Fork Sync Branch 17.0-dev

README.md

@@ -41,7 +41,7 @@ addon | version | maintainers | summary
 [web_search_with_and](web_search_with_and/) | 17.0.1.0.0 |  | Use AND conditions on omnibar search
 [web_theme_classic](web_theme_classic/) | 17.0.1.0.0 | [![legalsylvain](https://github.com/legalsylvain.png?size=30px)](https://github.com/legalsylvain) | Contrasted style on fields to improve the UI.
 [web_time_range_menu_custom](web_time_range_menu_custom/) | 17.0.1.0.0 |  | Web Time Range Menu Custom
-[web_timeline](web_timeline/) | 17.0.1.0.1 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time
+[web_timeline](web_timeline/) | 17.0.1.0.3 | [![tarteo](https://github.com/tarteo.png?size=30px)](https://github.com/tarteo) | Interactive visualization chart to show events in time
 [web_tree_dynamic_colored_field](web_tree_dynamic_colored_field/) | 17.0.1.0.0 |  | Allows you to dynamically color fields on tree views
 [web_tree_many2one_clickable](web_tree_many2one_clickable/) | 17.0.1.0.0 |  | Open the linked resource when clicking on their name
 [web_widget_bokeh_chart](web_widget_bokeh_chart/) | 17.0.1.0.0 | [![LoisRForgeFlow](https://github.com/LoisRForgeFlow.png?size=30px)](https://github.com/LoisRForgeFlow) [![ChrisOForgeFlow](https://github.com/ChrisOForgeFlow.png?size=30px)](https://github.com/ChrisOForgeFlow) | This widget allows to display charts using Bokeh library.

web_time_range_menu_custom/i18n/es.po

@@ -57,31 +57,3 @@ msgstr "Semana"
 #, python-format
 msgid "Year"
 msgstr "Año"
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "day"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "month"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "week"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "year"
-msgstr ""

web_time_range_menu_custom/i18n/it.po

@@ -58,30 +58,18 @@ msgstr "Settimana"
 msgid "Year"
 msgstr "Anno"
 
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
 #, python-format
-msgid "day"
-msgstr "giorno"
+#~ msgid "day"
+#~ msgstr "giorno"
 
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
 #, python-format
-msgid "month"
-msgstr "mese"
+#~ msgid "month"
+#~ msgstr "mese"
 
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
 #, python-format
-msgid "week"
-msgstr "settimana"
+#~ msgid "week"
+#~ msgstr "settimana"
 
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
 #, python-format
-msgid "year"
-msgstr "anno"
+#~ msgid "year"
+#~ msgstr "anno"

web_time_range_menu_custom/i18n/web_time_range_menu_custom.pot

@@ -54,31 +54,3 @@ msgstr ""
 #, python-format
 msgid "Year"
 msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "day"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "month"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "week"
-msgstr ""
-
-#. module: web_time_range_menu_custom
-#. odoo-javascript
-#: code:addons/web_time_range_menu_custom/static/src/xml/date_selector.xml:0
-#, python-format
-msgid "year"
-msgstr ""

web_timeline/README.rst

@@ -7,7 +7,7 @@ Web timeline
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956
+   !! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png
@@ -133,12 +133,12 @@ render the timeline items. You have to name the template
 'timeline-item'. These are the variables available in template
 rendering:
 
--  ``record``: to access the fields values selected in the timeline
-   definition.
--  ``formatters``: used to format values (see available functions in
-   ``@web/views/fields/formatters``).
--  ``parsers``: used to parse values (see available functions in
-   ``@web/views/fields/parsers``).
+- ``record``: to access the fields values selected in the timeline
+  definition.
+- ``formatters``: used to format values (see available functions in
+  ``@web/views/fields/formatters``).
+- ``parsers``: used to parse values (see available functions in
+  ``@web/views/fields/parsers``).
 
 You also need to declare the view in an action window of the involved
 model.
@@ -243,20 +243,20 @@ create a new record with the dragged start and end date.
 Known issues / Roadmap
 ======================
 
--  Implement a more efficient way of refreshing timeline after a record
-   update;
--  Make ``attrs`` attribute work;
--  When grouping by m2m and more than one record is set, the timeline
-   item appears only on one group. Allow showing in both groups.
--  When grouping by m2m and dragging for changing the time or the group,
-   the changes on the group will not be set, because it could make
-   disappear the records not related with the changes that we want to
-   make. When the item is showed in all groups change the value
-   according the group of the dragged item.
--  When an item label does not fit in its date-range box: ✅ the label
-   correctly overflows the box; ✅ clicking anywhere on the label allows
-   moving the box; ❌ double-clicking the label outside of the box does
-   not open that item.
+- Implement a more efficient way of refreshing timeline after a record
+  update;
+- Make ``attrs`` attribute work;
+- When grouping by m2m and more than one record is set, the timeline
+  item appears only on one group. Allow showing in both groups.
+- When grouping by m2m and dragging for changing the time or the group,
+  the changes on the group will not be set, because it could make
+  disappear the records not related with the changes that we want to
+  make. When the item is showed in all groups change the value according
+  the group of the dragged item.
+- When an item label does not fit in its date-range box: ✅ the label
+  correctly overflows the box; ✅ clicking anywhere on the label allows
+  moving the box; ❌ double-clicking the label outside of the box does
+  not open that item.
 
