Release/2.8.0 #3051
Conversation
- Nodejs upgraded to v22 LTS - Cypress upgraded
- Changed isDataPointRunning implementation
Corrected tests in XssUtilsTest.java and logger. Corrected XssUtils.validate(), now it works with all query cases.
- Changed DataSourceService to DataSourceDAO
- corrected regex pattern (check pattern: param=value, param); - added test cases to XssUtilsTest; - renamed method from validate to validateHttpQuery in XssUtils; - corrected implementation Filter;
Improvements in css files
- added test cases to XssUtilsTest; - added properties: scadalts.security.http.query.access.denied.regex, scadalts.security.http.query.access.granted.regex, scadalts.security.http.query.limit scadalts.security.http.query.xss.enabled to env.properties - corrected /pointHierarchy/move/
- included variant abc= in the regex;
…noptic_panel_state_not_loading_correctly2
…e_not_loading_correctly2 #2974 synoptic panel state not loading correctly
…ns_load_in_loggedUsers_bean_when_tomcat_starts #2988 Fixed active sessions load in loggedUsers bean when tomcat sta…
…by_escape_String_content
- corrected after resolve conflict;
Removed: - creating a column for stylesheet in migration class (it should be implemented in different issue)
- Minor changes to css stylesheet
- Minor changes in log4j2.xml
- Changed way of top description being dynamically refreshed
This reverts commit 7c70a42.
- renamed XssCssStyleSerializer to XssProtectCssStyleSerializer, XssStringSerializer to XssProtectStringSerializer, XssSynopticPanelSerializer to XssProtectSynopticPanelSerializer, XssUtils to XssProtectHtmlEscapeUtils; - moved XssProtectCssStyleSerializer, XssProtectStringSerializer, XssProtectSynopticPanelSerializer, XssProtectSynopticPanelSerializer, XssProtectHtmlEscapeUtils to org.scada_lts.web.security package; - added test XssProtectHtmlEscapeUtilsTest; - removed XssSynopticPanelSerializer; - added function unescapeHtml in: \Scada-LTS\WebContent\resources\common.js \Scada-LTS\scadalts-ui\src\utils\common.js - corrected unescape content comment on new ui;
- fixed websocket url;
…PI_by_escape_String_content' into fix/#2985_Prevent_XSS_for_REST_API_by_escape_String_content
- revert websocket url: index.js, websocketStore.js;
- added Logger org.springframework.security; - set ERROR logging level for securityLoggingLevel; - set default query limit to 3900, default URL length limit for Apache Server is approximately 4000 characters;
- corrected junit test config
- commented old configuration for http-firewall
- upgrade version actions/checkout to v4; - added configuration github-actions-version-updater;
- Added support OPC UA protocol by Eclipse Milo library; - Added support operations: multi read nodes, write node, browse nodes; - Using ForkJoinPool to speed up the extraction of the Browse operation, which is based on a recursive algorithm. Configuration with parallelism level 4, speeds up the operation by up to 20 times; - Added the ability to configure the ForkJoinPool in the env.properties file; - Mechanism has been introduced to limit calling the browse operation too often - after calling the operation 10 times, you have to wait 15 seconds; - Generalization of the DataSourceRT implementation based on update/doPoll. - Added junit tests: IsPossibleSettableOpcUaDataTypeTest, OpcUaDataTypeTestsSuite, ValidateOpcUaDataTypeTest; - Fixed Import/Export Data Source OPC UA;
- Wrapped classes to separate Milo library classes from application classes; - Fixed change opc data type for created data point;
- Removed DATA_SOURCE_POINT; - DataSourcePointEventType.getEventSourceId then DATA_SOURCE; - Corrected alarmAck.tag, Permissions.hasEventTypePermission, MangoContextListener.constantsInitialize, EventTypeVO.createEventType, EventType, EventTypeUtil.createEventType;
…lity_to_copy_paste_graphical_views #3066 Add the possibility to copy-paste graphical views
@@ -57,6 +57,19 @@ | |||
} | |||
} | |||
|
|||
export function unescapeHtml(value) { | |||
let div = document.createElement("div"); | |||
div.innerHTML = value; |
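Review bot: `div.innerHTML = value;` runs the HTML parser over untrusted input even though `div` is never attached to the document, which is exactly what the CodeQL finding flags: markup such as `<img src=x onerror=...>` still creates the element and fires the handler on a detached node, so a helper meant only to decode entities can execute script. If the purpose is to reverse what the `XssProtect*` serializers did on the server, decode without an HTML parse: `let t = document.createElement("textarea"); t.innerHTML = value; return t.value;` (textarea content is parsed as RCDATA, so tags are never interpreted), or `new DOMParser().parseFromString(value, "text/html").documentElement.textContent`, where scripts do not run and no resources are fetched. Also audit the callers: a value that has been unescaped must end up in `textContent` or a `{{ }}` binding, never back in `innerHTML` or `v-html`, otherwise the server-side escaping is undone at the one place it mattered.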
Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium)
Copilot Autofix AI, 30 days ago
To fix the problem, we need to ensure that any HTML content processed by the unescapeHtml function is properly sanitized to prevent XSS attacks. This can be achieved by using a library like DOMPurify to sanitize the input before setting it as innerHTML.
- Import the DOMPurify library.
- Use DOMPurify.sanitize to clean the input before setting it as innerHTML.
@@ -1 +1,3 @@ | ||
import DOMPurify from 'dompurify'; | ||
|
||
export function getAppLocation() { | ||
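Review bot: this import exists only because the helper parses its argument as HTML; if that parse is replaced by textarea or DOMParser based entity decoding, the import and the new runtime dependency are unnecessary. If it is kept, note that `dompurify` is not yet declared in `package.json` in this hunk, so the module fails to resolve until the dependency hunk is applied together with it.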
@@ -61,3 +63,3 @@ | ||
let div = document.createElement("div"); | ||
div.innerHTML = value; | ||
div.innerHTML = DOMPurify.sanitize(value); | ||
return div.textContent || div.innerText; |
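Review bot: `div.innerHTML = DOMPurify.sanitize(value);` silences the scanner without changing what the function does: it still parses a string that the server already escaped as HTML and then returns its text. Sanitizing also changes the result for inputs that contain raw markup, since whatever DOMPurify strips (a `<script>` element, unknown tags) no longer contributes to `div.textContent`, so the function now returns different text for the same input depending on the library's allow-list. Entity decoding never needs an HTML parse; prefer `textarea.value` or DOMParser and keep this code path free of a sanitizer whose only job here is to make an unnecessary parse safe.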
@@ -63,3 +63,4 @@ | ||
"vuex": "3.0.1", | ||
"webstomp-client": "1.2.6" | ||
"webstomp-client": "1.2.6", | ||
"dompurify": "^3.2.3" | ||
}, |
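Review bot: `"dompurify": "^3.2.3"` uses a caret range while the neighbouring entries (`"vuex": "3.0.1"`, `"webstomp-client": "1.2.6"`) are pinned exactly; for a package whose whole purpose is security-sensitive parsing, pin it the same way so the version that was reviewed is the version that ships, and raise it deliberately through the lockfile. The entry is also appended after `webstomp-client` instead of being placed in the block's existing ordering.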
Package | Version | Security advisories |
dompurify (npm) | 3.2.3 | None |
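As an added example, not code from the Scada-LTS repository and not the autofix above: an entity decoder that reverses what an HTML-escaping serializer produces without ever handing the string to an HTML parser, so neither `innerHTML` nor a sanitizer dependency is involved. The entity set (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&apos;`, plus decimal and hexadecimal numeric references) is an assumption about what `XssProtectHtmlEscapeUtils` emits. `unescapeHtmlNaive` is included only to show the double-decoding bug that chained replaces cause; the sample input is constructed.

```javascript
// Added example, not Scada-LTS code. Assumed entity set produced by the
// server-side escaper: the five named entities below plus numeric references.
const NAMED_ENTITIES = {
  amp: "&",
  lt: "<",
  gt: ">",
  quot: '"',
  apos: "'",
};

// One regex for named (&lt;), decimal (&#39;) and hexadecimal (&#x27;) references.
// A single pass over the input is what prevents double decoding.
const ENTITY_RE = /&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi;

// Decodes HTML entities to text. The string is never parsed as HTML, so an
// "<img src=x onerror=...>" that appears after decoding is just characters in
// the returned string; it only becomes markup if a caller later assigns it to
// innerHTML, which is the thing to avoid.
function unescapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(ENTITY_RE, (match, hex, dec, name) => {
    if (hex !== undefined) return codePointOrRaw(parseInt(hex, 16), match);
    if (dec !== undefined) return codePointOrRaw(parseInt(dec, 10), match);
    const text = NAMED_ENTITIES[name.toLowerCase()];
    return text === undefined ? match : text; // unknown entity: leave the raw text
  });
}

// Numeric references must be valid Unicode scalar values; NUL, surrogates and
// out-of-range values are left undecoded rather than "repaired".
function codePointOrRaw(cp, raw) {
  if (!Number.isInteger(cp) || cp <= 0 || cp > 0x10ffff) return raw;
  if (cp >= 0xd800 && cp <= 0xdfff) return raw;
  return String.fromCodePoint(cp);
}

// Bug pattern, kept here only for contrast: chained replaces decode the output
// of the previous replace again, so "&amp;lt;" ends up as "<".
function unescapeHtmlNaive(value) {
  return String(value)
    .replace(/&amp;/g, "&")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'");
}

// Constructed sample: a user literally typed "&lt;script&gt;", and the server
// escaped it once more (& -> &amp;). Correct decoding returns the typed text;
// the naive version manufactures a tag that was never there.
const ESCAPED_TWICE = "&amp;lt;script&amp;gt;";
console.log(unescapeHtml(ESCAPED_TWICE));      // &lt;script&gt;
console.log(unescapeHtmlNaive(ESCAPED_TWICE)); // <script>
```

In a browser the same contract can be met with `const t = document.createElement("textarea"); t.innerHTML = value; return t.value;`, because the fragment parser treats textarea content as RCDATA and never interprets tags. Whichever decoder is used, its result belongs in `textContent` or a `{{ }}` binding; routing it into `innerHTML` or `v-html` recreates the XSS the serializers were added to prevent.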
- Added "Reset Nodes" button in "Add Nodes"; - Rename button to "Search Server"; - Invoke "Search Server" for New Data Source; - Newly found nodes are at the top of the list; - Corrected validate Data Source;
…n_typeId_for_event_handlers #3061 Fixed missing column typeId for event handlers
…A_protocol_using_the_PLC4X_library2
…_OPC_UA_protocol_using_the_PLC4X_library2 #2119 Support for the OPC UA protocol using the PLC4X library:
- Added "Check Nodes" and "Uncheck Nodes" button in "Add Nodes"; - Corrected interaction user in "Add Nodes";
- Corrected editOpcUa.jsp
- removed unused import in OpcUaDataType.java
…_OPC_UA_protocol_using_the_PLC4X_library2 #2119 Support for the OPC UA protocol using the PLC4X library:
…rce: - Added validate cyclic dependency in methods: MetaPointLocatorRT.pointInitialized, MetaPointLocatorRT.pointTerminated; - User Login Event set state 'Return To Normal' after logout user; - Refactoring for recursive actions: SearchCyclicDependencyAction, SetUnreliableDataPointsAction, CollectMetaDataPointFromContextAction, SearchOpcUaNodesAction; - Added param 'scadalts.validation.search-cyclic-depth' to env.properties; - Invoke mangoContextListener.contextInitialized is not initialized mangoContextListener; - Invoke 'Return To Normal' again only if changed unreliable; - Added test cases in: CyclicDependencyValidationUtilsTest, DataPointUnreliableUtilsTest; - Optimized test, closed timer, reduce number threads 'Serotonin Timer': DataPointUnreliableUtilsTest;
- Change List to Map for activeEvents in EventManager; - Corrected update LoggedUsers when restart tomcat after logged;
…tioning_to_the_Return_to_Normal_state #3090 Fixed events transitioning to the "Return to Normal" state:
…xed_StackOverflowError_for_Cyclic_Dependency_in_Meta_Data_Source
…rce: - junit use fork join pool with 2 threads; - corrected name from nodesFinder to searchNodes variable in OpcUaMaster.browse;
…Error_for_Cyclic_Dependency_in_Meta_Data_Source #3088 Fixed StackOverflowError for Cyclic Dependency in Meta Data Sou…
…rce: - Corrected actions: CollectMetaDataPointFromContextAction, SearchCyclicDependencyAction;
…5_Import_all_informations_from_the_Bacnet_Object_list1
- Removed BACnetEngineeringUnit; - Refactoring methods: DataSourceEditDwr.validatePoint, DataSourceEditDwr.saveBACnetIPPointLocator; - Added method: DataSourceEditDwr.validateAndSaveDataPoint;
- default port 0 in BACnetIPDataSourceVO;
- fixed set Engineering Unit;
…rmations_from_the_Bacnet_Object_list1 #3035 Import all informations from the Bacnet Object list
No description provided.