CSP (Content Security Policy) Ext.js 4.2 issue - extjs

I am getting a security risk issue when using extjs within my project: specifically, eval() is flagged, and the alternative to it is using functions, which is again flagged as a risk, due to which I can't make it work.
I am attaching some errors I got before (using eval) and after (using functions).
Please suggest alternatives as using unsafe-eval is not the solution.
I have also tried the latest version (7.4.0) of Ext JS, but it also contains new Function() and Function.prototype.constructor.apply(), which are also blocked by CSP.
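As an added illustration (not part of the original post and not Ext JS code), the following JavaScript shows the two checks worth running before changing the library: which directive in a given Content-Security-Policy header value actually governs eval (script-src, falling back to default-src, and permissive when neither is present), and a runtime probe of the three constructs named above under whatever policy the current page enforces. The header strings are constructed for the example; the duplicate-directive rule (first occurrence wins) follows the CSP specification.

```javascript
// Added example: CSP eval checks. Not Ext JS code; header values below are constructed.

// Parse a Content-Security-Policy header value into { directiveName: [sources] }.
// Browsers ignore a directive that is repeated later in the same policy, so the
// first occurrence wins here as well.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// eval(), new Function() and friends are governed by script-src. If script-src is
// absent, default-src applies; if neither is present, eval is not restricted.
// Keyword sources such as 'unsafe-eval' are matched case-insensitively.
function allowsEval(headerValue) {
  const policy = parseCsp(headerValue);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-eval'");
}

// Runtime probe: try each construct the question lists under the page's real
// policy. In a CSP-restricted page each one throws an EvalError; in Node, which
// enforces no CSP, all three succeed.
function probeEvalConstructs() {
  const attempts = {
    'eval()': () => eval('1 + 1'),
    'new Function()': () => new Function('return 1 + 1')(),
    'Function.prototype.constructor.apply()': () =>
      Function.prototype.constructor.apply(null, ['return 1 + 1'])(),
  };
  const result = {};
  for (const [name, fn] of Object.entries(attempts)) {
    try {
      result[name] = fn() === 2 ? 'allowed' : 'unexpected result';
    } catch (e) {
      result[name] = `blocked (${e.name})`;
    }
  }
  return result;
}

// Usage (constructed policy, the kind that produces the errors described above):
const examplePolicy = "default-src 'self'; script-src 'self' https://cdn.example.com";
console.log('policy allows eval:', allowsEval(examplePolicy));
console.log(probeEvalConstructs());
```

Note that `'strict-dynamic'`, nonces and hashes do not unblock eval; only `'unsafe-eval'` (or the absence of both script-src and default-src) does, which is why a library that compiles templates with new Function() at runtime cannot be made to work under a policy like the one above without changing the library's code path.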

Related

Issue with 2sxc remove action

I have just started a new site where I am using 2sxc version 11.11.4 (started with 11.7.3 and upgraded to see if that would fix it). I have the data and views set up just like I have done on another site using version 10.25.2. On the newer version though, I'm unable to use the remove button/action. I did some searching and found a few references to adding lines to the web config file (https://github.com/2sic/2sxc/issues/1654, https://github.com/2sic/2sxc/issues/2205). I tried this and it worked great.
So, my question: will a fix be implemented for this or will we have to add these lines of code to the web config file on any site we use 2sxc on?
Also, could these lines of code affect any other DNN features, other modules, etc.?
I think you are talking about my solution here
https://github.com/2sic/2sxc/issues/2205#issuecomment-705647892
This is specific to a server where the WebDAV features have been added/enabled in Windows. I do not think it's an issue that can or will be fixed in 2sxc.
I do know that it is safe to add those two items in web.config. All it's doing is telling ASP.NET to NOT make WebDAV available in this application's (DNN's) context. I am not aware of any DNN feature or modules that need or use WebDAV. It's just something handed down from the server because it's installed, and it's causing a weird change in behavior that makes the DELETE (and other) command types get ignored (IMHO, presumably because they are handled before they get to DNN).

Specify which JavaScript engine ReactJS.NET uses

So, I know it's possible to specify a specific javascript engine with react for server side rendering. I just can't seem to find any info on it. Here's a blurb from one of their Github issues that confirms that it's possible:
Have you tried running it with the V8 engine instead? The MS one can be flakey (we had similar issues with it but much earlier on in our dev cycle). The fact it works on 3 other enviros means there has to be a difference between those and the 4th one. Could be it's got a different version of IE on the production server, for instance? Tricky one to track down, hence switching to V8 might be a quicker option.
https://github.com/reactjs/React.NET/issues/188
Anyone know how to do this? I'm seeing inconsistencies between different machines and I think (like, 90%) the cause is different JS engines being used. I'd like to lock it down so only v8 gets used so things are consistent.
You need to call .SetAllowMsieEngine(false) on your ReactJS.NET configuration. For ASP.NET 4, that's in App_Start\ReactConfig.cs by default. For ASP.NET Core, it's in the UseReact call in Startup.cs.
This will force it to use V8, or throw an exception if it fails to load V8 (rather than falling back to MSIE). The most common issue is the ClearScript.V8 directory missing from bin. This should be automatically copied across for ASP.NET 4 sites, but for ASP.NET Core you need to manually modify your build to do it (see http://reactjs.net/2016/08/protected-memory-exceptions-and-dotnet-core.html).

Camel app on Liberty - JAXB Marshalling

I'm running a Camel application on Liberty Profile server. I'm taking a message from a queue, unmarshalling, mapping then marshalling. This was working fine but now I'm getting an error that JAXBDataBinding method getContextualNamespaceMap is not found.
I think this is because there is an older version of the jar in the server libs but I don't know why it started using it.
IBM Jar: com.ibm.ws.org.apache.cxf-rt-databinding-jaxb.2.6.2_1.0.12
The issue is resolved if I switch to parent-last class loading, but it's a very hacky way to fix it and is not a great option. Any other ideas? I'm thinking some feature or other dependency in my build may have pulled this jar in.
So it does look like getContextualNamespaceMap is only available in newer versions of the org.apache.cxf-rt-databinding-jaxb JAR than what is available in Liberty.
It might be that parentLast is the best option then. (You already know how to do this, but it's documented here.) If it leads to some other issues then do follow up with another question.
I suppose it's conceivable you might be able to look at whatever is packaged within your application and try removing a set of things and picking them up from the Liberty runtime, to avoid running in parentLast mode. E.g. if you are only referencing getContextualNamespaceMap because you have other code in your app but there is some alternative path you could have gone down entirely in the Liberty-provided modules, then in theory you could be OK.
I'm not familiar enough with the code paths in the modules in the CXF or Camel "stack" to guess whether that's a real-world likelihood though.
The javaee7 feature contained a JAX-WS version that clashed with the server version. Removing the javaee7 feature has resolved this issue. It remains to be seen whether or not I will have to add it back in.

Adding ACL support to parse4cn1

I'm working on an app written in Codename One together with the parse4cn1 library, the combination of which is a real pleasure to use. However, I need support for a few things in parse4cn1 that are not implemented, most importantly ACL and was wondering if Chidiebere has any hints on how to do this (e.g. how did you implement parse4cn1 yourself - from scratch or copying the open source Parse SDK for Android)? If I manage to do something of a decent quality I will try to share back. Thanks in advance
I never got around to implementing ACLs (it's still on the TODO list). parse4cn1's interface closely resembles the Parse Android SDK interface, and I'd like it to stay that way for convenience. In this case, the interface of interest would be ParseACL, which is documented here.
The actual implementation will need to be done via REST API calls.
Things to bear in mind:
We use the Android SDK API simply for defining methods and signatures for the corresponding class in ParseACL, but do not use the SDKs for anything that can be done via REST.
By design, any calls requiring the master key will not be supported in parse4cn1 due to security considerations. If really needed, the functionality should be exposed via server-side cloud code.
Pull requests without unit tests for the added functionality or breaking existing tests will be rejected.
See also the Contributions section of the parse4cn1 github repo.
Good luck with your implementation and I hope to see a PR from you soon ;)
It was implemented from a Java port on top of the REST APIs here, but was later modified to use the SDKs to allow things like push (which are now no longer relevant).
In the past I just contributed a pull request to the project to get the fixes/features I needed. It was really easy to work with and compile.

Integrating markdown into angularjs?

I've started writing a simple app using AngularJS + NodeJS to learn more about the stack, and it appears that getting markdown to work is a bit tricky and not that well supported. I'm coming from a ruby background, and I used the redcarpet markdown library, which was pretty standard and straightforward.
I've come across the angular-markdown-directive:
Pros
Simple to setup
Uses ngSanitize to clean user-submitted markdown. This library is supported by the official Angular team.
Cons
It uses showdown under the hood, which seems to have died a while back, but small progress seems to be picking up with the new maintainer. However, it has quite a few outstanding bugs, two particular bug reports dating back to 2013 and 2014 are worrying:
(1) Underscores are apparently interpreted to be italicized (will create malformed links):
https://github.com/showdownjs/showdown/issues/96
(2) Security issue that allows XSS still not patched:
https://github.com/showdownjs/showdown/issues/57
I'm not sure if (2) will be an issue in my case, since ngSanitize may help.
There is another library called markdown-it, but this library handles markdown in Node.js instead of Angular. Also, their examples don't say much about best security practices.
--
Are there any full examples on how markdown can be securely integrated into a Node/Angular app? angular-markdown-directive seems like a good fit but has some painful problems, and most other markdown libraries are either dying/dead or they gloss over security in a production environment.
I decided to use markdown-it. It's pretty flexible; it actually allows parsing from either the server or the client, so it's up to you how and where you'd like to parse the markdown.
For me, I've opted to save the markdown text in the database and then parse the markdown on the client, and it works very well.
As for security, markdown-it comes with some built-in security measures, which is very nice. There is also a separate security module that you can use with it that offers additional features.
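The answer above leaves the "built-in security measures" unspecified. The check that matters most for XSS through markdown links is validation of the link destination before it is written into an href attribute, which is what the showdown issue cited in the question is about. The following is an added, standalone JavaScript example (not markdown-it's code, though markdown-it's default `validateLink` option performs a comparable scheme check, and not code from the original answer): it normalises a destination the way a browser would before reading its scheme, allows only an explicit set of schemes plus relative URLs, permits data: URLs for images only, and escapes both href and text when rendering. The allowed scheme list and the sample inputs are the example's own assumptions.

```javascript
// Added example: safe link rendering for client-side markdown output.
// Not markdown-it code. Assumptions: rendered HTML is inserted into a page,
// only http(s), mailto and tel links plus relative URLs are wanted, and
// data: URLs are acceptable only for base64 images.

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);
const ALLOWED_IMAGE_DATA_RE = /^data:image\/(gif|png|jpeg|webp);base64,[A-Za-z0-9+/=]+$/i;

// Normalise the destination the way a browser does before it interprets the
// scheme: percent-decode (conservative: browsers do not decode the scheme, so
// this only rejects more), drop tab/newline/CR anywhere, and trim leading and
// trailing C0 control characters and spaces.
function normalizeDestination(raw) {
  let s = String(raw);
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Undecodable percent sequences: keep the raw text and validate that.
  }
  return s.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
}

// True when the destination may be emitted as an href/src value.
function isSafeDestination(raw, { isImage = false } = {}) {
  const dest = normalizeDestination(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(dest);
  if (!m) return true; // relative path, query or fragment: no scheme to abuse
  const scheme = m[1].toLowerCase();
  if (ALLOWED_SCHEMES.has(scheme)) return true;
  if (scheme === 'data') return isImage && ALLOWED_IMAGE_DATA_RE.test(dest);
  return false; // javascript:, vbscript:, file: and anything else
}

// Escape text for use in HTML content and double-quoted attributes. Escaping '&'
// also neutralises entity-encoded schemes such as &#106;avascript: in the href.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Render a markdown link. An unsafe destination is dropped, but the visible
// text is kept so the document does not silently lose content.
function renderLink(text, dest) {
  if (!isSafeDestination(dest)) return escapeHtml(text);
  return `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`;
}

// Constructed sample destinations, the kind that arrive in user-submitted markdown.
const samples = [
  'https://example.com/docs?x=1&y=2',
  '/relative/page#section',
  'javascript:alert(1)',
  ' java\tscript:alert(1)',
  '%6Aavascript:alert(1)',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
];
for (const s of samples) console.log(JSON.stringify(s), '->', renderLink('link', s));
```

Validating the normalised form while emitting the original (escaped) string is deliberate: the browser will apply the same normalisation when it navigates, so a destination that is safe after normalisation is safe to emit, and one that is unsafe after normalisation is rejected even if it looks harmless as typed.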

Resources