diff --git a/README.md b/README.md
index a4e76b7f6203..fd98dc6d9b98 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ addon | version | maintainers | summary
 [web_search_with_and](web_search_with_and/) | 17.0.1.0.0 | | Use AND conditions on omnibar search
 [web_theme_classic](web_theme_classic/) | 17.0.1.0.0 | [![legalsylvain](https://github.com/legalsylvain.png?size=30px)](https://github.com/legalsylvain) | Contrasted style on fields to improve the UI.
 [web_time_range_menu_custom](web_time_range_menu_custom/) | 17.0.1.0.0 | | Web Time Range Menu Custom
-[web_timeline](web_timeline/) | 17.0.1.0.1 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time
+[web_timeline](web_timeline/) | 17.0.1.0.3 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time
 [web_tree_dynamic_colored_field](web_tree_dynamic_colored_field/) | 17.0.1.0.0 | | Allows you to dynamically color fields on tree views
 [web_tree_many2one_clickable](web_tree_many2one_clickable/) | 17.0.1.0.0 | | Open the linked resource when clicking on their name
 [web_widget_bokeh_chart](web_widget_bokeh_chart/) | 17.0.1.0.0 | [![LoisRForgeFlow](https://github.com/LoisRForgeFlow.png?size=30px)](https://github.com/LoisRForgeFlow) [![ChrisOForgeFlow](https://github.com/ChrisOForgeFlow.png?size=30px)](https://github.com/ChrisOForgeFlow) | This widget allows to display charts using Bokeh library.
diff --git a/web_time_range_menu_custom/i18n/es.po b/web_time_range_menu_custom/i18n/es.po
index e0742b46ec25..46d7912217e6 100644
--- a/web_time_range_menu_custom/i18n/es.po
+++ b/web_time_range_menu_custom/i18n/es.po
@@ -57,31 +57,3 @@ msgstr "Semana" #, python-format msgid "Year" msgstr "Año" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "day" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "month" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "week" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "year" -msgstr "" diff --git a/web_time_range_menu_custom/i18n/it.po b/web_time_range_menu_custom/i18n/it.po index e985bd2435f0..3663722dbaf6 100644 --- a/web_time_range_menu_custom/i18n/it.po +++ b/web_time_range_menu_custom/i18n/it.po @@ -58,30 +58,18 @@ msgstr "Settimana" msgid "Year" msgstr "Anno" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "day" -msgstr "giorno" +#~ msgid "day" +#~ msgstr "giorno" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "month" -msgstr "mese" +#~ msgid "month" +#~ msgstr "mese" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "week" -msgstr "settimana" +#~ msgid "week" +#~ msgstr "settimana" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "year" -msgstr "anno" +#~ msgid "year" +#~ msgstr "anno" 
diff --git a/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot b/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot index ffaef2f46674..82733113350f 100644 --- a/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot +++ b/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot @@ -54,31 +54,3 @@ msgstr "" #, python-format msgid "Year" msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "day" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "month" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "week" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "year" -msgstr "" diff --git a/web_timeline/README.rst b/web_timeline/README.rst index c4b450fdc631..4f53aaec1bac 100644 --- a/web_timeline/README.rst +++ b/web_timeline/README.rst @@ -7,7 +7,7 @@ Web timeline !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956 + !! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png 
@@ -133,12 +133,12 @@ render the timeline items. You have to name the template 'timeline-item'. These are the variables available in template rendering: -- ``record``: to access the fields values selected in the timeline - definition. -- ``formatters``: used to format values (see available functions in - ``@web/views/fields/formatters``). -- ``parsers``: used to parse values (see available functions in - ``@web/views/fields/parsers``). +- ``record``: to access the fields values selected in the timeline + definition. +- ``formatters``: used to format values (see available functions in + ``@web/views/fields/formatters``). +- ``parsers``: used to parse values (see available functions in + ``@web/views/fields/parsers``). You also need to declare the view in an action window of the involved model. 
@@ -243,20 +243,20 @@ create a new record with the dragged start and end date. Known issues / Roadmap ====================== -- Implement a more efficient way of refreshing timeline after a record - update; -- Make ``attrs`` attribute work; -- When grouping by m2m and more than one record is set, the timeline - item appears only on one group. Allow showing in both groups. -- When grouping by m2m and dragging for changing the time or the group, - the changes on the group will not be set, because it could make - disappear the records not related with the changes that we want to - make. When the item is showed in all groups change the value - according the group of the dragged item. -- When an item label does not fit in its date-range box: ✅ the label - correctly overflows the box; ✅ clicking anywhere on the label allows - moving the box; ❌ double-clicking the label outside of the box does - not open that item. +- Implement a more efficient way of refreshing timeline after a record + update; +- Make ``attrs`` attribute work; +- When grouping by m2m and more than one record is set, the timeline + item appears only on one group. Allow showing in both groups. +- When grouping by m2m and dragging for changing the time or the group, + the changes on the group will not be set, because it could make + disappear the records not related with the changes that we want to + make. When the item is showed in all groups change the value according + the group of the dragged item. +- When an item label does not fit in its date-range box: ✅ the label + correctly overflows the box; ✅ clicking anywhere on the label allows + moving the box; ❌ double-clicking the label outside of the box does + not open that item. Bug Tracker =========== 
@@ -283,28 +283,28 @@ Authors Contributors ------------ -- Laurent Mignon -- Adrien Peiffer -- Leonardo Donelli -- Adrien Didenot -- Thong Nguyen Van -- Murtaza Mithaiwala -- Ammar Officewala -- `Tecnativa `__: +- Laurent Mignon +- Adrien Peiffer +- Leonardo Donelli +- Adrien Didenot +- Thong Nguyen Van +- Murtaza Mithaiwala +- Ammar Officewala +- `Tecnativa `__: - - Pedro M. Baeza - - Alexandre Díaz - - César A. Sánchez - - Carlos López + - Pedro M. Baeza + - Alexandre Díaz + - César A. Sánchez + - Carlos López -- `Onestein `__: +- `Onestein `__: - - Dennis Sluijk - - Anjeel Haria + - Dennis Sluijk + - Anjeel Haria -- `XCG Consulting `__: +- `XCG Consulting `__: - - Houzéfa Abbasbhay + - Houzéfa Abbasbhay Maintainers ----------- diff --git a/web_timeline/__manifest__.py b/web_timeline/__manifest__.py index 317535857fe9..db83468d2d52 100644 --- a/web_timeline/__manifest__.py +++ b/web_timeline/__manifest__.py @@ -5,7 +5,7 @@ { "name": "Web timeline", "summary": "Interactive visualization chart to show events in time", - "version": "17.0.1.0.1", + "version": "17.0.1.0.3", "development_status": "Production/Stable", "author": "ACSONE SA/NV, " "Tecnativa, " diff --git a/web_timeline/static/description/index.html b/web_timeline/static/description/index.html index 2cb75fe4db53..5d099eafedb0 100644 --- a/web_timeline/static/description/index.html +++ b/web_timeline/static/description/index.html @@ -367,7 +367,7 @@

Web timeline

!! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -!! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956 +!! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->

Production/Stable License: AGPL-3 OCA/web Translate me on Weblate Try me on Runboat

Define a new view displaying events in an interactive visualization @@ -623,8 +623,8 @@

Known issues / Roadmap

  • When grouping by m2m and dragging for changing the time or the group, the changes on the group will not be set, because it could make disappear the records not related with the changes that we want to -make. When the item is showed in all groups change the value -according the group of the dragged item.
  • +make. When the item is showed in all groups change the value according +the group of the dragged item.
  • When an item label does not fit in its date-range box: ✅ the label correctly overflows the box; ✅ clicking anywhere on the label allows moving the box; ❌ double-clicking the label outside of the box does
diff --git a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js
index c64000c2f9d5..916aff6afacc 100644
--- a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js
+++ b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js
@@ -195,7 +195,17 @@ export class TimelineRenderer extends Component {
 // Delete an item by tapping the delete button top right
 this.options.editable.remove = true;
 }
- this.options.xss = {disabled: true};
+ // Configure XSS filtering options to mitigate potential security risks.
+ // Disabling XSS filtering can lead to vulnerabilities, as highlighted in:
+ // - CVE-2020-28487 (https://www.cve.org/CVERecord?id=CVE-2020-28487)
+ // - https://github.com/visjs/vis-timeline/pull/840
+ // The solution is to define a whitelist of allowed HTML elements and attributes.
+ // TODO: Check if this can be removed when this PR is merged: https://github.com/visjs/vis-timeline/pull/1860
+ this.options.xss = {
+ filterOptions: {
+ whiteList: this.getXSSWhiteList(),
+ },
+ };
 this.timeline = new vis.Timeline(this.canvasRef.el, {}, this.options);
 this.timeline.on("click", this.on_timeline_click.bind(this));
 if (!this.options.onUpdate) {
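Review bot: The comment above `this.options.xss` cites the CVE but never says which data is untrusted here, and its TODO ("Check if this can be removed") can be read as permission to go back to `{disabled: true}`. I would add `// Item HTML is rendered from record field values through the 'timeline-item' template, so treat it as untrusted.` (the README describes `record` as exposing the selected field values) and reword the TODO to say that dropping this override means falling back to the library's default filter, never to `disabled: true`. The allowlist itself comes from `getXSSWhiteList()` in the next hunk (`@@ -210,6 +220,24 @@`), where `style` on `div` and `src` on `img` are the widest entries: depending on how the bundled filter treats attribute values, they may still let record content restyle an item or trigger requests to remote hosts. That method's docstring should state why each of the two is needed and that event-handler attributes and tags such as `script` or `iframe` must not be added when the list is extended. The enclosing method starts and ends outside this hunk.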
@@ -210,6 +220,24 @@ export class TimelineRenderer extends Component {
 this.load_initial_data();
 });
 }
+ /**
+ * Returns the XSS whitelist for the timeline library.
+ * This is used to filter out potentially harmful HTML elements and attributes.
+ * The white list allows only specific elements and attributes to be rendered.
+ * This is important for security reasons, as it helps prevent XSS attacks.
+ * @returns {Object} The XSS white list.
+ * Key: element name; value: array of allowed attributes.
+ */
+ getXSSWhiteList() {
+ // Add more elements to the whitelist as needed.
+ return {
+ b: [],
+ div: ["class", "style"],
+ span: ["class", "name"],
+ small: ["class", "name"],
+ img: ["src", "width", "height", "alt", "loading", "class"],
+ };
+ }
 /**
 * Clears and draws the canvas items.