereby invalidates any escaping done on the text. If an
      attacker is able to control the safe sanitized text, then this vulnerability can
      be exploited to perform a cross-site scripting attack.
      
      Recommendation
      To guard against cross-site scripting, consider using contextual output
      encoding/escaping before writing text to the page, or one of the other solutions
      that are mentioned in the References section below.
      
      Example
      "Extracting text from a DOM node and interpreting it as HTML can lead to a
      cross-site scripting vulnerability."
      
      GH CodeQL suggests:
      The above vulnerability can be fixed by using $.find instead of $. The $.find
      function will only interpret target as a CSS selector and never as HTML,
      thereby preventing an XSS attack.
06 Nov, 2021 1 commit
04 Nov, 2021 1 commit
03 Nov, 2021 3 commits
02 Nov, 2021 7 commits
01 Nov, 2021 2 commits
31 Oct, 2021 1 commit
      Improved: Try to reduce "Incomplete string escaping or encoding branch" issues... · ce564ebc
      Jacques Le Roux authored
      Improved: Try to reduce "Incomplete string escaping or encoding branch" issues reported by CodeQL (OFBIZ-12356)
      
      GH CodeQL reports 556 "Incomplete string escaping or encoding branch" issues
      (there are 588 issues at all).
      
      Most of them are in jQuery-UI, but not only. So this is only an attempt to clarify
      among the 23 pages reported, by upgrading jQuery-UI to 1.13.0.
30 Oct, 2021 1 commit
29 Oct, 2021 2 commits
28 Oct, 2021 1 commit
27 Oct, 2021 1 commit
18 Oct, 2021 3 commits
17 Oct, 2021 6 commits
16 Oct, 2021 3 commits
14 Oct, 2021 1 commit
12 Oct, 2021 1 commit
11 Oct, 2021 1 commit
      Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) · 3cb4e791
      Jacques Le Roux authored
      Prevents a useless inevitable warning by commenting out
      RequestWrapper::getParameterNames and with it all the unused methods in
      RequestWrapper class
      
      Also better comments CacheFilter::doFilter by giving its real and only goal:
      <<to prevent a post-auth security issue described in OFBIZ-12332>>