valdisiljuconoks / optimizely-advanced-contentarea
Optimizely content area renderer on steroids
License: Apache License 2.0
Either via ViewData
or any other mechanism
In the initialization the BootstrapAwareContentAreaRenderer is added as a Singleton. However multiple threads may be calling the Render() method. The Render method may change the class's properties such as the ContentAreaTag.
This becomes an intermittent error where sometimes the ContentArea items are displayed with the wrong template because the template controller uses the wrong tag.
To reproduce the error locally, I used JMeter to hit my site with multiple threads. I have a ContentArea that is sometimes rendered with a tag and sometimes without the tag.
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.1.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2019-06-11
URL: WS-2018-0590
Type: Upgrade version
Origin: kpdecker/jsdiff@2aec429
Release Date: 2019-06-11
Fix Resolution: 3.5.0
Step up your Open Source Security Game with WhiteSource here
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.6.0
Would it be possible to have more selections for screen sizes? Something like:
Display on large screen as: Display options
Display on medium screen as: Display options
Display on small screen as: Display options
Display on extra small screen as: Display options
That way we could gain more control over how to fallback on smaller views. What do you think?
More details on possible solution: http://world.episerver.com/Modules/Forum/Pages/thread.aspx?id=114327&pageIndex=1#reply
I am looking for a simple way to set the display mode globally to a custom mode that disables the layout features. I have a need to do this since adding the current default messes up the design of our site, and it will take time to rework components to support it. In the meantime we want to opt-in to using the layout features one place at a time. The only way I could think of doing this was adding a "none" option that does not have any css class patterns, and I simply want to make it the default everywhere if possible. Any ideas how this can be done, or if a feature can be added?
Can we push the latest and greatest to nuget feed?
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Versions of the tar module earlier than 2.0.0 allow archives to contain symbolic links that will overwrite targets outside the expected path for extraction.
Publish Date: 2015-11-03
URL: WS-2015-0025
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/57
Release Date: 2015-11-03
Fix Resolution: Update to a version 2.0.0 or greater
There is sometimes an InvalidOperationException inside the RegisterDisplayModesInitModule.
2015-04-08 11:27:58,614 [1] ERROR EPiServer.Framework.Initialization.InitializationEngine: Initialize action failed for Initialize on class EPiBootstrapArea.Initialization.RegisterDisplayModesInitModule, EPiBootstrapArea, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null
System.InvalidOperationException: Collection was modified; enumeration operation may not execute.
at System.Collections.Generic.List`1.Enumerator.MoveNextRare()
at EPiServer.Framework.Localization.ProviderBasedLocalizationService.LoadString(String[] normalizedKey, String originalKey, CultureInfo culture)
at EPiServer.Framework.Localization.LocalizationService.TryGetStringByCulture(String originalKey, String[] normalizedKey, CultureInfo culture, String& localizedString)
at EPiServer.Framework.Localization.LocalizationService.TryGetStringByCulture(String resourceKey, CultureInfo culture, String& localizedString)
at EPiBootstrapArea.Initialization.RegisterDisplayModesInitModule.RegisterDisplayOptions()
at EPiServer.Framework.Initialization.ModuleNode.Execute(Action a, String key)
at EPiServer.Framework.Initialization.InitializationEngine.InitializeModules()
I think it's a matter of thread safety? The exception hits over and over again, until the site finally comes back to life.
foreach (var mode in modes)
{
    // is modes modified here by another thread?
}
// Mathias
These display modes are ignored in content area renderer:
ConfigurationContext.Setup(ctx =>
{
    ctx.CustomDisplayOptions.Add<One12thDisplayOption>()
        .Add<One6thDisplayOption>()
        .Add(new DisplayModeFallback
        {
            Name = "Full width (1/1)",
            Tag = ContentAreaTags.FullWidth,
            LargeScreenWidth = 12,
            MediumScreenWidth = 12,
            SmallScreenWidth = 12,
            ExtraSmallScreenWidth = 12,
            Icon = "epi-icon__layout--full"
        });
});
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
"Is it possible to set the default DisplayOption for Block from inside the Block model, like you can do with the Additional Styles? It would be handy when migrating from another renderer with DisplayOption already set into Block."
Q: what do you think - who would win if you are dropping block with display option (DO1) set via attribute, having also override in method (DO2) into the content area with default display option set to DO3?
A: Tough one. The most inner/specific setting (DO2) should be the winner?
Dojo core is a powerful, lightweight library that makes common tasks quicker and easier. Animate elements, manipulate the DOM, and query with easy CSS syntax, all without sacrificing performance.
Library home page: https://registry.npmjs.org/dojo/-/dojo-1.9.4.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/intern-geezer/node_modules/dojo/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Fix potential XSS vulnerability. Since this is in a DOH test that isn't used anymore nor run automatically, the threat is minimal.
Publish Date: 2018-09-26
URL: WS-2018-0168
Type: Change files
Origin: dojo/dojo@9117ffd
Release Date: 2018-08-10
Fix Resolution: Replace or update the following files: i18nExhaustive.js, unit.html, test-instructions.md
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_41c0e688-d421-4ea5-a1a5-8c862992cfd1/20190702203750_36821/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_41c0e688-d421-4ea5-a1a5-8c862992cfd1/20190702203750_36821/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: bc457a9f9b325b3aac41f3b4fa094e51c068820b
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Publish Date: 2019-05-30
URL: WS-2019-0103
Type: Upgrade version
Origin: handlebars-lang/handlebars.js@edc6220
Release Date: 2019-05-30
Fix Resolution: 4.0.13
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
Publish Date: 2019-04-30
URL: WS-2019-0064
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/755/versions
Release Date: 2019-04-30
Fix Resolution: 1.0.6-2,4.0.14,4.1.2
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
Type: Upgrade version
Origin: mishoo/UglifyJS@905b601
Release Date: 2017-01-31
Fix Resolution: v2.4.24
JavaScript parser, mangler/compressor and beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.4.24
Advanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fstream/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.
