From 88c16f29a19c903970e3688689ab41669186bf40 Mon Sep 17 00:00:00 2001 From: Carlos Lopez Date: Fri, 9 May 2025 08:12:11 -0500 Subject: [PATCH 1/6] [FIX] web_timeline: Enable XSS filtering with whitelist for safer HTML rendering Before this commit, XSS filtering was disabled, which could introduce potential security risks. This commit adopts a safer approach, similar to PR https://github.com/OCA/web/pull/2525. After this commit, XSS filtering is re-enabled, and a whitelist of allowed HTML elements is provided. --- .../views/timeline/timeline_renderer.esm.js | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js index c64000c2f9d5..2b0759620ce5 100644 --- a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js +++ b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js @@ -195,7 +195,17 @@ export class TimelineRenderer extends Component { // Delete an item by tapping the delete button top right this.options.editable.remove = true; } - this.options.xss = {disabled: true}; + // Configure XSS filtering options to mitigate potential security risks. + // Disabling XSS filtering can lead to vulnerabilities, as highlighted in: + // - CVE-2020-28487 (https://www.cve.org/CVERecord?id=CVE-2020-28487) + // - https://github.com/visjs/vis-timeline/pull/840 + // The solution is to define a whitelist of allowed HTML elements and attributes. + // TODO: Check if this can be removed when this PR is merged: https://github.com/visjs/vis-timeline/pull/1860 + this.options.xss = { + filterOptions: { + whiteList: this.getXSSWhiteList(), + }, + }; this.timeline = new vis.Timeline(this.canvasRef.el, {}, this.options); this.timeline.on("click", this.on_timeline_click.bind(this)); if (!this.options.onUpdate) { 
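Review bot: The `whiteList` handed to `filterOptions` replaces the sanitizer's default tag list wholesale rather than extending it, and with js-xss's default `stripIgnoreTag: false` any tag absent from `getXSSWhiteList()` is escaped into visible text (`&lt;a&gt;…`) instead of being removed, so item templates using `a`, `i`, `strong` or similar will render literally after this change. If the intent is to drop unlisted markup silently, the new object should read `this.options.xss = { filterOptions: { whiteList: this.getXSSWhiteList(), stripIgnoreTag: true } };`; either way the block comment above it should say which behaviour was chosen, e.g. `// whiteList replaces the library default list; unlisted tags are escaped, not stripped.`. The assignment is also unconditional, so any `xss` setting a caller placed on `this.options` earlier is clobbered — if that is intended, a one-line comment saying so would help. The enclosing method begins before the hunk.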
@@ -210,6 +220,23 @@ export class TimelineRenderer extends Component { this.load_initial_data(); }); } + /** + * Returns the XSS whitelist for the timeline library. + * This is used to filter out potentially harmful HTML elements and attributes. + * The white list allows only specific elements and attributes to be rendered. + * This is important for security reasons, as it helps prevent XSS attacks. + * @returns {Object} The XSS white list. + * Key: element name; value: array of allowed attributes. + */ + getXSSWhiteList() { + // Add more elements to the whitelist as needed. + return { + div: ["class", "style"], + span: ["class", "name"], + small: ["class", "name"], + img: ["src", "width", "height", "alt", "loading", "class"], + }; + } /** * Clears and draws the canvas items. From 120db8378a8b3e9d4ebb186667f2f093fbb4e7ee Mon Sep 17 00:00:00 2001 From: OCA-git-bot Date: Fri, 9 May 2025 13:38:01 +0000 Subject: [PATCH 2/6] [BOT] post-merge updates --- README.md | 2 +- web_timeline/README.rst | 76 +++++++++++----------- web_timeline/__manifest__.py | 2 +- web_timeline/static/description/index.html | 6 +- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index a4e76b7f6203..3a5877ba8754 100644 --- a/README.md +++ b/README.md 
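Review bot: The JSDoc on `getXSSWhiteList` does not say that the returned map is the complete allow-list — it fully replaces the library's default whitelist, so an override that returns only its own entries silently loses every element listed here; add a line such as `* Overrides should spread super.getXSSWhiteList() rather than return a partial map.` so extension modules do not regress the fix. It is also worth documenting that the `style` attribute allowed on `div` is, as far as I recall, still passed through js-xss's CSS value filter, and that `src` on `img` is subject to the filter's safe-URL check, so the list is not a raw pass-through of those attributes. Minor style: the comment uses both "whitelist" and "white list"; pick one. The method is complete within the hunk; the surrounding class continues outside it.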
@@ -41,7 +41,7 @@ addon | version | maintainers | summary [web_search_with_and](web_search_with_and/) | 17.0.1.0.0 | | Use AND conditions on omnibar search [web_theme_classic](web_theme_classic/) | 17.0.1.0.0 | [![legalsylvain](https://github.com/legalsylvain.png?size=30px)](https://github.com/legalsylvain) | Contrasted style on fields to improve the UI. [web_time_range_menu_custom](web_time_range_menu_custom/) | 17.0.1.0.0 | | Web Time Range Menu Custom -[web_timeline](web_timeline/) | 17.0.1.0.1 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time +[web_timeline](web_timeline/) | 17.0.1.0.2 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time [web_tree_dynamic_colored_field](web_tree_dynamic_colored_field/) | 17.0.1.0.0 | | Allows you to dynamically color fields on tree views [web_tree_many2one_clickable](web_tree_many2one_clickable/) | 17.0.1.0.0 | | Open the linked resource when clicking on their name [web_widget_bokeh_chart](web_widget_bokeh_chart/) | 17.0.1.0.0 | [![LoisRForgeFlow](https://github.com/LoisRForgeFlow.png?size=30px)](https://github.com/LoisRForgeFlow) [![ChrisOForgeFlow](https://github.com/ChrisOForgeFlow.png?size=30px)](https://github.com/ChrisOForgeFlow) | This widget allows to display charts using Bokeh library. diff --git a/web_timeline/README.rst b/web_timeline/README.rst index c4b450fdc631..ee29c86ef1dd 100644 --- a/web_timeline/README.rst +++ b/web_timeline/README.rst 
@@ -7,7 +7,7 @@ Web timeline !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956 + !! source digest: sha256:e9bbac4931e3b32fa6d5e5e89a0b6ac8486069fc8481ecdfda79714c4b2c987c !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png @@ -133,12 +133,12 @@ render the timeline items. You have to name the template 'timeline-item'. These are the variables available in template rendering: -- ``record``: to access the fields values selected in the timeline - definition. -- ``formatters``: used to format values (see available functions in - ``@web/views/fields/formatters``). -- ``parsers``: used to parse values (see available functions in - ``@web/views/fields/parsers``). +- ``record``: to access the fields values selected in the timeline + definition. +- ``formatters``: used to format values (see available functions in + ``@web/views/fields/formatters``). +- ``parsers``: used to parse values (see available functions in + ``@web/views/fields/parsers``). You also need to declare the view in an action window of the involved model. 
@@ -243,20 +243,20 @@ create a new record with the dragged start and end date. Known issues / Roadmap ====================== -- Implement a more efficient way of refreshing timeline after a record - update; -- Make ``attrs`` attribute work; -- When grouping by m2m and more than one record is set, the timeline - item appears only on one group. Allow showing in both groups. -- When grouping by m2m and dragging for changing the time or the group, - the changes on the group will not be set, because it could make - disappear the records not related with the changes that we want to - make. When the item is showed in all groups change the value - according the group of the dragged item. -- When an item label does not fit in its date-range box: ✅ the label - correctly overflows the box; ✅ clicking anywhere on the label allows - moving the box; ❌ double-clicking the label outside of the box does - not open that item. +- Implement a more efficient way of refreshing timeline after a record + update; +- Make ``attrs`` attribute work; +- When grouping by m2m and more than one record is set, the timeline + item appears only on one group. Allow showing in both groups. +- When grouping by m2m and dragging for changing the time or the group, + the changes on the group will not be set, because it could make + disappear the records not related with the changes that we want to + make. When the item is showed in all groups change the value according + the group of the dragged item. +- When an item label does not fit in its date-range box: ✅ the label + correctly overflows the box; ✅ clicking anywhere on the label allows + moving the box; ❌ double-clicking the label outside of the box does + not open that item. Bug Tracker =========== 
@@ -283,28 +283,28 @@ Authors Contributors ------------ -- Laurent Mignon -- Adrien Peiffer -- Leonardo Donelli -- Adrien Didenot -- Thong Nguyen Van -- Murtaza Mithaiwala -- Ammar Officewala -- `Tecnativa `__: +- Laurent Mignon +- Adrien Peiffer +- Leonardo Donelli +- Adrien Didenot +- Thong Nguyen Van +- Murtaza Mithaiwala +- Ammar Officewala +- `Tecnativa `__: - - Pedro M. Baeza - - Alexandre Díaz - - César A. Sánchez - - Carlos López + - Pedro M. Baeza + - Alexandre Díaz + - César A. Sánchez + - Carlos López -- `Onestein `__: +- `Onestein `__: - - Dennis Sluijk - - Anjeel Haria + - Dennis Sluijk + - Anjeel Haria -- `XCG Consulting `__: +- `XCG Consulting `__: - - Houzéfa Abbasbhay + - Houzéfa Abbasbhay Maintainers ----------- diff --git a/web_timeline/__manifest__.py b/web_timeline/__manifest__.py index 317535857fe9..8d0b497d23da 100644 --- a/web_timeline/__manifest__.py +++ b/web_timeline/__manifest__.py @@ -5,7 +5,7 @@ { "name": "Web timeline", "summary": "Interactive visualization chart to show events in time", - "version": "17.0.1.0.1", + "version": "17.0.1.0.2", "development_status": "Production/Stable", "author": "ACSONE SA/NV, " "Tecnativa, " diff --git a/web_timeline/static/description/index.html b/web_timeline/static/description/index.html index 2cb75fe4db53..b7d8805c76ed 100644 --- a/web_timeline/static/description/index.html +++ b/web_timeline/static/description/index.html @@ -367,7 +367,7 @@

Web timeline

!! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -!! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956 +!! source digest: sha256:e9bbac4931e3b32fa6d5e5e89a0b6ac8486069fc8481ecdfda79714c4b2c987c !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->

Production/Stable License: AGPL-3 OCA/web Translate me on Weblate Try me on Runboat

Define a new view displaying events in an interactive visualization @@ -623,8 +623,8 @@

Known issues / Roadmap

  • When grouping by m2m and dragging for changing the time or the group, the changes on the group will not be set, because it could make disappear the records not related with the changes that we want to -make. When the item is showed in all groups change the value -according the group of the dragged item.
  • +make. When the item is showed in all groups change the value according +the group of the dragged item.
  • When an item label does not fit in its date-range box: ✅ the label correctly overflows the box; ✅ clicking anywhere on the label allows moving the box; ❌ double-clicking the label outside of the box does From 4be12292d70fd4affc2bdf45cdc34474a2b4b24e Mon Sep 17 00:00:00 2001 From: Carlos Lopez Date: Tue, 13 May 2025 05:58:57 -0500 Subject: [PATCH 3/6] [FIX] web_timeline: Add element to XSS whitelist for safer HTML rendering --- web_timeline/static/src/views/timeline/timeline_renderer.esm.js | 1 + 1 file changed, 1 insertion(+) diff --git a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js index 2b0759620ce5..916aff6afacc 100644 --- a/web_timeline/static/src/views/timeline/timeline_renderer.esm.js +++ b/web_timeline/static/src/views/timeline/timeline_renderer.esm.js @@ -231,6 +231,7 @@ export class TimelineRenderer extends Component { getXSSWhiteList() { // Add more elements to the whitelist as needed. return { + b: [], div: ["class", "style"], span: ["class", "name"], small: ["class", "name"], From 7aa82acf0c62fd14f5b3b3d0c0cf668fafa0ed96 Mon Sep 17 00:00:00 2001 From: oca-ci Date: Tue, 13 May 2025 11:25:10 +0000 Subject: [PATCH 4/6] [UPD] Update web_time_range_menu_custom.pot --- .../i18n/web_time_range_menu_custom.pot | 28 ------------------- 1 file changed, 28 deletions(-) diff --git a/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot b/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot index ffaef2f46674..82733113350f 100644 --- a/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot +++ b/web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot 
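Review bot: The new `b: []` entry allows no attributes while every sibling entry permits `class`, so if an item template writes `<b class="…">` the class is stripped and the styling silently disappears; `b: ["class"],` would match the rest of the list, if that is the intent. Since each entry here is added to satisfy a specific template, a short trailing comment naming what needs it (e.g. `b: [], // used by the default item template`) would make future pruning of the allow-list safer. The enclosing `getXSSWhiteList` method begins and ends outside the hunk.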
@@ -54,31 +54,3 @@ msgstr "" #, python-format msgid "Year" msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "day" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "month" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "week" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "year" -msgstr "" From 59b0f98b72790ef246e726243ef00d22c2f17257 Mon Sep 17 00:00:00 2001 From: OCA-git-bot Date: Tue, 13 May 2025 11:28:41 +0000 Subject: [PATCH 5/6] [BOT] post-merge updates --- README.md | 2 +- web_timeline/README.rst | 2 +- web_timeline/__manifest__.py | 2 +- web_timeline/static/description/index.html | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3a5877ba8754..fd98dc6d9b98 100644 --- a/README.md +++ b/README.md 
@@ -41,7 +41,7 @@ addon | version | maintainers | summary [web_search_with_and](web_search_with_and/) | 17.0.1.0.0 | | Use AND conditions on omnibar search [web_theme_classic](web_theme_classic/) | 17.0.1.0.0 | [![legalsylvain](https://github.com/legalsylvain.png?size=30px)](https://github.com/legalsylvain) | Contrasted style on fields to improve the UI. [web_time_range_menu_custom](web_time_range_menu_custom/) | 17.0.1.0.0 | | Web Time Range Menu Custom -[web_timeline](web_timeline/) | 17.0.1.0.2 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time +[web_timeline](web_timeline/) | 17.0.1.0.3 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time [web_tree_dynamic_colored_field](web_tree_dynamic_colored_field/) | 17.0.1.0.0 | | Allows you to dynamically color fields on tree views [web_tree_many2one_clickable](web_tree_many2one_clickable/) | 17.0.1.0.0 | | Open the linked resource when clicking on their name [web_widget_bokeh_chart](web_widget_bokeh_chart/) | 17.0.1.0.0 | [![LoisRForgeFlow](https://github.com/LoisRForgeFlow.png?size=30px)](https://github.com/LoisRForgeFlow) [![ChrisOForgeFlow](https://github.com/ChrisOForgeFlow.png?size=30px)](https://github.com/ChrisOForgeFlow) | This widget allows to display charts using Bokeh library. diff --git a/web_timeline/README.rst b/web_timeline/README.rst index ee29c86ef1dd..4f53aaec1bac 100644 --- a/web_timeline/README.rst +++ b/web_timeline/README.rst 
@@ -7,7 +7,7 @@ Web timeline !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:e9bbac4931e3b32fa6d5e5e89a0b6ac8486069fc8481ecdfda79714c4b2c987c + !! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png diff --git a/web_timeline/__manifest__.py b/web_timeline/__manifest__.py index 8d0b497d23da..db83468d2d52 100644 --- a/web_timeline/__manifest__.py +++ b/web_timeline/__manifest__.py @@ -5,7 +5,7 @@ { "name": "Web timeline", "summary": "Interactive visualization chart to show events in time", - "version": "17.0.1.0.2", + "version": "17.0.1.0.3", "development_status": "Production/Stable", "author": "ACSONE SA/NV, " "Tecnativa, " diff --git a/web_timeline/static/description/index.html b/web_timeline/static/description/index.html index b7d8805c76ed..5d099eafedb0 100644 --- a/web_timeline/static/description/index.html +++ b/web_timeline/static/description/index.html @@ -367,7 +367,7 @@

    Web timeline

    !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -!! source digest: sha256:e9bbac4931e3b32fa6d5e5e89a0b6ac8486069fc8481ecdfda79714c4b2c987c +!! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->

    Production/Stable License: AGPL-3 OCA/web Translate me on Weblate Try me on Runboat

    Define a new view displaying events in an interactive visualization From b25d9a07d288ac9a62b40847e7932d8015e59089 Mon Sep 17 00:00:00 2001 From: Weblate Date: Tue, 13 May 2025 11:28:51 +0000 Subject: [PATCH 6/6] Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: web-17.0/web-17.0-web_time_range_menu_custom Translate-URL: https://translation.odoo-community.org/projects/web-17-0/web-17-0-web_time_range_menu_custom/ --- web_time_range_menu_custom/i18n/es.po | 28 --------------------------- web_time_range_menu_custom/i18n/it.po | 28 ++++++++------------------- 2 files changed, 8 insertions(+), 48 deletions(-) diff --git a/web_time_range_menu_custom/i18n/es.po b/web_time_range_menu_custom/i18n/es.po index e0742b46ec25..46d7912217e6 100644 --- a/web_time_range_menu_custom/i18n/es.po +++ b/web_time_range_menu_custom/i18n/es.po @@ -57,31 +57,3 @@ msgstr "Semana" #, python-format msgid "Year" msgstr "Año" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "day" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "month" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "week" -msgstr "" - -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 -#, python-format -msgid "year" -msgstr "" diff --git a/web_time_range_menu_custom/i18n/it.po b/web_time_range_menu_custom/i18n/it.po index e985bd2435f0..3663722dbaf6 100644 --- a/web_time_range_menu_custom/i18n/it.po +++ b/web_time_range_menu_custom/i18n/it.po 
@@ -58,30 +58,18 @@ msgstr "Settimana" msgid "Year" msgstr "Anno" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "day" -msgstr "giorno" +#~ msgid "day" +#~ msgstr "giorno" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "month" -msgstr "mese" +#~ msgid "month" +#~ msgstr "mese" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "week" -msgstr "settimana" +#~ msgid "week" +#~ msgstr "settimana" -#. module: web_time_range_menu_custom -#. odoo-javascript -#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0 #, python-format -msgid "year" -msgstr "anno" +#~ msgid "year" +#~ msgstr "anno"