 Bug Tracker
 ===========
@@ -283,28 +283,28 @@ Authors
 Contributors
 ------------
 
--  Laurent Mignon <laurent.mignon@acsone.eu>
--  Adrien Peiffer <adrien.peiffer@acsone.eu>
--  Leonardo Donelli <donelli@webmonks.it>
--  Adrien Didenot <adrien.didenot@horanet.com>
--  Thong Nguyen Van <thongnv@trobz.com>
--  Murtaza Mithaiwala <mmithaiwala@opensourceintegrators.com>
--  Ammar Officewala <aofficewala@opensourceintegrators.com>
--  `Tecnativa <https://www.tecnativa.com>`__:
+- Laurent Mignon <laurent.mignon@acsone.eu>
+- Adrien Peiffer <adrien.peiffer@acsone.eu>
+- Leonardo Donelli <donelli@webmonks.it>
+- Adrien Didenot <adrien.didenot@horanet.com>
+- Thong Nguyen Van <thongnv@trobz.com>
+- Murtaza Mithaiwala <mmithaiwala@opensourceintegrators.com>
+- Ammar Officewala <aofficewala@opensourceintegrators.com>
+- `Tecnativa <https://www.tecnativa.com>`__:
 
-   -  Pedro M. Baeza
-   -  Alexandre Díaz
-   -  César A. Sánchez
-   -  Carlos López
+  - Pedro M. Baeza
+  - Alexandre Díaz
+  - César A. Sánchez
+  - Carlos López
 
--  `Onestein <https://www.onestein.nl>`__:
+- `Onestein <https://www.onestein.nl>`__:
 
-   -  Dennis Sluijk <d.sluijk@onestein.nl>
-   -  Anjeel Haria
+  - Dennis Sluijk <d.sluijk@onestein.nl>
+  - Anjeel Haria
 
--  `XCG Consulting <https://xcg-consulting.fr>`__:
+- `XCG Consulting <https://xcg-consulting.fr>`__:
 
-   -  Houzéfa Abbasbhay
+  - Houzéfa Abbasbhay
 
 Maintainers
 -----------

web_timeline/__manifest__.py

@@ -5,7 +5,7 @@
 {
     "name": "Web timeline",
     "summary": "Interactive visualization chart to show events in time",
-    "version": "17.0.1.0.1",
+    "version": "17.0.1.0.3",
     "development_status": "Production/Stable",
     "author": "ACSONE SA/NV, "
     "Tecnativa, "

web_timeline/static/description/index.html

@@ -367,7 +367,7 @@ <h1 class="title">Web timeline</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:2fb5b8c01ee5f36a21f88358b673738a05282e9cf75f10aa33d38565ecfac956
+!! source digest: sha256:8e924b9efca82a984493ec9841bfc34a73d1cff5b32a6ef01d5d8e83176bd6d2
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Production/Stable" src="https://img.shields.io/badge/maturity-Production%2FStable-green.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/web/tree/17.0/web_timeline"><img alt="OCA/web" src="https://img.shields.io/badge/github-OCA%2Fweb-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/web-17-0/web-17-0-web_timeline"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/web&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>Define a new view displaying events in an interactive visualization
@@ -623,8 +623,8 @@ <h1><a class="toc-backref" href="#toc-entry-3">Known issues / Roadmap</a></h1>
 <li>When grouping by m2m and dragging for changing the time or the group,
 the changes on the group will not be set, because it could make
 disappear the records not related with the changes that we want to
-make. When the item is showed in all groups change the value
-according the group of the dragged item.</li>
+make. When the item is showed in all groups change the value according
+the group of the dragged item.</li>
 <li>When an item label does not fit in its date-range box: ✅ the label
 correctly overflows the box; ✅ clicking anywhere on the label allows
 moving the box; ❌ double-clicking the label outside of the box does

web_timeline/static/src/views/timeline/timeline_renderer.esm.js

@@ -195,7 +195,17 @@ export class TimelineRenderer extends Component {
             // Delete an item by tapping the delete button top right
             this.options.editable.remove = true;
         }
-        this.options.xss = {disabled: true};
+        // Configure XSS filtering options to mitigate potential security risks.
+        // Disabling XSS filtering can lead to vulnerabilities, as highlighted in:
+        // - CVE-2020-28487 (https://www.cve.org/CVERecord?id=CVE-2020-28487)
+        // - https://github.com/visjs/vis-timeline/pull/840
+        // The solution is to define a whitelist of allowed HTML elements and attributes.
+        // TODO: Check if this can be removed when this PR is merged: https://github.com/visjs/vis-timeline/pull/1860
+        this.options.xss = {
+            filterOptions: {
+                whiteList: this.getXSSWhiteList(),
+            },
+        };
         this.timeline = new vis.Timeline(this.canvasRef.el, {}, this.options);
         this.timeline.on("click", this.on_timeline_click.bind(this));
         if (!this.options.onUpdate) {
@@ -210,6 +220,24 @@ export class TimelineRenderer extends Component {
             this.load_initial_data();
         });
     }
+    /**
+     * Returns the XSS whitelist for the timeline library.
+     * This is used to filter out potentially harmful HTML elements and attributes.
+     * The white list allows only specific elements and attributes to be rendered.
+     * This is important for security reasons, as it helps prevent XSS attacks.
+     * @returns {Object} The XSS white list.
+     * Key: element name; value: array of allowed attributes.
+     */
+    getXSSWhiteList() {
+        // Add more elements to the whitelist as needed.
+        return {
+            b: [],
+            div: ["class", "style"],
+            span: ["class", "name"],
+            small: ["class", "name"],
+            img: ["src", "width", "height", "alt", "loading", "class"],
+        };
+    }
 
     /**
      * Clears and draws the canvas items.