|
6 | 6 |
|
7 | 7 | [Solved Issues](https://github.com/basemate/matestack-ui-core/issues?q=is%3Aissue+is%3Aclosed+milestone%3A0.7.4)
|
8 | 8 |
|
| 9 | +### Security Fixes |
| 10 | + |
| 11 | +XSS/Script injection |
| 12 | + |
| 13 | +* matestack-ui-core is vulnerable to XSS/Script injection |
| 14 | +* matestack-ui-core does not excape strings by default and does not cover this in the docs |
| 15 | +* matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability |
| 16 | + |
| 17 | +```ruby |
| 18 | +class Pages::MyApp::MyExamplePage < Matestack::Ui::Page |
| 19 | + |
| 20 | + class FakeUser < Struct.new(:name) |
| 21 | + end |
| 22 | + |
| 23 | + def prepare |
| 24 | + @user = FakeUser.new("<script>alert('such hack many wow')</script>") |
| 25 | + end |
| 26 | + |
| 27 | + def response |
| 28 | + components { |
| 29 | + div do |
| 30 | + heading size: 1, text: "Hello #{@user.name}" # is not escaped |
| 31 | + plain "Hello #{@user.name}" # is not escaped |
| 32 | + end |
| 33 | + } |
| 34 | + end |
| 35 | +end |
| 36 | + |
| 37 | +``` |
| 38 | + |
| 39 | +Affected Versions |
| 40 | + |
| 41 | +<= 0.7.3 |
| 42 | + |
| 43 | +Patched Versions |
| 44 | + |
| 45 | +>= 0.7.4 --> please update! |
| 46 | +
|
| 47 | +Workarounds |
| 48 | + |
| 49 | +escape string explicitly/manually |
| 50 | + |
| 51 | +reported by @PragTob |
| 52 | + |
9 | 53 | ### Improvements
|
10 | 54 |
|
11 | 55 | * On form submit, matestack form values are reset to previous values by fiedl
|
| 56 | + |
12 | 57 | --> The form component now does not reset itself when using `put`
|
| 58 | + |
13 | 59 | --> The reset behavior can now be configured (described in `form` component docs)
|
14 | 60 |
|
15 | 61 | * Dockerized core dev and test environment by jonasjabari
|
| 62 | + |
16 | 63 | --> easy local dev and test setup, cross-platform default for dev and testing
|
| 64 | + |
17 | 65 | --> CI is configured to run tests via dockerized test suite; same as local testing and good base for matrix testing (upcoming)
|
| 66 | + |
18 | 67 | --> Usage described in contribution docs
|
19 | 68 |
|
20 | 69 | * Add `follow_response` option to action component by fiedl
|
| 70 | + |
21 | 71 | --> same behavior enhancement as added to the `form` component in 0.7.3
|
| 72 | + |
22 | 73 | --> server may now decide where the transition should navigate to
|
| 74 | + |
23 | 75 | --> described in `action` component docs
|
24 | 76 |
|
25 | 77 | * Add confirm option to action component by fiedl
|
| 78 | + |
26 | 79 | --> easily add confirmation before performing an action
|
| 80 | + |
27 | 81 | --> prevent unintended delete action for example
|
| 82 | + |
28 | 83 | --> described in `action` component docs
|
29 | 84 |
|
30 | 85 | * New webpacker features by fiedl
|
| 86 | + |
31 | 87 | * make webpacker create es5 code instead of es6 code
|
| 88 | + |
32 | 89 | * Switch to Vue Production Mode if RAILS_ENV=staging or production
|
| 90 | + |
33 | 91 | * Establish webpack(er) and asset-pipeline workflows
|
34 | 92 |
|
35 | 93 | --> webpacker now builds assets for asset pipline usage AND webpacker usage (both usage approaches are described in the installation docs)
|
| 94 | + |
36 | 95 | --> webpacker now builds minified versions of matestack-ui-core.js (great improvement in file size!)
|
| 96 | + |
37 | 97 | --> webpacker now builds es5 code, which is compatible with IE11
|
| 98 | + |
38 | 99 | --> when used via asset pipeline, the minified version of matestack-ui-core together with the production build of vue.js is automatically required
|
39 |
| ---> when used via webpacker, matestack-ui-core can be used within a modern javascript workflow, importing and extending single matestack module for example |
| 100 | + |
| 101 | +--> when used via webpacker, matestack-ui-core can be used within a modern javascript workflow, importing and extending |
| 102 | +single matestack module for example |
40 | 103 |
|
41 | 104 | * New components
|
42 | 105 | * Add HTML `<picture>` tag to core components by pascalwengerter
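Review bot: the Security Fixes block (new lines 9-51) describes the problem but not the fix: the bullets say matestack-ui-core "should escape strings by default", which reads as a recommendation, while "Patched Versions >= 0.7.4" implies the default has already changed. State plainly what 0.7.4 now does with the `heading`/`plain` calls in the example (is `"Hello #{@user.name}"` now HTML-escaped?) and whether there is a supported way to emit intentionally unescaped markup, because switching escaping on by default can break pages that relied on passing raw HTML through these components. Also fix the typo "excape" in line 14, and make "Workarounds" actionable for users who cannot upgrade by naming the helper, e.g. `ERB::Util.html_escape(@user.name)` (or Rails' `h`) applied before the string is handed to `plain` or `heading`. Minor: "Affected Versions", "Patched Versions" and "Workarounds" are plain paragraphs while the rest of the file uses `###` headings and bullets; formatting them the same way, and linking the security advisory if one is published, would make the entry easier to find.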
|
|