Release/2.8.0 #3051
base: develop
Added:
- Custom text on top inside mainHeader, next to app logo
- input area for text to be displayed in main header next to logo
- input area for css style of that aforementioned custom text
- Added custom information in system settings for new UI
- Added prefix for custom information
- Added css styles for custom information so they are displayed properly
- Moved stylesheet to common custom stylesheet instead of special one only for custom information
- Added migration class V2_8_0_2_AddCustomInformationColumnsToSystemSettings.java
…_that_has_a_problem
feature/#2983_Prevent_XSS_for_URLs
- corrected redirect for error 500 code;
- added serializer: XssStringSerializer;
- defined ObjectMapper in xml config (springDispatcher-servlet.xml) and ApplicationBeans.getObjectMapper, then use this method when new ObjectMapper;
- corrected websocket url in index.js, websocketStore.js, dataPointEdit.jsp;
- corrected visible escape text content in EventList.vue;
- fixed HttpSenderRT for POST with JSON;
- fixed: AuthenticationAPI, ConfigAPI, EventDetectorAPI, EventHandlerAPI, PointPropertiesAPI, PointValueAPI, SystemSettingsAPI, UtilsAPI, ViewAPI, ViewComponentAPI, ViewHierarchyAPI, PointHierarchyController, DataPointsBaseOnNameFilter;
- fixed cssEditor in systemSettings.jsp
- replace \n\r to
  in XssCssStyleSerializer/XssStringSerializer, use innerHTML, added function updateCodeTextEscaped in highlight.jsp, created class XssUtils;
- refactoring method: FileUtil.compactFiles;
- added methods: DataPointApiService.getDataPointByXid, DataPointApiService.getDataPointByXid, EmportDwr.exportDataPointBy;
- deprecated methods/class: DataPointApiService.getConfigurationByXid, EmportDwr.exportJSON, TranslateAPI;
- Refactoring API, change return type from String to Map: CustomCssAPI, DataPointAPI, MailingListAPI, ScriptsAPI, SystemSettingsAPI, ViewAPI, AmChartValuesAPI, SynopticPanelAPI, ChangeDataAPI, GetHistoryChangesAPI, ReadDataBaseXIdAPI;
- removed unused and deprecated class EventsServiceWebSocket;
- corrected translation 'Event Pending Limit' and 'Enabled Event Pending Cache';
- upgrade Jackson lib from 2.8.2 to 2.17.2: jackson-annotations-2.17.2.jar, jackson-core-2.17.2.jar, jackson-databind-2.17.2.jar;
Added:
- JUnit 4 test for XssUtils.java class
- Logger for org.scada_lts.web.security in log4j2.xml
- Minor changes in XssFilter.java
- fixed Synoptic Panel (XssSynopticPanelSerializer);
- added validate svg from Synoptic Panel;
- fixed double websocket initialization;
- added method ValidationUtils.validSvg;
…rts:
- added methods: MangoContextListener.sessionsInitialize, LoggedUsers.loadSessions;
- added Logger org.scada_lts.login in log4j2.xml;
…rts:
- user sessions initialize first;
- check admin;
- The api shows a datapoint is disabled if datasource is disabled
- Datapoint is running moved to DataPointService
- Nodejs upgraded to v22 LTS
- Cypress upgraded
- Changed isDataPointRunning implementation
Corrected tests in XssUtilsTest.java and logger. Corrected XssUtils.validate(), now it works with all query cases.
- Changed DataSourceService to DataSourceDAO
- corrected regex pattern (check pattern: param=value, param);
- added test cases to XssUtilsTest;
- renamed method from validate to validateHttpQuery in XssUtils;
- corrected implementation Filter;
Improvements in css files
- added test cases to XssUtilsTest;
- added properties: scadalts.security.http.query.access.denied.regex, scadalts.security.http.query.access.granted.regex, scadalts.security.http.query.limit, scadalts.security.http.query.xss.enabled to env.properties
- corrected /pointHierarchy/move/
- included variant abc= in the regex;
…noptic_panel_state_not_loading_correctly2
…e_not_loading_correctly2 #2974 synoptic panel state not loading correctly
…ns_load_in_loggedUsers_bean_when_tomcat_starts #2988 Fixed active sessions load in loggedUsers bean when tomcat sta…
…by_escape_String_content
- corrected after resolve conflict;
Removed:
- creating a column for stylesheet in migration class (it should be implemented in different issue)
- Minor changes to css stylesheet
- Minor changes in log4j2.xml
…n_Cyclic_dependency_for_Meta_Data_Point #3055 Added validation Cyclic dependency for Meta Data Point:
…ces list view Added details for BACnet data points in description field on data source list view
fix/#3061_Fixed_missing_column_typeId_for_event_handlers
Added option to set modbus data point slave id to range from 0 to 255 instead of range from 1 to 255
…_of_list_of_points_in_BacNet_source_in_data_sources_list_view #3058 Improve content of list of points in BacNet source in data sources list view
…profiles view - Added escaping for data source and data point names in users view
…ave_id_to_be_zero #2799 Allow modbus tcp slave id to be zero
…d_data_source_names_are_not_escaped_in_user_profiles_view Fixed data point and data source names are not escaped in user profiles view #3063
- Created method for creating an EventType for the Event Handler: EventDAO.createHandlerEventType;
Added option to copy graphical view
- upgrade version actions/checkout to v4;
- added configuration github-actions-version-updater;
- Added support OPC UA protocol by Eclipse Milo library;
- Added support operations: multi read nodes, write node, browse nodes;
- Using ForkJoinPool to speed up the extraction of the Browse operation, which is based on a recursive algorithm. Configuration with parallelism level 4 speeds up the operation by up to 20 times;
- Added the ability to configure the ForkJoinPool in the env.properties file;
- Mechanism has been introduced to limit calling the browse operation too often: after calling the operation 10 times, you have to wait 15 seconds;
- Generalization of the DataSourceRT implementation based on update/doPoll.
- Added junit tests: IsPossibleSettableOpcUaDataTypeTest, OpcUaDataTypeTestsSuite, ValidateOpcUaDataTypeTest;
- Fixed Import/Export Data Source OPC UA;
- Wrapped classes to separate Milo library classes from application classes;
- Fixed change opc data type for created data point;
- Removed DATA_SOURCE_POINT;
- DataSourcePointEventType.getEventSourceId then DATA_SOURCE;
- Corrected alarmAck.tag, Permissions.hasEventTypePermission, MangoContextListener.constantsInitialize, EventTypeVO.createEventType, EventType, EventTypeUtil.createEventType;
…lity_to_copy_paste_graphical_views #3066 Add the possibility to copy-paste graphical views
@@ -57,6 +57,19 @@ | |||
} | |||
} | |||
|
|||
export function unescapeHtml(value) { | |||
let div = document.createElement("div"); | |||
div.innerHTML = value; |
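Review bot: `div.innerHTML = value;` in `unescapeHtml` hands caller-supplied text to the live HTML parser, which is the sink the CodeQL "DOM text reinterpreted as HTML" warning below points at; the div being detached does not make this inert, because elements created this way can still trigger resource loads and event handlers. If the function only needs to decode HTML entities back to text, parse into an inert document instead, e.g. `new DOMParser().parseFromString(value, 'text/html').documentElement.textContent`, which does not execute scripts or fetch subresources and returns the same decoded text.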
Check warning: Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium)
Copilot Autofix AI, 10 days ago
To fix the problem, we need to ensure that any HTML content processed by the unescapeHtml function is properly sanitized to prevent XSS attacks. This can be achieved by using a library like DOMPurify to sanitize the input before setting it as innerHTML.
- Import the DOMPurify library.
- Use DOMPurify.sanitize to clean the input before setting it as innerHTML.
@@ -1 +1,3 @@ | ||
import DOMPurify from 'dompurify'; | ||
|
||
export function getAppLocation() { | ||
@@ -61,3 +63,3 @@ | ||
let div = document.createElement("div"); | ||
div.innerHTML = value; | ||
div.innerHTML = DOMPurify.sanitize(value); | ||
return div.textContent || div.innerText; |
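Review bot: replacing the assignment with `div.innerHTML = DOMPurify.sanitize(value);` changes what `unescapeHtml` returns, not only how safely it gets there: any markup DOMPurify strips is gone from the `div.textContent || div.innerText` result, so callers that decode arbitrary escaped strings can get shorter output than before. Sanitising fits if callers re-insert the result as HTML; if the output is only ever used as plain text, parsing into an inert document (DOMParser) removes the sink without altering the decoded text, and avoids adding a runtime dependency for this one call.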
@@ -63,3 +63,4 @@ | ||
"vuex": "3.0.1", | ||
"webstomp-client": "1.2.6" | ||
"webstomp-client": "1.2.6", | ||
"dompurify": "^3.2.3" | ||
}, |
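Review bot: the new entry `"dompurify": "^3.2.3"` uses a caret range while the neighbouring entries in this hunk (`"vuex": "3.0.1"`, `"webstomp-client": "1.2.6"`) are pinned to exact versions; pin it the same way, or make sure the lockfile is updated in the same change, so the sanitizer version actually installed is reproducible across builds.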
Package | Version | Security advisories |
dompurify (npm) | 3.2.3 | None |
- Added "Reset Nodes" button in "Add Nodes";
- Rename button to "Search Server";
- Invoke "Search Server" for New Data Source;
- Newly found nodes are at the top of the list;
- Corrected validate Data Source;
…n_typeId_for_event_handlers #3061 Fixed missing column typeId for event handlers
…A_protocol_using_the_PLC4X_library2
…_OPC_UA_protocol_using_the_PLC4X_library2 #2119 Support for the OPC UA protocol using the PLC4X library:
- Added "Check Nodes" and "Uncheck Nodes" button in "Add Nodes";
- Corrected interaction user in "Add Nodes";
- Corrected editOpcUa.jsp
- removed unused import in OpcUaDataType.java
…_OPC_UA_protocol_using_the_PLC4X_library2 #2119 Support for the OPC UA protocol using the PLC4X library:
No description provided.