Sanitize dojo components #849
Conversation
Can one of the admins verify this patch?
ok to test
Build succeeded.
So each day the next 24 days a new PR? :) That would be a nice Advent calendar for WebODF devs :) Please make a separate PR for 3db09e5 given it is a separate topic (and also might mean separate discussion and time to find resolution, at least I would already comment that supporting only http: and https: might be too little).
3db09e5 to 6d363da
Nice try ;-)
Absolutely. - I'll create a branch for this commit later (maybe even tomorrow so we have already 2/24 ;-))
Build succeeded.
Just for good record keeping, this is a partial fix for some of the issues highlighted in #724
The only (small) style issue I have with this patch is that dojox.html.entities is not a class. We'd generally use a lowercase first letter to indicate this (e.g., htmlEntities). Other than that, the patch looks good from my end. @kossebau ?
6d363da to 034339d
Changed to lower-case.
Build succeeded.
@@ -97,6 +97,7 @@ add_custom_command( | |||
COMMAND ${CMAKE_COMMAND} -E make_directory dojox/ | |||
COMMAND ${CMAKE_COMMAND} -E copy_directory dojo-deps/dist/dojox/layout/resources/ dojox/layout/resources/ | |||
COMMAND ${CMAKE_COMMAND} -E copy_directory dojo-deps/dist/dojox/widget/ColorPicker/ dojox/widget/ColorPicker/ | |||
COMMAND ${CMAKE_COMMAND} -E copy_directory dojo-deps/dist/dojox/html/ dojox/html/ |
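Review bot: the added `copy_directory dojo-deps/dist/dojox/html/ dojox/html/` line copies the whole dojox/html/ tree, while the neighbouring commands in this add_custom_command copy only resource subdirectories (`dojox/layout/resources/`, `dojox/widget/ColorPicker/`), so JavaScript modules would now be shipped through the resource-copy step as well. If `dojox/html/entities` is pulled in through the build profile, this copy is redundant and only enlarges the output; drop it unless a non-JavaScript resource under dojox/html/ is actually needed at runtime, and if one is, copy that subdirectory specifically as the other lines do.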
This copying is not needed, as in this section only non-JavaScript files are copied. And unless I missed something when I just tested and had a look, html/entities.js is self-contained and does have all data inside. So adding 'dojox/html/entities' to the profile as done abovebelow is all that is needed to include that 'entities' unit.
"dojox/html/entities" will be used to sanitize the strings.
034339d to 4868742
Build succeeded.
sniff I will miss the marquee fun with style names :)
Where would that match? - Under
The next release will be 0.5.5, so below the most top
or similar.
Right, not only JS injection :)
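The entity encoding the thread refers to (using `dojox/html/entities` so that a style name carrying markup such as `<marquee>` is rendered as text rather than as an element), as an added example that is not part of the PR or of dojox. The entity map is assumed to mirror the basic one `dojox.html.entities.encode` uses, with the apostrophe added; the style-name sample and the option markup are constructed.

```javascript
// Added example (not WebODF's or dojox's code): entity-encode untrusted
// strings, here style names read from a document, before they are spliced
// into HTML markup. The map is assumed to match the basic map used by
// dojox.html.entities.encode (&, <, >, ") plus the apostrophe, so the output
// is also safe inside single-quoted attribute values.
const ENTITY_MAP = [
  ["&", "amp"], ["<", "lt"], [">", "gt"], ['"', "quot"], ["'", "#39"],
];

// '&' comes first in the map, so ampersands introduced by the later
// replacements are never encoded a second time.
function encodeEntities(str) {
  let out = String(str);
  for (const [ch, name] of ENTITY_MAP) {
    out = out.split(ch).join("&" + name + ";");
  }
  return out;
}

// Inverse, applied in reverse order so "&amp;lt;" decodes to "&lt;", not "<".
function decodeEntities(str) {
  let out = String(str);
  for (const [ch, name] of [...ENTITY_MAP].reverse()) {
    out = out.split("&" + name + ";").join(ch);
  }
  return out;
}

// Vulnerable pattern: markup built by concatenating the raw style name, so a
// name that carries tags is parsed as HTML by the browser.
function styleOptionUnsafe(styleName) {
  return '<option value="' + styleName + '">' + styleName + "</option>";
}

// Hardened pattern: every untrusted value is encoded at the point of insertion.
function styleOptionSafe(styleName) {
  const enc = encodeEntities(styleName);
  return '<option value="' + enc + '">' + enc + "</option>";
}

// Constructed sample: a style name containing markup, as an untrusted
// document could supply it.
const SAMPLE_STYLE = "<marquee>Heading 1</marquee>";

// Number of '<' characters left in the markup: only the <option> pair should
// remain once the style name has been encoded.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}
```

`styleOptionUnsafe(SAMPLE_STYLE)` leaves six tag openers in the markup, `styleOptionSafe(SAMPLE_STYLE)` leaves only the two belonging to the option element.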
4868742 to 28c4079
Build succeeded.
I see you stood the Turing test and adapted my wrong instructions and placed the entry at the right place :) To frame things, 0.5.5 should be kicked out this year still, I personally target for Dec. 18, hoping to get some other things in until then, so would/could also be the window for anything you plan.
🎉 - thanks! :-)
First bunch of fixes… More likely to come later…
@thz @VicDeo @karlitschek FYI