
[TECHNICAL SUPPORT] LPS-125854 Fix XSS validating context and encoding HTML #97915

Conversation

liferay-continuous-integration
Collaborator

Forwarded from: liferay-frontend#699 (Took 1 ci:forward attempt in 3 hours 8 minutes)

@NemethNorbert
@liferay-frontend

Original pull request comment:
Hey,
LPS-125854,

I based my work on: 418sec/form#1

First sec issue, let me know if I missed something.

Please review it.
Thanks,

✔️ ci:test:stable - 9 out of 9 jobs passed

✔️ ci:test:relevant - 23 out of 23 jobs passed in 2 hours 39 minutes

Click here for more details.

Base Branch:

Branch Name: master
Branch GIT ID: 7d640f4b27841520daf470b08dbe8683c2f2e033

Copied in Private Modules Branch:

Branch Name: master-private
Branch GIT ID: 2b89e6be0ae0f6e12dec390930d3e9525006e687

ci:test:stable - 9 out of 9 jobs PASSED
9 Successful Jobs:
ci:test:relevant - 23 out of 23 jobs PASSED
23 Successful Jobs:
For more details click here.

✔️ ci:test:sf - 1 out of 1 jobs passed in 0 ms

Click here for more details.

Base Branch:

Branch Name: master
Branch GIT ID: 9abb5412f865531a30c879edc61e94795e419bce

Sender Branch:

Branch Name: LPS-125854
Branch GIT ID: e144224c2ff63145dc2a6ed2607c1fdb7dbe1a56

1 out of 1 jobs PASSED
1 Successful Jobs:
For more details click here.
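The pull request title describes the fix as validating context and encoding HTML. As an added illustration of the encoding half, here is a small, self-contained JavaScript example; it is not the jquery.form plugin's code nor Liferay's patch, and the helper names (escapeHtml, renderStatus) and the sample response string are constructed for this example. The point it shows is that text coming back from a server must be encoded before it is concatenated into markup that will later be parsed as HTML, otherwise characters like `<` and `&` in the response change the structure of the page instead of being displayed.

```javascript
// Added example (not the jquery.form or Liferay code): HTML-encode untrusted
// text before it is placed inside markup, so characters with structural
// meaning in HTML are displayed literally instead of being parsed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
};

// Encode every character that could open a tag, close an attribute or start
// an entity. Non-string inputs (numbers, null from a JSON response) are
// coerced to a string first so the function never throws on odd input.
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a status fragment from an untrusted server response. The template
// itself is trusted (it is a literal in our code); only the response text is
// untrusted, and it is the only part that gets encoded.
function renderStatus(responseText) {
  return `<div class="status">Server said: ${escapeHtml(responseText)}</div>`;
}

// Constructed sample: a response containing markup characters. If this string
// were inserted raw (e.g. with innerHTML or jQuery's .html()), the <b> tag
// would be rendered as an element rather than shown as text.
const SAMPLE_RESPONSE = '<b>hi</b> & "quoted" \'text\' /';

// Returns both the unsafe (raw) and the safe (encoded) fragment so the two
// can be compared side by side.
function compare(responseText) {
  return {
    raw: `<div class="status">Server said: ${responseText}</div>`,
    encoded: renderStatus(responseText),
  };
}

console.log(compare(SAMPLE_RESPONSE));
```

Encoding is context-specific: the table above is correct for text nodes and double-quoted attribute values, but a value placed inside a URL, a JavaScript string or a CSS property needs a different encoder, which is the "validating context" half the title refers to.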

@liferay-continuous-integration
Collaborator Author

To conserve resources, the PR Tester does not automatically run for forwarded pull requests.

@brianchandotcom
Owner

@NemethNorbert I'm not fond of this

	 * version: 3.51.0-2014.06.20
	 * version: 3.51.0.LIFERAY-PATCHED-ISSUE-586

First, it doesn't work for more than one patch issue. Second, I have no idea what the patch was. If you look at our other patched files in modules/third-party, we use actual patch files.

I'm OK with using a patch file in build.gradle

See archived/opensocial-portlet/patches/LPS-21488.patch

But we can do it other ways as well. Please consult with @jbalsas and @wincent thx.

@jbalsas

jbalsas commented Jan 21, 2021

Thanks @brianchandotcom, I had similar doubts, but seeing as this is a very old plugin which hasn't changed ever, it felt like the odds of us having to apply more patches is really insignificant compared to the cost of applying patches.

We'll try to work out a different approach.

@wincent

wincent commented Jan 25, 2021

I pushed this to my fork as a POC of an alternative approach (downloading then patching the jquery.form source), but I am not really a huge fan of it. There are all sorts of annoying obstacles caused by the way Gradle works (caching) and the other build tooling (Babel); for example, to patch the original source, you can't prepare a patch against what's in src and apply it to build/ or classes/, because the whitespace gets damaged on the way through — so that means you have to patch in-place and then you're fighting against the cache.

@liferay-continuous-integration liferay-continuous-integration deleted the ci-forward-LPS-125854-pr-699-sender-NemethNorbert-ts-1611166270003 branch January 28, 2021 11:24