Hey developers,
I want to redirect from A page to B, in editing mode and also some variables in url. But it gives me an error if I try to redirect it to a page in editing mode from the WebHome page of my Xwiki. Please suggest.
Thank you
Prachi Maheshwari
Hi everyone,
Tomorrow is BFD 37.
We're currently at 3158 bugs created over 1400 days vs 3167 closed, so we're good for 1400 days:
http://jira.xwiki.org/secure/Dashboard.jspa?selectPageId=10352
I'm proposing to increase to 1500 days which gives us:
* 3485 created vs 3394 closed, i.e. 91 bugs to catch up with
This seems reasonable to reach before the end of the 5.x cycle (we could probably go even a bit higher later on once we reach it).
WDYT?
Here's the BFD#37 dashboard to follow the progress during the day:
http://jira.xwiki.org/secure/Dashboard.jspa?selectPageId=11697
Let's crush bugs!
Thanks
-Vincent
Issue :
* Since XWiki.Admin is packaged in xwiki-platform-administration-ui, it
comes with xwiki-enterprise-ui-wiki (which is the subwiki default UI).
* XWiki.Admin is a member of XWiki.XWikiAdminGroup and XWiki.XWikiAllGroup,
which are also bundled in xwiki-platform-administration-ui.
* WorkspaceManager.Install removes XWiki.Admin from workspacetemplate, in
order to not have local admin in new workspaces.
* When we upgrade subwikis, DW does not install XWiki.Admin (DW is aware
that the user has been intentionally removed), but the merge of
XWiki.XWikiAllGroup does not work well: it adds XWiki.Admin to the group.
* That leads us to: http://jira.xwiki.org/browse/XWIKI-9501 (The local
admin does not exist, but she is a member of XWiki.XWikiAllGroup).
+ I think the WorkspaceManager.Install trick is not clean.
My proposal is to *move XWiki.Admin to XE mainwiki*.
But it breaks the *functional tests* that need to *log in as* an admin. It
can be solved by using the *superadmin*!
+ When DW does the first install, it should use superadmin too, so all
default macros come with the rights of superadmin.
Here is my +1.
Thanks,
Louis-Marie
Hi,
I'm making an application that makes an AJAX request frequently from page to
page in xwiki.
About 1 per 10s
The request looks like this:
    $.ajax({
        type: "GET",
        crossDomain: true,
        url: "/xwiki/bin/get/Lib/LibPage?outputSyntax=plain",
        dataType: 'text',
        data: data2send,
        success: function(result) {...},
        error: function(xhr, status, error) {
            console.log(error);
            console.log(status);
            console.log(xhr);
        }
    });
And the response is as simple as a text or something like a JSON Map, List.
I took a look at jconsole and here it is
<http://xwiki.475771.n2.nabble.com/file/n7587262/9-26-2013_1-51-09_PM.jpg>
Please help! I don't understand how xwiki works on this.
Thanks in advance.
--
View this message in context: http://xwiki.475771.n2.nabble.com/Frrequently-AJAX-request-caused-PernGen-E…
Sent from the XWiki- Dev mailing list archive at Nabble.com.
Hey Everyone,
I have been using Xwiki for a month now and I am pretty familiar with it. But I want to manually code now in any of the languages (groovy||velocity||java) to create a new entry in the application with the same form outlet and some default values. Can someone suggest how to go about this?
Thanks.
I want two long descriptions on my creating an entry page for different kind
of information. But even if I select two Description Field Palates while
customizing the application there is only one which comes while creating a
new Entry in that application. Can someone please suggest me the other way
of doing it.
Hey all,
I have created a new application(appwithinmins) from the create your own functionality of xwiki.
Now I want to add an entry, so I do add an entry on my application homepage. But I want to pass some default values in the form so that it remains there and repopulate the creating the new entry form.
Also is there any class or plug in that I can use to modify or change 'Add an Entry' function on the homepage of the application created.
How to do this? Can anyone help?
Thanks.
-----Original Message-----
From: devs-bounces(a)xwiki.org [mailto:devs-bounces@xwiki.org] On Behalf Of devs-request(a)xwiki.org
Sent: Tuesday, September 24, 2013 5:05 PM
To: devs(a)xwiki.org
Subject: devs Digest, Vol 75, Issue 54
Send devs mailing list submissions to
devs(a)xwiki.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.xwiki.org/mailman/listinfo/devs
or, via email, send a message with subject or body 'help' to
devs-request(a)xwiki.org
You can reach the person managing the list at
devs-owner(a)xwiki.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of devs digest..."
Today's Topics:
1. Regarding editing the redirecting page (Prachi Maheshwari)
2. Re: While creating an new entry on a new application/ Editing
the application (prachi maheshwari)
3. Re: Reading Get/Post variables from url (prachi maheshwari)
4. Re: Regarding editing the redirecting page
(Clemens Klein-Robbenhaar)
5. Regarding redirecting using Url variables (Prachi Maheshwari)
6. Re: Security concerns (Thomas Delafosse)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 Sep 2013 16:04:10 +0000
From: Prachi Maheshwari <prachi.maheshwari(a)netboss.com>
To: "devs(a)xwiki.org" <devs(a)xwiki.org>
Subject: [xwiki-devs] Regarding editing the redirecting page
Message-ID:
<1baead0e63224f38ae46fcdd5ec57e37(a)BL2PR05MB196.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Hey everyone,
I have created a redirecting page in my Xwiki space (say A) which redirects every request that comes to it to another page (say B). Now I want to modify some things in Page A, but cannot since it's redirected to B every time. I have tried http:/<server>/Device/Default+Device?language=en and also http:/<server>/Device/Default+Device?editor=WYSIWYG;
but nothing is helping, with everything I go to page B. I want to edit page A so please tell me some other way.
------------------------------
Message: 2
Date: Tue, 24 Sep 2013 09:11:41 -0700 (PDT)
From: prachi maheshwari <prachi.maheshwari(a)netboss.com>
To: devs(a)xwiki.org
Subject: Re: [xwiki-devs] While creating an new entry on a new
application/ Editing the application
Message-ID:
<5051ce6db66f4d698e9eac7c5ef1630e(a)BL2PR05MB196.namprd05.prod.outlook.com>
Content-Type: text/plain; charset=us-ascii
Hey Marius,
I have tried working with two Long text field palates and I have removed one content box. But now when I create an entry it doesn't show me any of the two long text boxes.
Do I have to change somewhere else also? To get them displayed on my creating the entry page?
thanks
From: Marius Dumitru Florea [via XWiki] [mailto:ml-node+s475771n7587235h16@n2.nabble.com]
Sent: Tuesday, September 24, 2013 5:16 AM
To: Prachi Maheshwari
Subject: Re: While creating an new entry on a new application/ Editing the application
I'm guessing that you are trying to add two 'Content' fields. Only one is allowed. See http://jira.xwiki.org/browse/XWIKI-8585 . You should use the 'Long Text' field instead. See http://extensions.xwiki.org/xwiki/bin/view/Extension/App+Within+Minutes+App… . If you already tried this then make sure the application was properly saved.
Hope this helps,
Marius
On Mon, Sep 23, 2013 at 9:49 PM, prachi maheshwari <[hidden email]> wrote:
> I want two long descriptions on my creating an entry page for
> different kind of information. But even if I select two Description
> Field Palates while customizing the application there is only one
> which comes while creating a new Entry in that application. Can
> someone please suggest me the other way of doing it.
------------------------------
Message: 3
Date: Tue, 24 Sep 2013 09:12:32 -0700 (PDT)
From: prachi maheshwari <prachi.maheshwari(a)netboss.com>
To: devs(a)xwiki.org
Subject: Re: [xwiki-devs] Reading Get/Post variables from url
Message-ID:
<46387884658642d8b3926fd614376d18(a)BL2PR05MB196.namprd05.prod.outlook.com>
Content-Type: text/plain; charset=UTF-8
Thank you everyone.
$request.get("param"); works
Thanks
From: Denis Gervalle-2 [via XWiki] [mailto:ml-node+s475771n7587236h47@n2.nabble.com]
Sent: Tuesday, September 24, 2013 5:47 AM
To: Prachi Maheshwari
Subject: Re: Reading Get/Post variables from url
On Tue, Sep 24, 2013 at 10:02 AM, Valdis Vītoliņš <[hidden email]> wrote:
> In short:
> $request.getParameter('param')
>
In shorter: :)
$request.param
PS: Your question is appropriate for the user list, the devs list is about the development of XWiki itself. See http://dev.xwiki.org/xwiki/bin/view/Community/MailingLists. Thanks.
>
> Valdis
> > Hi,
> >
> > You have access to the request from velocity and groovy, check for
> > $request in scripting reference [1].
> >
> > [1] http://platform.xwiki.org/xwiki/bin/view/SRD/Navigation
> >
> > Br,
> > Jeremie
> > On 23 Sept. 2013 20:52, "prachi maheshwari" <[hidden email]> wrote:
> >
> > > Hey everyone,
> > > I wanna read and access the variables passed in url in Velocity on
> > > different Xwiki Pages. Please suggest me a method. I have tried
> > > something in groovy and velocity but I want to use only one
> > > macro/language for it.
> > > Thanks
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
------------------------------
Message: 4
Date: Tue, 24 Sep 2013 18:37:15 +0200
From: Clemens Klein-Robbenhaar <c.robbenhaar(a)espresto.com>
To: devs(a)xwiki.org
Subject: Re: [xwiki-devs] Regarding editing the redirecting page
Message-ID: <5241BFBB.1050406(a)espresto.com>
Content-Type: text/plain; charset=ISO-8859-1
On 09/24/2013 06:04 PM, Prachi Maheshwari wrote:
> Hey everyone,
> I have created a redirecting page in my Xwiki space(say A) which
> redirects every request that comes to it to other page(say B). Now I
> want to modify some things in the Page A, but cannot since its
> redirected to B every time. I have tried
> http:/<server>/Device/Default+Device?language=en and also
> http:/<server>/Device/Default+Device?editor=WYSIWYG;
> but nothing is helping, with everything I goto page B. I want to edit
> page A so please temme some other way.
>
How did you create the redirect?
You need to tell XWiki you want to have the edit view, so maybe something like http:/<server>/edit/Device/Default+Device?editor=WYSIWYG might help
Clemens
------------------------------
Message: 5
Date: Tue, 24 Sep 2013 20:46:01 +0000
From: Prachi Maheshwari <prachi.maheshwari(a)netboss.com>
To: "devs(a)xwiki.org" <devs(a)xwiki.org>
Subject: [xwiki-devs] Regarding redirecting using Url variables
Message-ID:
<292aef4f1b5b4584a17e4a6874223c9a(a)BL2PR05MB196.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
Hey everyone, I am using
$response.sendRedirect("http://<server>/abc?A=${A}&B=${B})
For redirecting onto another page. I also need to pass some variables from the url but this ain't working. Please help.
Also, I am passing four to five variables and the url is getting broken and only passes value until a limit only.
So, is there any kind of limit for the url length for xwiki specifically??
Also is there any other method for doing so??
-----Original Message-----
From: devs-bounces(a)xwiki.org [mailto:devs-bounces@xwiki.org] On Behalf Of devs-request(a)xwiki.org
Sent: Tuesday, September 24, 2013 8:00 AM
To: devs(a)xwiki.org
Subject: devs Digest, Vol 75, Issue 53
Today's Topics:
1. Re: Reading Get/Post variables from url (Valdis Vītoliņš)
2. Re: While creating an new entry on a new application/ Editing
the application (Marius Dumitru Florea)
3. Re: Reading Get/Post variables from url (Denis Gervalle)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 Sep 2013 11:02:10 +0300
From: Valdis Vītoliņš <valdis.vitolins(a)odo.lv>
To: XWiki Developers <devs(a)xwiki.org>
Subject: Re: [xwiki-devs] Reading Get/Post variables from url
Message-ID: <1380009730.2421.0.camel@vostro>
Content-Type: text/plain; charset="UTF-8"
In short:
$request.getParameter('param')
Valdis
> Hi,
>
> You have access to the request from velocity and groovy, check for
> $request in scripting reference [1].
>
> [1] http://platform.xwiki.org/xwiki/bin/view/SRD/Navigation
>
> Br,
> Jeremie
> On 23 Sept. 2013 20:52, "prachi maheshwari"
> <prachi.maheshwari(a)netboss.com> wrote:
>
> > Hey everyone,
> > I wanna read and access the variables passed in url in Velocity on
> > different Xwiki Pages. Please suggest me a method. I have tried
> > something in groovy and velocity but I want to use only one
> > macro/language for it.
> > Thanks
------------------------------
Message: 2
Date: Tue, 24 Sep 2013 12:15:29 +0300
From: Marius Dumitru Florea <mariusdumitru.florea(a)xwiki.com>
To: XWiki Developers <devs(a)xwiki.org>
Subject: Re: [xwiki-devs] While creating an new entry on a new
application/ Editing the application
Message-ID:
<CALZcbBariN8a-tX+7LKaUt8utFOJWZKf6CNhwr2t-PUDp_FVLg(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
I'm guessing that you are trying to add two 'Content' fields. Only one is allowed. See http://jira.xwiki.org/browse/XWIKI-8585 . You should use the 'Long Text' field instead. See http://extensions.xwiki.org/xwiki/bin/view/Extension/App+Within+Minutes+App… . If you already tried this then make sure the application was properly saved.
Hope this helps,
Marius
On Mon, Sep 23, 2013 at 9:49 PM, prachi maheshwari <prachi.maheshwari(a)netboss.com> wrote:
> I want two long descriptions on my creating an entry page for
> different kind of information. But even if I select two Description
> Field Palates while customizing the application there is only one
> which comes while creating a new Entry in that application. Can
> someone please suggest me the other way of doing it.
------------------------------
Message: 3
Date: Tue, 24 Sep 2013 11:46:13 +0200
From: Denis Gervalle <dgl(a)softec.lu>
To: valdis.vitolins(a)odo.lv, XWiki Developers <devs(a)xwiki.org>
Subject: Re: [xwiki-devs] Reading Get/Post variables from url
Message-ID:
<CADb+PMpE6oaj=cJ4EQvE5_9X+4NvtHFSQ_kZV1v=WMC9v5GcNQ(a)mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Tue, Sep 24, 2013 at 10:02 AM, Valdis Vītoliņš <valdis.vitolins(a)odo.lv> wrote:
> In short:
> $request.getParameter('param')
>
In shorter: :)
$request.param
PS: Your question is appropriate for the user list, the devs list is about the development of XWiki itself. See http://dev.xwiki.org/xwiki/bin/view/Community/MailingLists. Thanks.
>
> Valdis
> > Hi,
> >
> > You have access to the request from velocity and groovy, check for
> > $request in scripting reference [1].
> >
> > [1] http://platform.xwiki.org/xwiki/bin/view/SRD/Navigation
> >
> > Br,
> > Jeremie
> > On 23 Sept. 2013 20:52, "prachi maheshwari" <prachi.maheshwari(a)netboss.com> wrote:
> >
> > > Hey everyone,
> > > I wanna read and access the variables passed in url in Velocity on
> > > different Xwiki Pages. Please suggest me a method. I have tried
> > > something in groovy and velocity but I want to use only one
> > > macro/language for it.
> > > Thanks
--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
------------------------------
Message: 6
Date: Tue, 24 Sep 2013 23:04:56 +0200
From: Thomas Delafosse <thomas.delafosse(a)xwiki.com>
To: XWiki Developers <devs(a)xwiki.org>
Subject: Re: [xwiki-devs] Security concerns
Message-ID:
<CAHXP8+cXffA=N=HMvEc6z_co+qPyT8pP44D6sMUgMTpMv_g-nA(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello Christian,
Sorry to have been so long before answering ! Here's at least a
little patch that you can easily apply to make HTML macro secure. Note that
a lot of HTML macros that are in wikis default pages won't work anymore !
Note also that you need the JSOUP package (http://jsoup.org/download) in
your wiki libs to make it work, as this is the library I used for the
verification of the html macro content. For more liberty, you can instead
try to make a custom verification such as the one I made for the wiki
syntax, it's up to you :). To finish, note also that you should skip the
tests when building the new xwiki-rendering-macro-html package, as I didn't
adapt them (these tests contain quite a lot of tags and attributes that
should be forbidden for security reasons).
As I probably said earlier, a cleaner way to do that is to put the html
macro in the platform code, and to add a check for programming rights. I
got something like that somewhere, but I should rework it a bit when I got
some time to do it. But at least this patch should let you see how this is
supposed to work !
Of course if you have any questions, feel free to ask them, and I would try
to reply a bit faster this time ;)
Hope this helps !
Thomas
On Tue, Sep 17, 2013 at 11:34 AM, Vincent Massol <vincent(a)massol.net> wrote:
>
> On Sep 17, 2013, at 10:26 AM, Christian Meunier <christian.meunier(a)magelo.com> wrote:
>
> > Thanks Vincent for the heads up !
> >
> > Any chance Marius or some other dev can have a look the XSS in wiki Syntax PR ?
> > https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662
> >
> > I have tested it, beside the bug I have spotted, it worked just fine for me.
> >
> > Would be nice to include this one in 5.2 because right now, it just too
> > trivial to do XSS injection with the wiki syntax..
>
> It seems too large a patch to make it in 5.2 now (we're reaching RC1) but
> it could go in 5.3M1.
>
> Thanks
> -Vincent
>
> > Thanks !
> >
> > --
> > Chris
> >
> > On 9/17/2013 14:43, Vincent Massol wrote:
> >> Hi Christian,
> >>
> >> On Sep 17, 2013, at 8:16 AM, Christian Meunier <christian.meunier(a)magelo.com> wrote:
> >>
> >>> Hi Thomas,
> >>>
> >>> Hope you had good holidays !
> >>>
> >>> I was wondering if you could give me an update on the work you started
> >>> for the html macro ?
> >>> Btw, have you noticed my comment on
> >>> https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662 ?
> >>>
> >>> Also, question for the devs, I see that the 5.2 is near the corner and
> >>> yet many of Thomas's security PRs are still pending..
> >> Several have been applied (by Marius).
> >>
> >>> Shouldnt those security PRs be a priority ? Is there a roadmap/target
> >>> for those ?
> >> FYI ThomasD was working lately on signed scripts which will fix a lot
> >> of current potential security issues. This is a big piece of work. I said
> >> "was" because Thomas is now going abroad in the context of his school
> >> studies and will probably be less available. The good news is that Denis
> >> Gervalle has agreed to carry on his work and more generally to focus on
> >> security issues for the coming 3 months at least.
> >>
> >> So you should see progress in this area :)
> >>
> >> Thanks
> >> -Vincent
> >>
> >>> Thanks !
> >>>
> >>> --
> >>> Chris
> >>>
> >>> On 8/10/2013 05:10, Thomas Delafosse wrote:
> >>>> Hello Christian,
> >>>>
> >>>> It's nice to see that you are interested in XWiki security :)
> >>>> As for the secure html macro I've been working on, there's no PR made for
> >>>> it (the issue was that it was breaking a lot of panels that were using
> >>>> unsafe html code thanks to this macro), but I would try to create a branch
> >>>> on github with the corresponding code when I have time. To sum up what I've
> >>>> done, I just used a library called JSoup which allows to easily deal with
> >>>> whitelists (see http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for
> >>>> example). And as I wanted to let users with Programming Rights use the HTML
> >>>> macro without restriction, I had to put my "secure" html macro in
> >>>> xwiki-platform instead of xwiki-rendering, so that my whitelist check is
> >>>> not used against these users.
> >>>> BTW let me know if there any issue you get with my other XSS PR and don't
> >>>> hesitate to contact me if you have questions or suggestions about what I've
> >>>> done there (or for other security matters !). As Vincent said, I'm in
> >>>> holidays right now, so I could be slow to answer, but I won't forget you ;).
> >>>>
> >>>> Thanks !
> >>>>
> >>>> Thomas
> _______________________________________________
> devs mailing list
> devs(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
>
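The whitelist check described in the message above (jsoup Whitelist applied to HTML macro content, bypassed for authors with Programming Rights), as an added example that is not part of the original message and is not the patch it mentions. The class name, the check method, the authorHasProgrammingRights flag and the chosen policy are assumptions made for illustration; only the Jsoup and Whitelist calls are jsoup's own API.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Added illustration: whitelist check of HTML macro content with jsoup.
 * Class, method and parameter names are hypothetical; this is not the
 * patch from the thread.
 */
public class HtmlMacroContentCheck {

    /**
     * Assumed policy for authors without Programming Rights: jsoup's relaxed
     * whitelist plus a class attribute on div and span. Elements, attributes
     * and URL protocols that are not listed (script, style, iframe, on*
     * handlers, javascript: links) are refused.
     * Newer jsoup releases name this class Safelist.
     */
    private static final Whitelist POLICY = Whitelist.relaxed()
            .addTags("span")
            .addAttributes("div", "class")
            .addAttributes("span", "class");

    /** Outcome of checking one macro body. */
    static final class Result {
        final boolean accepted; // true if the body conforms to the policy
        final String html;      // content that may be rendered

        Result(boolean accepted, String html) {
            this.accepted = accepted;
            this.html = html;
        }
    }

    /**
     * Checks one HTML macro body. The boolean stands in for the platform's
     * rights check, which is why the thread places this logic in
     * xwiki-platform rather than xwiki-rendering.
     */
    static Result check(String macroBody, boolean authorHasProgrammingRights) {
        if (authorHasProgrammingRights) {
            // Trusted authors bypass the whitelist, as described in the thread.
            return new Result(true, macroBody);
        }
        // isValid reports whether the body already conforms to the policy;
        // clean returns a copy with everything outside the policy removed.
        boolean valid = Jsoup.isValid(macroBody, POLICY);
        return new Result(valid, Jsoup.clean(macroBody, POLICY));
    }

    public static void main(String[] args) {
        // Constructed sample macro bodies.
        String[] samples = {
            "<p>Build status: <strong>green</strong></p>",
            "<div class=\"box\">Hello<script>alert(1)</script></div>",
            "<a href=\"javascript:alert(1)\">details</a>",
            "<img src=\"http://example.org/logo.png\" onerror=\"alert(1)\">"
        };
        for (String body : samples) {
            Result untrusted = check(body, false);
            Result trusted = check(body, true);
            System.out.println("input: " + body);
            System.out.println("  without programming rights: accepted="
                    + untrusted.accepted + " rendered=" + untrusted.html);
            System.out.println("  with programming rights:    accepted="
                    + trusted.accepted + " rendered=" + trusted.html);
        }
    }
}
```

A macro that rejects rather than rewrites would show an error whenever accepted is false instead of rendering the cleaned markup.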
Hi everyone,
I have played some more with Xwiki over the week-end, and some security
issues came up, namely:
1) User own profile:
Any given user has the right to edit his own profile, so far so good
when the given user is in normal mode and the edit defaults to the
inline form. Now things get ugly when he switches to the advanced mode
and suddenly can add/update/delete objects and rights. For example he
can delete his Xwiki.users object and instantly completely break his
account. He can mess up with permissions, like granting others
permissions to his profile.
I am using a custom authentication/sso mechanism and when I create the
user on the fly, I among other things, store the userId from our system
into the XWiki.users (added one Int property). Suddenly, the user can
even change that value...
He can also rename his profile, effectively renaming his username...
which in a sandbox environment might not be too much of an issue, even
if I find it a little weird that users can change their identity on
their own as often as they want, but when the wiki system is coupled with
another system, it's just a disaster...
2) User in advanced mode
Generally speaking, users in advanced mode seem to be able to do things
that I didn't foresee with just the edit permission:
- I could grant myself the delete permission on pretty much any
page I have edit permission and therefore deleting the pages
- I could add/update/delete pretty much any objects on any page I
have edit permission including XWiki.XWikiRights instances which seems
to cover the ACL specific to the page. I granted there myself
programming rights, it does not seem to work however the ACL is saved
just fine...
Regarding the ACL, I strongly suggest that on the Access Rights page,
when the permission is blank (delegating upstream), the given permission
should be still visible (with a tooltip indicating from where the
permission has been inherited), maybe in parenthesis just after the
checkmark box. It is crucial that on any page/space/wiki, an admin is
able to review the effective permissions of that given page/space/wiki.
Otherwise, it makes reviewing permissions a nightmare really quickly.
3) HTML macro
This is more a question on the best way to make sure the HTML macro will
filter out specific stuff to prevent script injection ? From what I
understand, the macro cannot be removed at the moment but I am not sure
what is the best way to secure it.
Regarding 1 & 2, hopefully I am overlooking something but I looked
around and could not find any thing obvious.
Using Xwiki Enterprise 5.1
Thanks in advance for your help !
--
Chris