10.0.0-beta1 #971

bcordis · 2024-12-02T23:05:16Z

First Beta release for public testing.

…oid errors

…g more in "if"

Many fixes plus router

…aused fatal errors.

…king through the new server creation error.

…od_proclaim # Conflicts: # admin/src/Helper/Cwmparams.php

New mod_proclaimicon for Admin View.

media/js/cwmcore.js

+					$.find(targetImage).show()
+				}
+
+			$.find(targetImage).attr('src', activeDir.join('/') + '/' + $(this).val())


To fix the problem, we need to ensure that the value retrieved from $(this).val() is properly sanitized or escaped before being used to set the src attribute of the image element. This can be achieved by using a function that escapes any potentially dangerous characters in the value.

The best way to fix this without changing existing functionality is to use a utility function to escape the value before concatenating it with the rest of the URL. We can use a well-known library like lodash for this purpose, which provides a method _.escape to escape HTML characters.

media/js/cwmcore.js

+
+	if (sE && (url = sE.options[sE.selectedIndex].value))
+	{
+		location.href = url


To fix the problem, we need to ensure that the url value is properly validated before it is used to set location.href. This can be done by checking that the url value is a valid and safe URL. We can use a regular expression to validate the URL format or use the URL constructor to ensure it is a valid URL.

The best way to fix the problem without changing existing functionality is to add a validation step before setting location.href. We will use the URL constructor to validate the URL.

media/js/videoswitch.js

+			const newmp4 = videolink.attr('data-src')
+			const player = $('#' + videoID)
+			player.get(0).pause()
+			player.attr('src', newmp4)


To fix the problem, we need to ensure that the value extracted from the data-src attribute is properly sanitized before being used. One way to achieve this is by using a library like DOMPurify to sanitize the URL. This will help prevent any malicious content from being executed.

Import the DOMPurify library.

Sanitize the newmp4 value before assigning it to the src attribute of the video element.

# Conflicts: # site/helpers/media.php

tomfuller2

Approved!

bcordis and others added 30 commits July 21, 2023 16:40

Fix up for Data pass through. Missing content.

349a444

Fixed issue with wrong folder in JBS Backup. not tested

d99da2a

Adding a json_decode to check params before passing to Registry to av…

23e4f29

…oid errors

Added statement to run related studies only if set to show

8d60f4d

Added statement to run related studies only if set to show - includin…

6b46a9a

…g more in "if"

Merge branch 'development' into development-router

59fab6f

Formatting fix up

759d820

Merge pull request #945 from Joomla-Bible-Study/development-router

ee24657

Many fixes plus router

Removed the \stdClass declaration for the $template varable as this c…

093e581

…aused fatal errors.

Removed JSON THROW Error and made it IGNORE

b85d607

Optimize getRelated Links Query

73b5faa

Merge remote-tracking branch 'origin/development' into development

6573972

Corrected podcast view name to cwmpodcasts

ebf1a6a

Fixed a stdclass to array problem with teachers view

854eaac

Found error in addon that will not display right on server. Still wor…

5454dde

…king through the new server creation error.

Merge branch 'development' into 942-images-do-not-save-for-podcast

b450127

Fixed some Teacher view under Case Sensitive.

1a6879f

Fixes naming for Case Sensitive servers

0c4dbe1

Fix Calendar format for new Joomla 4 version.

35a1d76

Fix 8.x casting

6bbed46

Admin Template edite page fix rendering

686cf56

Small clean up of code.

d30c7ff

Helped with scripture return faster.

f65c296

Fix for making podcast using the button on Podcasts view.

87297b8

Update to some JS files using Minifier

75c78df

Update Assets Fix return.

81e7cf1

Update doc statements

5f7a0e1

Removed not used CWMImage.php

e219d9f

Updates for images and podcast usage.

6c4176f

Fixing images to remove Joomla junk

32e8175

bcordis and others added 22 commits October 3, 2024 07:53

Updated CSS for cpanel icon layout.

ac9c051

Fixed some cleanCache workings

9d5bf71

Add catch to getAdmin

b0bf809

Update CacheClean

011c0d5

Corrected loading of css.

439b6bb

Updated Icon Layout still to work on.

84bfae1

Added Podcast Task Status to the Podcasts page.

a1af1df

Updated to absolute if statement

cdaa983

New mod_proclaimicon for Admin View.

8edb770

Corrected loading of css.

a18bdad

Merge remote-tracking branch 'origin/admin_mod_proclaim' into admin_m…

6661191

…od_proclaim # Conflicts: # admin/src/Helper/Cwmparams.php

New Symbolic Links update.

88a8370

Remove build.properties from Git tracking

b976a53

trying new build properties file.

3950de3

trying new build properties file update.

86f4ecf

Update some build and other docs.

7b69786

Update some build with header to explain the check

6ce1f60

Update message wording

ee4ee7f

Add default icon value to xml

b86a3d4

Add function to publish the Admin Icon on installation.

883010d

Merge pull request #966 from Joomla-Bible-Study/admin_mod_proclaim

e625973

New mod_proclaimicon for Admin View.

Beta1 for 10.0.0 release as of Dec 10th

4b7404d

bcordis requested a review from tomfuller2 December 2, 2024 23:05

bcordis assigned bcordis and tomfuller2 Dec 2, 2024

bcordis added Accepted 1 - Ready labels Dec 2, 2024

github-advanced-security bot found potential problems Dec 2, 2024

View reviewed changes

Merge remote-tracking branch 'origin/main' into development

e492fb0

# Conflicts: # site/helpers/media.php

tomfuller2 approved these changes Dec 3, 2024

View reviewed changes

@@ -1 +1,2 @@
+            import _ from 'lodash';
             /**
@@ -105,3 +106,3 @@
-            			$.find(targetImage).attr('src', activeDir.join('/') + '/' + $(this).val())
+            			$.find(targetImage).attr('src', activeDir.join('/') + '/' + _.escape($(this).val()))
             			},

@@ -30,4 +30,3 @@
                 "comments": false,
-                "ignore": [
-                ]
+                "ignore": []
               },
@@ -38,3 +37,4 @@
                 "@hapi/hoek": "<=9.2.1",
-                "less": "^4.1.2"
+                "less": "^4.1.2",
+                "lodash": "^4.17.21"
               }

Package	Version	Security advisories
lodash (npm)	4.17.21	None

@@ -204,3 +204,8 @@
             	{
-            		location.href = url
+            		try {
+            			new URL(url);
+            			location.href = url;
+            		} catch (e) {
+            			console.error('Invalid URL:', url);
+            		}
             	}

@@ -1 +1,2 @@
+            import DOMPurify from 'dompurify';
             (function (window, document, $) {
@@ -7,3 +8,3 @@
             			const videolink = $('#' + contentPanelId)
-            			const newmp4 = videolink.attr('data-src')
+            			const newmp4 = DOMPurify.sanitize(videolink.attr('data-src'))
             			const player = $('#' + videoID)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

10.0.0-beta1 #971

10.0.0-beta1 #971

bcordis commented Dec 2, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

tomfuller2 left a comment

10.0.0-beta1 #971

Are you sure you want to change the base?

10.0.0-beta1 #971

Conversation

bcordis commented Dec 2, 2024

tomfuller2 left a comment

Choose a reason for hiding this comment