Leif Åstrand [Wed, 10 Dec 2014 08:49:45 +0000 (10:49 +0200)]
Prevent HTTP Response splitting in case the server doesn't (#19611)
Prevent user-provided input used in the redirect from containing newline
characters as the user agent would interpret subsequent parts of the
input as additional headers or the actual HTTP payload.
At least modern versions of Tomcat and Jetty already protect against
this kind of attack by escaping received header values, but that is not
necessarily the case for older versions or other servlet engines.
See https://www.owasp.org/index.php/HTTP_Response_Splitting for details.
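Added example (not part of the commit or of Vaadin's code): one way to enforce the rule this commit message describes, in plain Java with no servlet dependency. The class and method names are hypothetical, and rejecting the value outright is an assumption; the commit message does not say whether the fix strips or rejects newlines.

```java
public class RedirectHeaderGuard {

    /**
     * Returns the value unchanged if it can be placed in a Location header
     * as a single line; throws otherwise. Character.isISOControl covers
     * CR (U+000D) and LF (U+000A) along with the other C0/C1 controls.
     * Rejecting instead of stripping avoids redirecting to a target that
     * was silently altered from what the request carried.
     */
    static String requireSingleLine(String value) {
        if (value == null) {
            throw new IllegalArgumentException("redirect target is null");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (Character.isISOControl(c)) {
                throw new IllegalArgumentException(
                        "control character U+" + String.format("%04X", (int) c)
                                + " at index " + i + " in redirect target");
            }
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs. In a servlet these would be request
        // parameters after the container has URL-decoded them, which is
        // where an encoded CR/LF becomes a literal line break.
        String[] samples = {
            "/app/home?lang=en",
            "/app/home\r\nSet-Cookie: injected=1",
            "/app/home\nX-Extra: 1"
        };
        for (String s : samples) {
            try {
                System.out.println("OK       " + requireSingleLine(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

The check belongs immediately before the value is handed to the response (for example ahead of a `sendRedirect` call), so it holds regardless of whether the servlet engine escapes header values itself.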
Artur Signell [Sat, 16 Jan 2016 11:02:45 +0000 (13:02 +0200)]
Do not process click events for disabled optiongroups (#19433)
This removes the warning logged on the server side when the RPC reaches it
for the disabled component. As this is more of a cosmetic change, there is
no automatic test.
Artur Signell [Sat, 16 Jan 2016 11:11:22 +0000 (13:11 +0200)]
Allow legacy components to paint infinity double values again (#19447)
JsonPaintTarget.addAttribute(String,double) converts infinity values to
{ "name": Infinity }. This is not valid JSON but has "always worked" and
at least NumberField relies on being able to send infinity values.
For state and RPC it's not possible to send 'infinity' as JsonNumber
converts those to null.
It is not possible to send 'infinity' back to the server using a legacy
variable either as also in this case JsonNumber is used and the value becomes
null.
This fix should be reverted when legacy variable support is removed.
Add a simple waitForApplication for servlet integration tests
This waitForApplication checks if a UI element exists on the page. If
not, then it will wait 10 seconds in order for it to appear. This should
reduce the number of false negatives in server tests.
Fix ScrollbarBundle to not round down pixel values (#19421)
Since Escalator now uses subpixels in most cases, scrollbar calculation
fails when ScrollbarBundle calls Math.floor for the offset size. Removed
rounding, added a pixel epsilon check that we don't make a scrollbar
when it's not really needed.
maxschuster [Sun, 11 Oct 2015 18:48:52 +0000 (20:48 +0200)]
Fix custom attributes of Link component (#19107)
Added the custom attributes href and target to the Link component to
match the attribute names used by Link.readDesign() and
Link.writeDesign()
Change-Id: I7f257fcf89cb78d14d9632aa1be548e92f3010c3
Fix WidgetRenderer column cells not correctly init on change (#19086)
When changing to a widget renderer with an existing column, the widget
renderer expects that the cells would be initialized to have a correct
widget for it. Because of the original design where you could not change
renderers, this was not taken into account and cells did not get
reinitialized when changing the renderer.
This patch showed another underlying detach problem from removing a
widget renderer and destroying complex renderers. Both of these are also
addressed to make this bug possible to test correctly.
Patch includes a client-side test that verifies the integrity of the
renderer state in different stages of its lifecycle.
Atmosphere will disconnect the push connection when going offline and reconnect it
when going online again. There are no events sent when this happens, which means the
reconnect logic cannot take this into account.
Having it enabled leads to something like:
1. Browser goes offline, push is disconnected
2. Framework sees it as a normal close and does not show the reconnect dialog
3. The user does something, the framework tries to send a websocket request
4. A new Atmosphere request is created and enters a try-to-reconnect loop as expected
5. The browser goes online, and the online event re-initializes the old connection
although a try-to-reconnect loop is already running
Fix Grid column resize to take into account min width for cells (#16597)
Use Escalator cell size calculation without content to determine the
absolute minimum size for cells. This is used in Grid when drag resizing
or sorting columns to prevent cells from overflowing to the next row.
Henri Sara [Tue, 15 Dec 2015 13:41:53 +0000 (15:41 +0200)]
Fix LegacyComponentThemeChangeTest on Chrome 47
The test uses an Embedded component with non-existent Flash content.
This does not work on Chrome 47 so this change disables that part
of the test on Chrome like it was already disabled on IE8.
Fix text selection and context click events for Android devices (#19367)
Text and element selection needs to be disabled on touch start for
Android as well. Other touch event handling used by iOS devices is not
used on Android.
Prevent text selection on iOS devices with long tap (#19367)
Text or elements should not get selected when there's a context click
listener. Pre-emptively prevent text selection for the whole widget when
that happens.
Anna Koskinen [Wed, 25 Feb 2015 11:43:39 +0000 (13:43 +0200)]
Fix mouse wheel scrolling of ComboBox in IE11 (#16918)
IE11 is broken so that the simple implementation always moves up on any
mouse wheel event. Therefore, this change borrows the approach taken by
Escalator for low-level handling of mouse wheel events in a way compatible
with all supported browsers.
Fix RpcDataProvider listener handling on ItemSetChange (#19371)
Old ValueChangeListeners are discarded and new ones created when an
ItemSetChange occurs. This is done to reapply the listeners to possibly
recreated Items.
Fix and extend Javadoc for setFirstDayOfWeek (#19227)
The Javadoc was incorrect in saying the method's goal was to set the first
day of week depending on locale. The actual main goal is to set it in
an independent way.
Also extended the doc to look more complete.
Change-Id: I2c82c774f4e245437b03c0bd0246a0361584d949
Fix selecting a row that was deselected on the server (#19360)
Client-side connector of the SingleSelectionModel attempts to keep track
of the currently selected row. This tracking gets lost when the row gets
deselected on the server-side. This special case is now correctly handled.
Reapply DataGenerators when container changes (#19357, #19359)
Previously on container change Grid applied only its internal
DataGenerators to the new RpcDataProviderExtension. Now it goes through
all existing Extensions and adds all DataGenerators to the data
provider.