From 98aff2bc7af51b4c26b4b137f5971e8bdb0917c0 Mon Sep 17 00:00:00 2001 From: Teemu Suo-Anttila Date: Mon, 10 Feb 2014 15:57:20 +0200 Subject: Fix caption lost issue related to focus changing (#12967) Change-Id: I2c3843c078e72dc1f394b28ea7669cc232e1e739 --- client/src/com/vaadin/client/ui/orderedlayout/Slot.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/client/src/com/vaadin/client/ui/orderedlayout/Slot.java b/client/src/com/vaadin/client/ui/orderedlayout/Slot.java index 37a97f3399..efa19895a8 100644 --- a/client/src/com/vaadin/client/ui/orderedlayout/Slot.java +++ b/client/src/com/vaadin/client/ui/orderedlayout/Slot.java @@ -474,7 +474,8 @@ public final class Slot extends SimplePanel { // Made changes to DOM. Focus can be lost if it was in the // widget. - focusLost = widget.getElement().isOrHasChild(focusedElement); + focusLost = (focusedElement == null ? false : widget + .getElement().isOrHasChild(focusedElement)); } } else if (caption != null) { orphan(widget); @@ -485,7 +486,8 @@ public final class Slot extends SimplePanel { captionWrap = null; // Made changes to DOM. Focus can be lost if it was in the widget. - focusLost = widget.getElement().isOrHasChild(focusedElement); + focusLost = (focusedElement == null ? false : widget.getElement() + .isOrHasChild(focusedElement)); } // Caption text -- cgit v1.2.3 From af96612a13c372f8f0884dde76df7d671503004f Mon Sep 17 00:00:00 2001 From: Artur Signell Date: Tue, 4 Feb 2014 23:12:38 +0200 Subject: Test using Tomcat 7 behind Apache proxy (#13302) Change-Id: I725990a16b8f4fd6021044aff15c922c0c0f7bd2 --- uitest/integration_tests.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/uitest/integration_tests.xml b/uitest/integration_tests.xml index 9f639b9cb5..112a349eca 100644 --- a/uitest/integration_tests.xml +++ b/uitest/integration_tests.xml @@ -133,6 +133,12 @@ + + + + + + @@ -424,6 +430,7 @@ + -- cgit v1.2.3 From ad49fe31b3e1d04a263b607ba9451a30181a1744 Mon Sep 17 00:00:00 2001 
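Review bot: Both new `focusLost` assignments spell the null guard as `focusedElement == null ? false : …`, a boolean ternary that forces an awkward wrap before `.getElement()`; `focusLost = focusedElement != null && widget.getElement().isOrHasChild(focusedElement);` expresses the same condition on one line. The expression is now duplicated verbatim in this hunk and in the second hunk at `@@ -485,7 +486,8 @@`, so a small private helper taking `widget` and `focusedElement` would keep the two call sites from drifting apart again. A short comment such as `// focusedElement is null when nothing in the document had focus` on the first occurrence would record why the guard is needed, since the surrounding comment only says focus "can be lost". The enclosing method starts and ends outside both hunks.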
From: Artur Signell Date: Tue, 4 Feb 2014 23:13:16 +0200 Subject: Test using Wildfly 8 (currently CR1) (#13167) Change-Id: Ie753ce72c0508f11006039369d967c6b313309f3 --- uitest/integration_tests.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/uitest/integration_tests.xml b/uitest/integration_tests.xml index 112a349eca..77c5a94e26 100644 --- a/uitest/integration_tests.xml +++ b/uitest/integration_tests.xml @@ -225,6 +225,12 @@ + + + + + + @@ -421,6 +427,7 @@ + -- cgit v1.2.3 From 6d8b9e5488ad1fd49b66c7a07a20f96fa2781436 Mon Sep 17 00:00:00 2001 From: Artur Signell Date: Tue, 4 Feb 2014 23:14:05 +0200 Subject: Servlet test for push with default parameters (#13299) Ensure push works in default mode for all servers and browsers Change-Id: I7145839bb081165fd52246fe87c6bb3eae7fe510 --- .../ServletIntegrationDefaultPushUI.java | 29 ++++++++++++++++++++++ .../ServletIntegrationDefaultPushUITest.java | 21 ++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java create mode 100644 uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java diff --git a/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java new file mode 100644 index 0000000000..d6def8d69c --- /dev/null +++ b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUI.java 
@@ -0,0 +1,29 @@ +/* + * Copyright 2000-2013 Vaadin Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.vaadin.tests.integration; + +import com.vaadin.annotations.Push; + +/** + * Server test which uses the default push mechanisms + * + * @since 7.1.12 + * @author Vaadin Ltd + */ +@Push +public class ServletIntegrationDefaultPushUI extends ServletIntegrationUI { + +} diff --git a/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java new file mode 100644 index 0000000000..5f50cdb95d --- /dev/null +++ b/uitest/src/com/vaadin/tests/integration/ServletIntegrationDefaultPushUITest.java 
@@ -0,0 +1,21 @@ +/* + * Copyright 2000-2013 Vaadin Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ +package com.vaadin.tests.integration; + +public class ServletIntegrationDefaultPushUITest extends + AbstractServletIntegrationTest { + // Uses the test method declared in the super class +} \ No newline at end of file -- cgit v1.2.3 From d88e4090a14ef3670232ad1b4a83c7260db36f9c Mon Sep 17 00:00:00 2001 From: Juho Nurminen Date: Mon, 3 Feb 2014 16:56:31 +0200 Subject: Added proper escaping to OptionGroup item icon URLs (#13310) Change-Id: Id0dea437e04e829567b31df3e9c496cd5adc09b8 --- client/src/com/vaadin/client/ui/VOptionGroup.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/client/src/com/vaadin/client/ui/VOptionGroup.java b/client/src/com/vaadin/client/ui/VOptionGroup.java index fee1c313f5..fe4ef214cb 100644 --- a/client/src/com/vaadin/client/ui/VOptionGroup.java +++ b/client/src/com/vaadin/client/ui/VOptionGroup.java @@ -142,8 +142,9 @@ public class VOptionGroup extends VOptionGroupBase implements FocusHandler, String icon = opUidl.getStringAttribute("icon"); if (icon != null && icon.length() != 0) { String iconUrl = client.translateVaadinUri(icon); - itemHtml = "\"\"" + itemHtml; + itemHtml = "\"\"" + + itemHtml; } String key = opUidl.getStringAttribute("key"); -- cgit v1.2.3 From e680b8f55fadd00fc2a738296d44390eba322e32 Mon Sep 17 00:00:00 2001 
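Review bot: The rewritten `itemHtml = … + itemHtml;` assignment in VOptionGroup is the fix for the icon-URL injection issue named in the subject (#13310), yet it carries no comment saying why the URL is escaped before being concatenated into markup, so a later cleanup could drop the escaping without anything flagging it. A one-line comment above it, `// Escape the translated icon URL: it may derive from user-supplied data and is concatenated into HTML (#13310)`, would protect the fix. The markup literal is stripped in this view, so the exact escaping helper applied to `iconUrl` cannot be verified here; `iconUrl` still comes from `client.translateVaadinUri(icon)` on the unchanged line above. A test asserting the rendered output for an icon URL containing a `"` character would pin the behaviour. The enclosing method starts and ends outside the hunk.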
From: Juho Nurminen Date: Mon, 3 Feb 2014 17:18:45 +0200 Subject: Changed getAbsoluteUrl to use the correct escaping method (#13311) Change-Id: I84cece7ae1c8ede0b77b82d0f84d6550e77af65b --- client/src/com/vaadin/client/Util.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/client/src/com/vaadin/client/Util.java b/client/src/com/vaadin/client/Util.java index 55d3d13c19..aae3dd5458 100644 --- a/client/src/com/vaadin/client/Util.java +++ b/client/src/com/vaadin/client/Util.java @@ -1343,7 +1343,8 @@ public class Util { divElement.getStyle().setDisplay(Display.NONE); RootPanel.getBodyElement().appendChild(divElement); - divElement.setInnerHTML(""); + divElement.setInnerHTML(""); AnchorElement a = divElement.getChild(0).cast(); String href = a.getHref(); -- cgit v1.2.3 From fe6ea5791f916d8ff13f21ff54ac21039cb4a9c6 Mon Sep 17 00:00:00 2001 From: Marc Englund Date: Tue, 11 Feb 2014 15:37:12 +0200 Subject: Release notes updated to describe #13310 #13311 Change-Id: Id1b612a74f2f8717f98a3dca81489425686237f7 --- WebContent/release-notes.html | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/WebContent/release-notes.html b/WebContent/release-notes.html index a11e526c3f..c7e7558e6a 100644 --- a/WebContent/release-notes.html +++ b/WebContent/release-notes.html @@ -41,6 +41,7 @@
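Review bot: The new `divElement.setInnerHTML(…)` line in Util changes how the URL is escaped before the string is handed to the browser's HTML parser and read back through `a.getHref()`, but nothing in the method records that the value lands inside an attribute and therefore needs attribute-context escaping rather than text escaping; a comment above the call such as `// The URL is interpolated into an href attribute of markup the browser parses: escape for attribute context (#13311)` would document the reason the helper was switched. The markup literal is stripped in this view, so which escaping method is now used cannot be confirmed here. The enclosing method, `getAbsoluteUrl`, starts and ends outside the hunk.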
  • Overview of Vaadin @version@ Release
  • +
  • Security fixes
  • Change log for Vaadin @version@
  • Enhancements in Vaadin @@ -75,7 +76,44 @@ href="http://vaadin.com/download/release/@version-minor@/@version-minor@.0/release-notes.html">Release Notes for Vaadin @version-minor@.0.

    - + + +

    Security fixes in Vaadin Framework 7.1.11

    + +

    + Vaadin 7.1.11 fixes two security issues discovered during internal review. +

    +

    Escaping of OptionGroup item icon URLs

    +

    + The issue affects OptionGroup with item icons. Proper escaping of the + src-attribute on the client side was not ensured when using icons for + OptionGroup items. This could potentially, in certain situations, allow + a malicious user to inject content, such as javascript, in order to + perform a cross-site scripting (XSS) attack. +

    +

    + In order for an application to be vulnerable, user provided input must + be used to form a URL used to display an icon for an OptionGroup item, + when showing that Option Group to other users.
    + The vulnerability has been classified as moderate, due to it's limited + application. +

    +

    Escaping of URLs in Util.getAbsoluteUrl()

    +

    + The client side Util.getAbsoluteUrl() did not ensure proper escaping + of the given URL. This could potentially, in certain situations, allow + a malicious user to inject content, such as javascript, in order to + perform a cross-site scripting (XSS) attack. +

    +

    + The method is used internally by the framework in such a manner that it + is unlikely this attack vector can be utilized in practice. However, + third party components, or future use of the method, could make an + attack viable.
    + The vulnerability has been classified as moderate, due to it's limited + application. +

    +

    Change log for Vaadin @version@

    This release includes the following closed issues:

    -- cgit v1.2.3 From ef208a686c9b32a66d317ceaf571a1b0387625bb Mon Sep 17 00:00:00 2001 From: Leif Åstrand Date: Thu, 13 Feb 2014 08:55:48 +0200 Subject: Javadoc formatting fixup Change-Id: If0ddad3f71c5f2cea2c4ed3514ffd392b1489f21 --- server/src/com/vaadin/data/Container.java | 85 +++++++++++++++---------------- 1 file changed, 42 insertions(+), 43 deletions(-) diff --git a/server/src/com/vaadin/data/Container.java b/server/src/com/vaadin/data/Container.java index e93db52a35..ef507c5f31 100644 --- a/server/src/com/vaadin/data/Container.java +++ b/server/src/com/vaadin/data/Container.java @@ -86,7 +86,7 @@ public interface Container extends Serializable { * Gets the {@link Item} with the given Item ID from the Container. If the * Container does not contain the requested Item, null is * returned. - * + *

    * Containers should not return Items that are filtered out. * * @param itemId @@ -108,11 +108,11 @@ public interface Container extends Serializable { * Gets the ID's of all visible (after filtering and sorting) Items stored * in the Container. The ID's cannot be modified through the returned * collection. - * + *

    * If the container is {@link Ordered}, the collection returned by this * method should follow that order. If the container is {@link Sortable}, * the items should be in the sorted order. - * + *

    * Calling this method for large lazy containers can be an expensive * operation and should be avoided when practical. * @@ -145,7 +145,7 @@ public interface Container extends Serializable { /** * Gets the number of visible Items in the Container. - * + *

    * Filtering can hide items so that they will not be visible through the * container API. * @@ -155,7 +155,7 @@ public interface Container extends Serializable { /** * Tests if the Container contains the specified Item. - * + *

    * Filtering can hide items so that they will not be visible through the * container API, and this method should respect visibility of items (i.e. * only indicate visible items as being in the container) if feasible for @@ -235,7 +235,7 @@ public interface Container extends Serializable { /** * Adds a new Property to all Items in the Container. The Property ID, data * type and default value of the new Property are given as parameters. - * + *

    * This functionality is optional. * * @param propertyId @@ -256,7 +256,7 @@ public interface Container extends Serializable { /** * Removes a Property specified by the given Property ID from the Container. * Note that the Property will be removed from all Items in the Container. - * + *

    * This functionality is optional. * * @param propertyId @@ -427,10 +427,8 @@ public interface Container extends Serializable { public interface Sortable extends Ordered { /** - * Sort method. - * * Sorts the container items. - * + *

    * Sorting a container can irreversibly change the order of its items or * only change the order temporarily, depending on the container. * @@ -486,40 +484,34 @@ public interface Container extends Serializable { /** * Get the item id for the item at the position given by - * index.
    - *
    - * Throws: {@link IndexOutOfBoundsException} if - * index is outside the range of the container. (i.e. - * index < 0 || container.size()-1 < index) + * index. + *

    * * @param index * the index of the requested item id * @return the item id of the item at the given index + * @throws IndexOutOfBoundsException + * if index is outside the range of the + * container. (i.e. + * index < 0 || container.size()-1 < index + * ) */ public Object getIdByIndex(int index); /** * Get numberOfItems consecutive item ids from the - * container, starting with the item id at startIndex.
    - *
    - * + * container, starting with the item id at startIndex. + *

    * Implementations should return at most numberOfItems item * ids, but can contain less if the container has less items than * required to fulfill the request. The returned list must hence contain - * all of the item ids from the range:
    - *
    + * all of the item ids from the range: + *

    * startIndex to - * max(startIndex + (numberOfItems-1), container.size()-1).
    - *
    + * max(startIndex + (numberOfItems-1), container.size()-1). + *

    * For quick migration to new API see: * {@link ContainerHelpers#getItemIdsUsingGetIdByIndex(int, int, Indexed)} - * .
    - *
    - * Throws: {@link IllegalArgumentException} if - * numberOfItems is < 0
    - * Throws: {@link IndexOutOfBoundsException} if - * startIndex is outside the range of the container. (i.e. - * startIndex < 0 || container.size()-1 < startIndex) * * @param startIndex * the index for the first item which id to include @@ -529,6 +521,14 @@ public interface Container extends Serializable { * @return List containing the requested item ids or empty list if * numberOfItems == 0; not null * + * @throws IllegalArgumentException + * if numberOfItems is < 0 + * @throws IndexOutOfBoundsException + * if startIndex is outside the range of the + * container. (i.e. + * startIndex < 0 || container.size()-1 < startIndex + * ) + * * @since 7.0 */ public List getItemIds(int startIndex, int numberOfItems); @@ -723,7 +723,6 @@ public interface Container extends Serializable { * Note that being a leaf does not imply whether or not an Item is * allowed to have children. *

    - * . * * @param itemId * ID of the Item to be tested @@ -795,15 +794,15 @@ public interface Container extends Serializable { /** * Add a filter for given property. - * + *

    * The API {@link Filterable#addContainerFilter(Filter)} is recommended * instead of this method. A {@link SimpleStringFilter} can be used with * the new API to implement the old string filtering functionality. - * + *

    * The filter accepts items for which toString() of the value of the * given property contains or starts with given filterString. Other * items are not visible in the container when filtered. - * + *

    * If a container has multiple filters, only items accepted by all * filters are visible. * @@ -836,17 +835,17 @@ public interface Container extends Serializable { /** * Filter interface for container filtering. - * + *

    * If a filter does not support in-memory filtering, * {@link #passesFilter(Item)} should throw * {@link UnsupportedOperationException}. - * + *

    * Lazy containers must be able to map filters to their internal * representation (e.g. SQL or JPA 2.0 Criteria). - * + *

    * An {@link UnsupportedFilterException} can be thrown by the container if a * particular filter is not supported by the container. - * + *

    * An {@link Filter} should implement {@link #equals(Object)} and * {@link #hashCode()} correctly to avoid duplicate filter registrations * etc. @@ -930,7 +929,7 @@ public interface Container extends Serializable { public interface Filterable extends Container, Serializable { /** * Adds a filter for the container. - * + *

    * If a container has multiple filters, only items accepted by all * filters are visible. * @@ -942,7 +941,7 @@ public interface Container extends Serializable { /** * Removes a filter from the container. - * + *

    * This requires that the equals() method considers the filters as * equivalent (same instance or properly implemented equals() method). */ @@ -1023,7 +1022,7 @@ public interface Container extends Serializable { /** * Container Item set change listener interface. - * + *

    * An item set change refers to addition, removal or reordering of items in * the container. A simple property value change is not an item set change. */ @@ -1044,7 +1043,7 @@ public interface Container extends Serializable { * listeners. By implementing this interface a class explicitly announces * that it will generate a ItemSetChangeEvent when its contents * are modified. - * + *

    * An item set change refers to addition, removal or reordering of items in * the container. A simple property value change is not an item set change. * @@ -1097,7 +1096,7 @@ public interface Container extends Serializable { /** * An Event object specifying the Container whose Property set * has changed. - * + *

    * A property set change means the addition, removal or other structural * changes to the properties of a container. Changes concerning the set of * items in the container and their property values are not property set @@ -1116,7 +1115,7 @@ public interface Container extends Serializable { /** * The listener interface for receiving PropertySetChangeEvent * objects. - * + *

    * A property set change means the addition, removal or other structural * change of the properties (supported property IDs) of a container. Changes * concerning the set of items in the container and their property values -- cgit v1.2.3