Publish Date: 2019-05-23
URL: WS-2019-0100
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/886
Release Date: 2019-05-23
Fix Resolution: 1.0.12
It would be great if default width of the block could be added for content area. The setting could be configured through an attribute on the content area property like:
[DefaultDisplayMode("one-third")]
public virtual ContentArea ContentArea { get; set; }
If "one-third" does not exist, fallback to full width.
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Publish Date: 2017-01-23
URL: CVE-2015-8860
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8860
Release Date: 2017-01-23
Fix Resolution: 2.0.0
If ContentArea is rendered in Language A and contains item B, that does not have translation in target language A, you will get null reference exception.
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
I'm trying to get the block index and selected display option for a block, but the block index always returns -1 and GetDisplayOption() returns an empty string.
I'm using the HTML helpers in the view, like so:
@Html.GetDisplayOption(Model)
@Html.BlockIndex()
Any idea why this is?
I'm using Episerver 11.13.2.
var tagExists = itemInfos.Any(ii => !string.IsNullOrEmpty(ii.Tag));
if (!tagExists)
{
    base.RenderContentAreaItems(htmlHelper, items);
    return;
}
Hey Valdis,
Was running on version 4.0.1; upgrading to the latest 4.3 makes some init modules fail.
missing objects:
DisplayModeFallbackProviderInitModule
SwapRendererInitModule
RowSupportEnabled
AutoAddRow
...For()
.Use()
.SetProperty(i => i.RowSupportEnabled = false)
.SetProperty(i => i.AutoAddRow = false));
Sorry, asking before looking for answers. Stressed
Also, are any of these breaking changes?
Regards Luc
I upgraded this module to version 5.2 for EPI 11 and initialized it using the article below.
https://github.com/valdisiljuconoks/EPiBootstrapArea/blob/master/README.md#available-configuration-options
I set the properties below to false, but it is still adding the row class on each ContentArea.
ctx.RowSupportEnabled = false;
ctx.AutoAddRow = false;
Please provide any insight on this.
Thanks
Ravindra
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
...
[DefaultDisplayOptionForTag("...", "...")]
public virtual ContentArea MyContentArea { get; set; }
A utility library delivering consistency, customization, performance, & extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
When using your renderer in edit mode, all form elements are nicely wrapped in row elements and it works beautifully. Once not in edit mode, those rows are gone and I cannot find a way to enable them anymore. I tried applying rowsupport specifically on the field that contains the form:
@Html.PropertyFor(m => m.MainContentArea, new { rowsupport = true })
But that wraps the entire form in a row, breaking my layout. It does nothing with the form elements. I tried playing with the global settings to no success. Only use this feature on forms right now, so I can't turn it on everywhere yet because my blocks do not support bootstrap layouts. Any ideas?
Missing translations for registered display options. Should display English ones does not exist in resources.
We used EPiBootstrapArea on an EPi 10 project.
I guess we have a special case that does not play well with this NuGet package, at least in the current version. We are using our custom renderer as ContentAreaRenderer in the Initialization, and the EPiBootstrapArea renderer was only used on Forms (overridden forms ascx in Views/Shared/ElementBlocks).
When we updated to EPi 11 and this NuGet package, the EPiBootstrapArea renderer took over instead of our custom renderer and messed up rendering all over our site. So we had to override that, so our renderer was used as the default ContentAreaRenderer.
But then we couldn't get forms rendering to work, since @Html.RenderFormElements couldn't look up and use the EPiBootstrapArea renderer (the exception about an incorrect renderer is thrown).
We would really appreciate it if we could use this on forms only, so we don't need to override ContentAreaRenderer after EPiBootstrapArea has registered its renderer for ContentAreaRenderer, and if @Html.RenderFormElements could be modified to look up the EPiBootstrapArea renderer instance differently if it is not registered as the implementation of ContentAreaRenderer.
Maybe register it as a singleton for its own type, and in RenderFormElements look it up as you do, but instead of throwing, try to look up the own type, and if that does not work, throw an exception saying that EPiBootstrapArea isn't registered in known ways?
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz
Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json
Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d
Quoteless Attributes in Templates can lead to Content Injection
Publish Date: 2015-12-14
URL: WS-2015-0003
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/61
Release Date: 2015-12-14
Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.
We're having problems with specifying a class which should only be displayed on the container if in edit mode.
By default EPiServer offers the property EditContainerClass for this purpose:
However, it seems to me that this property is swallowed by EPiBootstrapArea. Workaround is to have an if statement in the view which checks if in edit mode, if so use CssClass. CssClass seems to flow through EPiBootstrapArea correctly.
It would be nice to be able to define a custom display mode provider, and assign it to a ContentArea type so I can have only the display modes I've set up for that particular ContentArea.
@valdisiljuconoks -- when I updated to your latest version from 4.0.0 I lost the [DisplayModeFallbackProviderInitModule] decorator type attribute. I couldn't find where it might've moved in your newer versions, and it was still referenced in your readme. Help? :)
DisplayOptionProvider should be able to provide its own custom classes for any screen size.
It would be useful to be able to skip rendering the wrapper elements, and have the plugin render only the block contents.
Created as new issue apart from #29
Add support for specifying custom CSS classes for row element.
@Html.PropertyFor(m => m.MainContentArea, new { rowsupport = true, rowclass = "extra-row-class" })