Servoy 8.1.1

Post by jcompagner » Fri Nov 25, 2016 2:50 pm

We are pleased to announce the availability of Servoy 8.1.1 (release number 3029).

This version is available through the download at the Servoy website
and through the update site URL: http://download.servoy.com/developer/8xx_updates/


Fixes and improvements in this release:

See also for more info about the XSS security stuff: this page

Some extra bug fixes and performance improvements are done for this release compared to the 8.1.1RC:

For the issues fixed, see our wiki: https://wiki.servoy.com/display/DOCS/8.1.1

Previous release notes of 8.1.1RC: this page
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by steve1376656734 » Mon Nov 28, 2016 5:59 pm

I have upgraded to V8.1.1 and have read the stuff on XSS but am struggling to get an element that contains some JavaScript to display in NG Client. The wiki says that to allow elements that contain HTML to be shown "as-is" we need to add a client property to the element using code similar to:

Code:
elements.usernameLabel.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);

The problem I am having is that the element that contains my JavaScript is a Bootstrap label and developer is giving a warning saying that putClientProperty is not defined for the type bootstrap components-label. Anyone any idea how I can get my JavaScript to run (it is a site seal showing that our site is secure and is supplied by the SSL issuer)?

Thanks
Steve
SAN Developer

Re: Servoy 8.1.1

Post by jasantana » Mon Nov 28, 2016 8:07 pm

If it works and you just want to get rid of the warning try this:
elements.usernameLabel["putClientProperty"](APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
Best regards,
Juan Antonio Santana Medina
EAGER BEAVER 2011
EAGER BEAVER 2012
Servoy 6.x - Servoy 7.x - Servoy 8.x - MySQL - PostgreSQL - Visual Foxpro 9

Re: Servoy 8.1.1

Post by steve1376656734 » Mon Nov 28, 2016 9:15 pm

Unfortunately it doesn't seem to work - I am going to try and set the application level property just to see if that solves the issue and go from there.

Steve
Steve
SAN Developer

Re: Servoy 8.1.1

Post by jcompagner » Tue Nov 29, 2016 1:55 pm

I am testing this now, and what are the properties you set on a bootstrap label?
Because the normal label (labelFor == false) has a security issue right now because it will execute JavaScript (trust all HTML) by default.

If you use it with the labelFor property set to true then that one is the opposite: it never allows JavaScript to be executed (no matter what property is set).
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by jcompagner » Tue Nov 29, 2016 2:19 pm

What I don't fully understand is what you are trying to fix here,
because pre-8.1.1 the bootstrap label never even was trusting the HTML. We did what Angular does by default (and that's sanitizing the HTML).
Only with the 8.1.1 release did we add code to the bootstrap label which would also allow JavaScript and so on to be executed (and that was working "too good").

So what does your usernameLabel really do? What is the text value? That is HTML with JavaScript?
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by steve1376656734 » Tue Nov 29, 2016 2:49 pm

I am trying to create an equivalent of our current web client login form using the sampleCrm_login solution as a guide. Having just looked at the original code in order to try and give a good example here, I can see that my original information was incorrect. I was under the impression that we had used a label component to display the site seal but it is in fact an HTML_AREA. My confusion came from bad naming by the original developer who had named the object lblSiteSeal! I was trying to recreate the component using a bootstrap label with the text property set to:

Code:
<span id="siteseal"><script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUbjtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script></span>


So to clarify:-

Can I use a bootstrap-label component with the text property set to this value and should the JavaScript be executed? If so, how do I flag this particular instance of the component as safe to execute the script? Or do I need to use an HTML_AREA field with a form level data provider as previously?

Sorry for the confusion
Steve
Steve
SAN Developer

Re: Servoy 8.1.1

Post by jcompagner » Tue Nov 29, 2016 3:24 pm

Bootstrap label should also just work (for sure the one that is now released).
I will make a new release soon of the bootstrap components that fixes the problem that the above script is always working, and then you really need to do:

elements.label_1.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);

before that will work. (This put property should be done as soon as possible, so in the onload.)
That will give a JavaScript warning because putClientProperty is not seen as a valid method to call on a web component (for this you can create a case so we can add that to the code completion and validation).

So you can use a bootstrap label or an HTML area component, but for both you need to specify that you want to execute JavaScript in the given HTML.
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by jcompagner » Tue Nov 29, 2016 3:32 pm

A new release of the bootstrap components is created: https://github.com/Servoy/bootstrapcomp ... tag/v1.0.6
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by steve1376656734 » Thu Dec 01, 2016 6:28 pm

Hi Johan,

I have downloaded the new release of the bootstrap components and the seal now shows up perfectly in developer but does not show in the browser when I run the solution! If I inspect the element in the browser it looks like the value of the label is becoming corrupted somehow. In developer I have entered the following for the text property:
Code:
<span id="siteseal"><script async type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUbjtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script></span>


But when it is rendered in the browser I can see the following:
Code:
<script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUb>jtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script>


It seems to have a spurious ">" in the middle of the string!

This is the developer image:
developer.png


This is the browser:
browser.png


And this is the HTML that is rendered:
inspecthtml.png


Any ideas?

Thanks
Steve
Steve
SAN Developer

Re: Servoy 8.1.1

Post by jcompagner » Fri Dec 02, 2016 10:56 am

I can't reproduce that; also the span of the siteseal is in a really weird place. It should be inside the span that is below that (with ng-class svy-click).

So please make a sample that shows this.
Johan Compagner
Servoy

Re: Servoy 8.1.1

Post by steve1376656734 » Fri Dec 02, 2016 12:39 pm

I have just gone to try and create a sample that demonstrates this and everything has now changed again :(

The seal still shows in Developer, but the browser now has the span in the correct place but it is empty. It will only show in the browser if I add:
Code:
   elements.lblSiteSeal.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);


to the onLoad event. Should that be the case? It also gives me a warning that putClientProperty is undefined for bootstrapcomponents-label but it works :D

Looks like the original problem was sorted by a reboot overnight.

Thanks
Steve
Steve
SAN Developer

Re: Servoy 8.1.1

Post by jcompagner » Fri Dec 02, 2016 1:11 pm

Yes, that is what you need to do.
You need to tell Servoy (or the component) that it should execute the JavaScript tag. By default that will be filtered out.
Johan Compagner
Servoy
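
The opt-in this thread arrives at, wrapped in a guard, as an added example that is not part of the original posts and not Servoy's code: it sets the trust property only when the element's markup loads scripts solely from allow-listed HTTPS hosts. The helper names, the allow-list, the constructed sample markup and reading the markup from `element.text` are assumptions.

```javascript
// Added example (not Servoy's code). Plain ES5 so it can also be pasted into a Servoy form script.
var ALLOWED_SCRIPT_HOSTS = ['seal.godaddy.com']; // host of the seal script quoted in the thread
// Constructed sample markup; the sealID value is a placeholder.
var SAMPLE_SEAL = '<span id="siteseal"><script async type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=CONSTRUCTED-ID"></script></span>';

// Host of an https URL, or null for anything else (http, protocol-relative, userinfo tricks).
function scriptHost(src) {
    var m = /^https:\/\/([a-z0-9.-]+)(?::\d+)?(?:[\/?#]|$)/i.exec(src);
    return m ? m[1].toLowerCase() : null;
}

// Lists reasons NOT to trust a developer-authored markup constant; an empty list means OK.
// Heuristic pre-check for static strings only, not a sanitizer for user-supplied data.
function auditTrustedMarkup(markup, allowedHosts) {
    var problems = [], matched = 0;
    var tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
    var tag;
    while ((tag = tagRe.exec(markup)) !== null) {
        matched++;
        var src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag[1]);
        if (!src || /\S/.test(tag[2])) {
            problems.push('inline script body or missing src');
            continue;
        }
        var host = scriptHost(src[1] !== undefined ? src[1] : src[2]);
        if (host === null || allowedHosts.indexOf(host) === -1) {
            problems.push('script src not on allow-list: ' + (src[1] || src[2]));
        }
    }
    if ((markup.match(/<script\b/gi) || []).length !== matched) problems.push('malformed script tag');
    if (/<[^>]*\son[a-z]+\s*=/i.test(markup)) problems.push('inline event handler attribute');
    if (/javascript\s*:/i.test(markup)) problems.push('javascript: URL');
    return problems;
}

// Opt the element in only when the audit is clean. Bracket notation is the workaround
// from the thread for the "putClientProperty is not defined" warning.
// Assumption: the component exposes its markup as element.text.
function trustIfStatic(element, trustKey, allowedHosts) {
    var problems = auditTrustedMarkup(String(element.text), allowedHosts);
    if (problems.length === 0) element['putClientProperty'](trustKey, true);
    return problems;
}

// In a form's onLoad (Servoy runtime only):
//   trustIfStatic(elements.lblSiteSeal, APP_UI_PROPERTY.TRUST_DATA_AS_HTML, ALLOWED_SCRIPT_HOSTS);
```

Keep the trust property off any element whose text comes from a data provider that users can write to; the audit above only makes sense for markup the developer typed in.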