Comments (5)
There is now a fix in place for the label and link elements for the qvt (/qapps) and vuet (/vapps) render modes. See this commit in moqui-runtime:
From a bit of research the best solution seems to be adding the v-pre
attribute to an element wrapping the text so that the text is not interpreted by Vue JS, avoiding the template injection issue and resulting in the text just being displayed.
There does not seem to be a way to encode the text so that it is not interpreted. This means that for any custom Vue templates, or any other places in the framework we discover over time, the v-pre attribute will need to be adding (possibly in a wrapping span element like I did for the link macros so that it doesn't break the intended parts of the template because it seems to disable Vue template interpretation for the element with a v-pre attribute as well as the contents of the element!).
This fixes the issue for the Product Store screen and various others. If you find any other places this happens please let me know, in this issue or another one.
from moqui-framework.
Hello @jonesde is this a valid bug? how to fix it?
from moqui-framework.
Was able to reproduce. Thank you @Narmu-1 for figuring this out!
from moqui-framework.
How to fix this is another question. Some ideas are server side validation of {{ or }} (handling potential whitespace) for all fields by default, add server side escaping for { and } characters such as https://v2.vuejs.org/v2/guide/security#HTML-content, or/and changing the ftl templates to sanitize output characters.
from moqui-framework.
thanks @acetousk for confirming. Can you please assign the labels for this issue.
Regards.
from moqui-framework.
Related Issues (20)
- Need to support custom SQL HOT 1
- Connection pool issues HOT 3
- docker - moqui server not running https://moqui.local HOT 2
- CVE-2023-26049 (Medium) detected in jetty-http-10.0.13.jar HOT 1
- CVE-2023-26048 (Medium) detected in jetty-server-10.0.13.jar HOT 1
- CVE-2023-24998 (High) detected in commons-fileupload-1.4.jar HOT 1
- When entity find has pk and other conditions, only pk takes effect
- WS-2023-0236 (Low) detected in jetty-xml-10.0.13.jar, jetty-xml-10.0.15.jar - autoclosed HOT 2
- CVE-2023-34478 (Critical) detected in shiro-core-1.11.0.jar HOT 1
- Xss risk HOT 3
- Issues when using sendJsonResponse in service for rest call HOT 4
- If the parameter type of service is BigDecimal, it will be unconditionally cast. HOT 1
- After clicking "Clear Parameters" to query the order, the query results are incorrect
- After the order is unapproved, an error is reported when importing inventory HOT 1
- Catalog/Search: ordering is broken HOT 1
- Any plans to upgrade to Java 17 or Java 21? HOT 2
- 100% CPU for pressure testing database HOT 4
- Is jetty mode startup of Moqui not supporting HTTPS? HOT 2
- CVE-2023-46750 (Medium) detected in shiro-web-1.12.0.jar HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from moqui-framework.