valdisiljuconoks / optimizely-advanced-contentarea


Optimizely content area renderer on steroids

License: Apache License 2.0

C# 77.80% PowerShell 0.19% JavaScript 1.67% CSS 5.86% HTML 10.85% ASP.NET 3.63%
optimizely optimizely-cms optimizely-commerce bootstrap twitter

optimizely-advanced-contentarea's Issues

BootstrapAwareContentAreaRenderer is not thread safe

In the initialization the BootstrapAwareContentAreaRenderer is added as a Singleton. However, multiple threads may be calling the Render() method. The Render method may change the class's properties, such as the ContentAreaTag.
This becomes an intermittent error where sometimes the ContentArea items are displayed with the wrong template because the template controller uses the wrong tag.

To reproduce the error locally, I used JMeter to hit my site with multiple threads. I have a ContentArea that is sometimes rendered with a tag and sometimes without the tag.
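As an added illustration (not the project's own code) of the race this issue describes: a hypothetical minimal renderer that stores the current tag in an instance property, beside a variant that passes the tag with each call, and a small concurrent harness that counts how often the shared-state version renders an item with another request's tag. Class names, the tag values and the Render signature are invented for the example.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-in for a singleton renderer that keeps per-request state
// (the tag of the ContentArea being rendered) in an instance property.
// Two requests rendering at the same time overwrite each other's tag.
public class SharedStateRenderer
{
    public string ContentAreaTag { get; set; }

    public string Render(string contentAreaName, string tag)
    {
        ContentAreaTag = tag;      // written to shared instance state per request
        Thread.Sleep(1);           // simulates work between the write and the read (template lookup etc.)
        return RenderItem(contentAreaName);
    }

    // The item/template step reads the tag back from the shared instance, not from the call.
    private string RenderItem(string contentAreaName) =>
        $"{contentAreaName}:{ContentAreaTag ?? "(none)"}";
}

// Same behaviour with no per-request state on the singleton: the tag travels with the call,
// so concurrent Render() calls cannot observe each other's values.
public class StatelessRenderer
{
    public string Render(string contentAreaName, string tag)
    {
        Thread.Sleep(1);
        return RenderItem(contentAreaName, tag);
    }

    private static string RenderItem(string contentAreaName, string tag) =>
        $"{contentAreaName}:{tag ?? "(none)"}";
}

public static class Program
{
    // Runs `iterations` renders in parallel, alternating between a tagged and an untagged
    // ContentArea, and counts outputs that came back with a tag other than the one requested.
    private static int CountMismatches(Func<string, string, string> render, int iterations)
    {
        int mismatches = 0;
        Parallel.For(0, iterations, i =>
        {
            string requestedTag = i % 2 == 0 ? "sidebar" : null;   // constructed sample tags
            string expected = $"area{i}:{requestedTag ?? "(none)"}";
            string output = render("area" + i, requestedTag);
            if (output != expected)
            {
                Interlocked.Increment(ref mismatches);
            }
        });
        return mismatches;
    }

    public static void Main()
    {
        var shared = new SharedStateRenderer();
        var stateless = new StatelessRenderer();

        // The shared-state renderer typically reports a non-zero count under load,
        // which is the intermittent "wrong template" symptom; the stateless one reports 0.
        Console.WriteLine($"shared-state renderer mismatches: {CountMismatches(shared.Render, 2000)}");
        Console.WriteLine($"stateless renderer mismatches:    {CountMismatches(stateless.Render, 2000)}");
    }
}
```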

WS-2018-0590 (High) detected in diff-1.1.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.1.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.1.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/diff/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • diff-1.1.0.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2019-06-11

URL: WS-2018-0590

CVSS 2 Score Details (7.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: kpdecker/jsdiff@2aec429

Release Date: 2019-06-11

Fix Resolution: 3.5.0


Step up your Open Source Security Game with WhiteSource here

CVE-2015-8858 (High) detected in uglify-js-2.3.6.tgz

CVE-2015-8858 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8858

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.6.0


multiselect for screen sizes

Would it be possible to have more selections for screen sizes? Something like:

Display on large screen as: Display options
Display on medium screen as: Display options
Display on small screen as: Display options
Display on extra small screen as: Display options

That way we could gain more control over how to fallback on smaller views. What do you think?

Specify the default display option globally

I am looking for a simple way to set the display mode globally to a custom mode that disables the layout features. I have a need to do this since adding the current default messes up the design of our site, and it will take time to rework components to support it. In the meantime we want to opt-in to using the layout features one place at a time. The only way I could think of doing this was adding a "none" option that does not have any css class patterns, and I simply want to make it the default everywhere if possible. Any ideas how this can be done, or if a feature can be added?

push nuget

Can we push the latest and greatest to nuget feed?

WS-2015-0025 (High) detected in tar-0.1.20.tgz

WS-2015-0025 - High Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

The tar module earlier than version 2.0.0 allows archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

Publish Date: 2015-11-03

URL: WS-2015-0025

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/57

Release Date: 2015-11-03

Fix Resolution: Update to a version 2.0.0 or greater


RegisterDisplayModesInitModule: System.InvalidOperationException: Collection was modified; enumeration operation may not execute

There is sometimes an InvalidOperationException inside the RegisterDisplayModesInitModule.

2015-04-08 11:27:58,614 [1] ERROR EPiServer.Framework.Initialization.InitializationEngine: Initialize action failed for Initialize on class EPiBootstrapArea.Initialization.RegisterDisplayModesInitModule, EPiBootstrapArea, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null
System.InvalidOperationException: Collection was modified; enumeration operation may not execute.
at System.Collections.Generic.List`1.Enumerator.MoveNextRare()
at EPiServer.Framework.Localization.ProviderBasedLocalizationService.LoadString(String[] normalizedKey, String originalKey, CultureInfo culture)
at EPiServer.Framework.Localization.LocalizationService.TryGetStringByCulture(String originalKey, String[] normalizedKey, CultureInfo culture, String& localizedString)
at EPiServer.Framework.Localization.LocalizationService.TryGetStringByCulture(String resourceKey, CultureInfo culture, String& localizedString)
at EPiBootstrapArea.Initialization.RegisterDisplayModesInitModule.RegisterDisplayOptions()
at EPiServer.Framework.Initialization.ModuleNode.Execute(Action a, String key)
at EPiServer.Framework.Initialization.InitializationEngine.InitializeModules()

I think it's a matter of thread safety? The exception hits over and over again, until the site finally comes back to life.

foreach (var mode in modes)
{
// is modes modified here by another thread?
}

// Mathias

Custom registered display options are not available in content area renderer

These display modes are ignored in the content area renderer:

ConfigurationContext.Setup(ctx =>
{
    ctx.CustomDisplayOptions.Add<One12thDisplayOption>()
        .Add<One6thDisplayOption>()
        .Add(new DisplayModeFallback
        {
            Name = "Full width (1/1)",
            Tag = ContentAreaTags.FullWidth,
            LargeScreenWidth = 12,
            MediumScreenWidth = 12,
            SmallScreenWidth = 12,
            ExtraSmallScreenWidth = 12,
            Icon = "epi-icon__layout--full"
        });
});

WS-2015-0017 (Medium) detected in uglify-js-2.3.6.tgz

WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later


Add support to specify default display options from within the block

"Is it possible to set the default DisplayOption for Block from inside the Block model, like you can do with the Additional Styles? It would be handy when migrating from another renderer with DisplayOption already set into Block."

Q: what do you think - who would win if you are dropping block with display option (DO1) set via attribute, having also override in method (DO2) into the content area with default display option set to DO3?

A: Tough one. The most inner/specific setting (DO2) should be the winner?

WS-2018-0168 (Medium) detected in dojo-1.9.4.tgz

WS-2018-0168 - Medium Severity Vulnerability

Vulnerable Library - dojo-1.9.4.tgz

Dojo core is a powerful, lightweight library that makes common tasks quicker and easier. Animate elements, manipulate the DOM, and query with easy CSS syntax, all without sacrificing performance.

Library home page: https://registry.npmjs.org/dojo/-/dojo-1.9.4.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/intern-geezer/node_modules/dojo/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • dojo-1.9.4.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Fix potential XSS vulnerability. Since this is in a DOH test that isn't used anymore nor run automatically, the threat is minimal.

Publish Date: 2018-09-26

URL: WS-2018-0168

CVSS 2 Score Details (4.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: dojo/dojo@9117ffd

Release Date: 2018-08-10

Fix Resolution: Replace or update the following files: i18nExhaustive.js, unit.html, test-instructions.md


WS-2019-0103 (Medium) detected in handlebars-1.3.0.tgz

WS-2019-0103 - Medium Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_41c0e688-d421-4ea5-a1a5-8c862992cfd1/20190702203750_36821/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_41c0e688-d421-4ea5-a1a5-8c862992cfd1/20190702203750_36821/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: bc457a9f9b325b3aac41f3b4fa094e51c068820b

Vulnerability Details

Handlebars.js before 4.1.0 has Remote Code Execution (RCE)

Publish Date: 2019-05-30

URL: WS-2019-0103

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: handlebars-lang/handlebars.js@edc6220

Release Date: 2019-05-30

Fix Resolution: 4.0.13


WS-2019-0064 (High) detected in handlebars-1.3.0.tgz

WS-2019-0064 - High Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Publish Date: 2019-04-30

URL: WS-2019-0064

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/755/versions

Release Date: 2019-04-30

Fix Resolution: 1.0.6-2,4.0.14,4.1.2


WS-2019-0047 (Medium) detected in tar-0.1.20.tgz

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2


WS-2015-0024 (High) detected in uglify-js-2.3.6.tgz

WS-2015-0024 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: mishoo/UglifyJS@905b601

Release Date: 2017-01-31

Fix Resolution: v2.4.24


Item container still gets rendered in CMS mode

I have something like this in the HTML head:

@Html.DisplayFor(x => x.HeadContentArea, new { HasContainer = false, HasItemContainer = false })

But the item container still gets rendered in CMS mode.

Since DIVs are invalid elements within the head element, it gets pushed to the body element.

CVE-2015-8857 (High) detected in uglify-js-2.3.6.tgz

CVE-2015-8857 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/uglify-js/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz
        • uglify-js-2.3.6.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.

Publish Date: 2017-01-23

URL: CVE-2015-8857

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24


WS-2019-0100 (Medium) detected in fstream-0.1.31.tgz

WS-2019-0100 - Medium Severity Vulnerability

Vulnerable Library - fstream-0.1.31.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-0.1.31.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fstream/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz
          • fstream-0.1.31.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12


Add default block display mode on content area

It would be great if a default width of the block could be added for a content area. The setting could be configured through an attribute on the content area property, like:

[DefaultDisplayMode("one-third")]
public virtual ContentArea ContentArea { get; set; }

If "one-third" does not exist, fallback to full width.

CVE-2015-8860 (High) detected in tar-0.1.20.tgz

CVE-2015-8860 - High Severity Vulnerability

Vulnerable Library - tar-0.1.20.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-0.1.20.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/tar/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • tar-0.1.20.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

Publish Date: 2017-01-23

URL: CVE-2015-8860

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8860

Release Date: 2017-01-23

Fix Resolution: 2.0.0


CVE-2016-10540 (High) detected in minimatch-0.3.0.tgz, minimatch-0.4.0.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-0.4.0.tgz

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • fileset-0.1.8.tgz
        • glob-3.2.11.tgz
          • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-0.4.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.4.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/fileset/node_modules/minimatch/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • fileset-0.1.8.tgz
        • minimatch-0.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.


BlockIndex and GetDisplayOption helper does not return any value

I'm trying to get the block index and selected display option for a block, but the block index always returns -1 and GetDisplayOption() returns an empty string.

I'm using the HTML helpers in the view, like so:
@Html.GetDisplayOption(Model)
@Html.BlockIndex()

Any idea why this is?

I'm using Episerver 11.13.2.

Backward compatibility

Hey Valdis,
I was running on version 4.0.1; after upgrading to the latest 4.3, some init modules fail.

missing objects:
DisplayModeFallbackProviderInitModule
SwapRendererInitModule
RowSupportEnabled
AutoAddRow

...For()
.Use()
.SetProperty(i => i.RowSupportEnabled = false)
.SetProperty(i => i.AutoAddRow = false));

Sorry, asking before looking for answers. Stressed

Also, are any of these breaking changes?

Regards Luc

CVE-2018-16487 (High) detected in lodash-2.4.2.tgz

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11


CVE-2018-3721 (Medium) detected in lodash-2.4.2.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/lodash/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • digdug-1.4.0.tgz
      • decompress-0.2.3.tgz
        • map-key-0.1.5.tgz
          • lodash-2.4.2.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5


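The vulnerability class named in the report above (prototype pollution through a deep merge), as an added example that is not code from this project, from lodash, or from the WhiteSource report: a naive recursive merge that follows a `__proto__` key into `Object.prototype`, beside a hardened merge that skips `__proto__`, `constructor` and `prototype` and only descends into own properties. The `PAYLOAD` string and the `isAdmin` property are constructed for illustration; the remedy for the reported dependency itself is the upgrade to 4.17.5 listed above.

```javascript
// Added example (not code from this project, from lodash, or from the
// WhiteSource report): a merge that is open to prototype pollution via a
// "__proto__" key, beside a hardened merge that refuses such keys.

// Keys that resolve to the prototype chain instead of an own property.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every own key of `src`, including "__proto__". For that
// key, `dst[key]` resolves to `Object.prototype`, so the recursion writes
// into the shared prototype instead of into `dst`.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened: skips the unsafe keys and only descends into plain objects that
// `dst` owns itself, so nothing reachable through the prototype chain is
// ever written.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed payload, shaped like an untrusted JSON body. JSON.parse creates
// an *own* property named "__proto__", which is what the naive merge follows.
const PAYLOAD = '{"__proto__": {"isAdmin": true}, "name": "alice"}';

// Merges the payload into an empty object with `mergeFn` and reports whether a
// fresh, unrelated object afterwards carries `isAdmin`. Any pollution is undone
// before returning so the rest of the process is unaffected.
function pollutes(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(PAYLOAD));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype: ', pollutes(safeMerge));  // false
```

The check that matters is the `hasOwnProperty` guard together with the key deny-list: a plain `Object.keys` walk only reaches `Object.prototype` because `dst["__proto__"]` is an accessor on the prototype chain, not an own property of `dst`. Reviewing any hand-written deep-merge, `defaults` or `extend` helper in a codebase for the same two guards is the practical follow-up to a report like this one, independent of the dependency upgrade.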

Add rowsupport feature to form elements

When using your renderer in edit mode, all form elements are nicely wrapped in row elements and it works beautifully. Once not in edit mode, those rows are gone and I cannot find a way to enable them anymore. I tried applying rowsupport specifically on the field that contains the form:
@Html.PropertyFor(m => m.MainContentArea, new { rowsupport = true })
But that wraps the entire form in a row, breaking my layout. It does nothing with the form elements. I tried playing with the global settings without success. I only use this feature on forms right now, so I can't turn it on everywhere yet because my blocks do not support bootstrap layouts. Any ideas?

Missing translations

Missing translations for registered display options. It should display the English ones if they do not exist in the resources.

Add support to only use on Forms (not override ContentAreaRenderer globally)

We used EPiBootstrapArea on an EPi 10-project.

I guess we have a special case that does not play well with this NuGet package, at least in the current version. We are using our custom renderer as ContentAreaRenderer in the initialization, and the EPiBootstrapArea renderer was only used on Forms (overridden forms ascx in Views/Shared/ElementBlocks).

When we updated to EPi 11 and this NuGet package, the EPiBootstrapArea renderer took over instead of our custom renderer and messed up rendering all over our site. So we had to override that, so that our renderer was used as the default ContentAreaRenderer.

But then we couldn't get forms rendering to work, since @Html.RenderFormElements couldn't look up and use the EPiBootstrapArea renderer (the exception about the incorrect renderer is thrown).

We would really appreciate it if we could use this on forms only, so we don't need to override ContentAreaRenderer after EPiBootstrapArea has registered its renderer as ContentAreaRenderer, and if @Html.RenderFormElements could be modified to look up EPiBootstrapArea's renderer instance differently when it is not registered as the implementation of ContentAreaRenderer.

Maybe register it as a singleton for its own type and, in RenderFormElements, look it up as you do now, but instead of throwing, try to look up its own type, and if that doesn't work either, throw an exception saying that EPiBootstrapArea isn't registered in any known way?

WS-2015-0003 (Medium) detected in handlebars-1.3.0.tgz

WS-2015-0003 - Medium Severity Vulnerability

Vulnerable Library - handlebars-1.3.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-1.3.0.tgz

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/package.json

Path to vulnerable library: /tmp/WhiteSource-ArchiveExtractor_747f4581-142b-405b-87f3-701147633521/20190625174422_45091/git_depth_0/EPiBootstrapArea/src/EPiBootstrapArea.Forms/modules/_protected/Shell/Shell/11.1.0.0/ClientResources/lib/xstyle/node_modules/handlebars/package.json

Dependency Hierarchy:

  • intern-geezer-2.2.3.tgz (Root Library)
    • istanbul-0.2.16.tgz
      • handlebars-1.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 52d4afe13ec5c110f32d28c464a838e35746114d

Vulnerability Details

Quoteless Attributes in Templates can lead to Content Injection

Publish Date: 2015-12-14

URL: WS-2015-0003

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/61

Release Date: 2015-12-14

Fix Resolution: If you are unable to upgrade to version 4.0.0 or greater you can add quotes to your attributes in your handlebar templates.



EditContainerClass does not seem to work with EPiBootstrapArea

We're having problems with specifying a class which should only be displayed on the container if in edit mode.

By default EPiServer offers the property EditContainerClass for this purpose:
`@Html.PropertyFor(x => x.MainContentArea, new { EditContainerClass = "editor-overflow-hidden" })`

However, it seems to me that this property is swallowed by EPiBootstrapArea. The workaround is to have an if statement in the view which checks whether we are in edit mode and, if so, uses CssClass. CssClass seems to flow through EPiBootstrapArea correctly.

Add custom class to "row" element

Add support for specifying custom CSS classes for row element.

@Html.PropertyFor(m => m.MainContentArea, new { rowsupport = true, rowclass = "extra-row-class" })
