Sanitize dojo components

[LukasReschke]

First bunch of fixes… More likely to come later…

@thz @VicDeo @karlitschek FYI

[kogmbh-ci]

Can one of the admins verify this patch?

[kossebau]

ok to test

[kogmbh-ci]

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2283/

[kossebau]

Hi @LukasReschke

More likely to come later…

So each day the next 24 days a new PR? :) That would be a nice Advent calendar for WebODF devs :)

Please make a separate PR for 3db09e5 given it is a separate topic (and also might mean separate discussion and time to find resolution, at least I would already comment that supporting only http: and https: might be too little).

[LukasReschke]

So each day the next 24 days a new PR? :) That would be a nice Advent calendar for WebODF devs :)

Nice try ;-)

Please make a separate PR for 3db09e5 given it is a separate topic (and also might mean separate discussion and time to find resolution, at least I would already comment that supporting only http: and https: might be too little).

Absolutely. - I'll create a branch for this commit later (maybe even tomorrow so we have already 2/24 ;-))

[kogmbh-ci]

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2284/

[peitschie]

Just for good record keeping, this is a partial fix for some of the issues highlighted in #724

[peitschie]

The only (small) style issue I have with this patch is that dojox.html.entities is not a class. We'd generally use a lowercase first letter to indicate this (e.g., htmlEntities).

Other than that, the patch looks good from my end. @kossebau ?

[LukasReschke]

Changed to lower-case.

[kogmbh-ci]

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2285/

[kossebau]

This copying is not needed, as in this section only non-JavaScript files are copied. And unless I missed something when I just tested and had a look, html/entities.js is self-contained and does have all data inside. So adding 'dojox/html/entities' to the profile as done abovebelow is all that is needed to include that 'entities' unit.

[kogmbh-ci]

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2286/

[kossebau]

sniff I will miss the marquee fun with style names :)
Otherwise looks good to me and worked for what I tested. So please remove that unneeded copying as mentioned, and also please add an entry to ChangeLog.md for this fix, either as separate commit or with the last, as a short release-notes-like entry. This spares us collecting changes at release time :)
Guess I will be more than tempted to press the "Merge" button then :)

[LukasReschke]

So please remove that unneeded copying as mentioned, and also please add an entry to ChangeLog.md for this fix, either as separate commit or with the last, as a short release-notes-like entry.

Where would that match? - Under # Changes between 0.5.4 and 0.5.5 or does this require a new section?

[kossebau]

The next release will be 0.5.5, so below the most top ## WebODF you would add

### Fixes

* Prevent JS injection from style names and font names ([#849](https://github.com/kogmbh/WebODF/pull/849)))

or similar.

[kossebau]

Right, not only JS injection :)

[kogmbh-ci]

Build succeeded.
Refer to this link for build results: http://ci.kogmbh.com/jenkins/job/WebODF-PullReq/2287/

[kossebau]

I see you stood the Turing test and adapted my wrong instructions and placed the entry at the right place :)
Thanks for the fix, and welcome to the club of WebODF committers, Lukas! 🎉

To frame things, 0.5.5 should be kicked out this year still, I personally target for Dec. 18, hoping to get some other things in until then, so would/could also be the window for anything you plan.
Next thing will be 0.6 then, as a port from Closure to Dojo has been started in the background, and hopefully should be done in January, and that would be worth a version bump.

[LukasReschke]

🎉 - thanks! :-)