mvc: stream output not properly cleansed when used in widget.
Since we sanitize api output to the webgui by default, for consistency we should probably do the same when handing streamed data.
Move htmlspecialchars() to Response class to increase readability and, similar to array data, always assume the browser requires escaped data by default.
reported by: Stanislav Fort of Aisle Research
(cherry picked from commit afdeafea59237c10008b6824a421cb065d3a7113)
(cherry picked from commit 14b70ccfec31b22f7dc679c2a0b6c3667a3df90c)
System: High Availability - missed a spot in restartAllAction() to properly check request type.
reported by: Stanislav Fort of Aisle Research
(cherry picked from commit 776ada6493330c65b3b740e9d0ebdd18695f05e8)
firewall: small regression in https://github.com/opnsense/core/commit/7fe2d72f48f723ebdc0e6a2f2a8af0ae93cde1aa, keep pagination when navigation isn't rendered
While this is somewhat unintuitive, the default mode for UIBootgrid
is to always expect pagination request parameters. If navigation is
turned off, these are simply set to null so all results are returned.
The previous commit broke the data fetch for cases where the navigation
was turned off (i.e. local and remote auth for ipsec connections).
The firewall live log is an exception here, as this table is fully
managed with custom logic and therefore doesn't need to use the
default request parameters.
mvc: stream output not properly cleansed when used in widget.
Since we sanitize api output to the webgui by default, for consistency we should probably do the same when handing streamed data.
Move htmlspecialchars() to Response class to increase readability and, similar to array data, always assume the browser requires escaped data by default.
reported by: Stanislav Fort of Aisle Research
Services: Captive Portal - various (style) cleanups
o slightly refactor strip_template.py including our exclude.list to skip library files and internal files.
o replace htdocs_default directory references to use relative paths
o change ServiceController to implement our standard ApiMutableServiceControllerBase and add missing status call
o array() -> [] style fixes
o add jquery-3.5.1.min.js into htdocs_default, keep legacy version for existing templates
(cherry picked from commit d8519a06a8a5b4fd3dd7991ef33d833163dcfff6)
(cherry picked from commit 93f480ccc91a2af8eed0901f171c802e336606e9)
(cherry picked from commit d35f434957d92154623815407a63d59aabd40a6b)
(cherry picked from commit f12340e67af841d60c06933487da27bbf7678fa0)
firewall/automation: Remove rowselect from internal and dataTree (#9173)
* firewall/automation: Toggle rowSelect checkbox off when TreeView is enabled
* Add tabulator rowFormatter and centralize all classes that interact with full rows. Remove onRendered from all cell specific formatters. Hide rowselect checkbox for internal rules as well.
(cherry picked from commit 36b8abff4cff402f1952cf016279aa7ff37cc60e)
mvc: slightly improve replaceInputWithSelector() to support an empty placeholder, which should help for https://github.com/opnsense/core/pull/9158
This change uses a token for the single/manual input, in which case callers may use definitions like:
    ......
    'networks' => [
        'label' => gettext("Networks"),
        'items' => [
            '' => gettext('any'),
            '(self)' => gettext("This Firewall")
        ]
    ]
    .....
When empty is offered, "any" will be chosen in this case. In theory we could change the filter model as well as "any" has no functional meaning anyway, but for simplicity this only changes the javascript part.
(cherry picked from commit 4d3ea7a6e9a553c91114643f9dafdf8fc1c8456e)
bootgrid: simplify custom grid command additions a bit
specifically, the only way to make this work was to capture all
events on a parent element, which isn't all that intuitive. Since
the buttons are still being detached and moved somewhere else,
it is possible for events bound directly after Bootgrid instantiation
to be lost (there is no element to bind to). Therefore, these
events need to be set either before
the Bootgrid exists, or after the 'load.rs.jquery.bootgrid' phase
(cherry picked from commit f8b9a901b136afe1a7cfda46313d75addb3a918f)