Fix xss vulnerability (#924)

* Fix XSS vulnerability for Distribution Set and Software Module field
* Fix XSS vulnerability for Artifact Details of header in Upload view
* Fix XSS vulnerability in Distribution View Software Module box show artifact details window and fix SonarQube issue
* Fix XSS vulnerability in Upload View Software Module field manage metadata
* Fix XSS vulnerability for Notifications when creating or deleting new or existing Distributions or Software Modules plus adapting error notifications when trying to duplicate
* Fix XSS vulnerability for Distributions View when assigning sm to dist confirmation popup text
* Fix XSS vulnerability for Distributions View modules tab of distribution value of SoftwareModule
* Fix XSS vulnerability for Deployment View assigned tab of target which has risky distribution assigned
* Fix XSS vulnerability in Deployment view action history (of) field and eliminate bugs
* Fix XSS vulnerability bug in Deployment View Action history of field
* Fix XSS vulnerability for Distributions View Module tab as it rendered tool tip
* Fix XSS vulnerability formatting
* Invented some IDs to ease testing regarding XSS vulnerability
* Fix XSS peer review findings
* Fix XSS vulnerability for Distribution Set and Software Module field
* Resolve merge conflicts

Signed-off-by: Ammar Bikic <ammar.bikic@bosch-si.com>
This commit is contained in:
amic
2020-01-27 14:41:07 +01:00
committed by Stefan Behl
parent 62c876a435
commit 6c162b2e93
19 changed files with 336 additions and 176 deletions

View File

@@ -38,7 +38,7 @@ $generic-text-font-size: $generic-text-font-scale * $v-font-size;
//Report widget max icon style
.icon-only {
@include sp-icon-style($sp-button-size : $icon-font-size);
@include sp-icon-style($sp-button-size: $icon-font-size);
margin-bottom: 12px !important;
margin-right: 6px !important;
}
@@ -91,6 +91,39 @@ $generic-text-font-size: $generic-text-font-scale * $v-font-size;
-webkit-text-overflow: ellipsis;
}
.text-bold {
font-weight: bold !important;
}
.v-Notification-error .v-icon {
color: white;
}
.header-caption-right {
padding-right: 0.5em;
}
.avoid-tooltip {
pointer-events: none !important;
}
//This was needed to make the split of prefix "Artifact details of"
//and the actual value "smName:smVersion" in context of the XSS vulnerabilities
//possible after changing ContentMode
//from HTML to TEXT. As no Labels allowed at the windows caption field of the
//artifact details window , decision was made to use the methods
//Window.setAssistivePrefix() and Window.setAssistivePostfix() to solve the XSS-problem.
//Both, assistive postfix and prefix are usually not visible on the page and only for
//assistive purpose, but with overwriting this third party html class it's a possible
//workaround for the XSS vulnerability. I added a comment in the generic-styles.scss.
.v-assistive-device-only {
position: static;
top: auto;
left: auto;
width: auto;
overflow: visible;
}
.v-panel,
.v-textfield {
background: $widget-bg;

View File

@@ -169,7 +169,7 @@
//confimation dialogue popup - Content margin adjustment
.confirmbox-question-label {
margin: 0 8px 8px;
margin: 15px 8px 18px 8px;
}
.bulk-upload-button{

View File

@@ -98,9 +98,9 @@ distribution.set.tag.updated.event.container.notifcation.message=distribution se
caption.filter.by.type = Filter by type
caption.bulk.upload = Bulk Upload
caption.action.history = Action history
caption.action.history.for = Action history for {0}
caption.action.history.for = Action history for
caption.artifact.details = Artifact Details
caption.artifact.details.of = Artifact Details of {0}
caption.artifact.details.of = Artifact Details of
caption.action.states= Action States
caption.action.messages = Messages
caption.error = Error