Creating tables dynamically using jQuery does not work in WET v4.0.44+ #9293
Comments
Yes and that is intentional. As documented in the release note of v4.0.44, in the section "Special notes": Since v4.0.44 we patched jQuery directly, which has improved the security not just of wet-boew but also of any custom JavaScript code that leverages jQuery. If you want to discuss further, please join us at one of our weekly live support sessions from 13h to 16h Eastern time every Tuesday afternoon. You will find the meeting link here: https://github.com/wet-boew/wet-boew/wiki/WET-BOEW-Code-sprint Cheers
So you've intentionally broken jQuery and labeled it as "wontfix"? Thanks for your help. Now we are forced to fix thousands of lines of code or not upgrade WET to 4.0.44.
@adam2 it was a security patch to prevent XSS attacks. If you want, we can discuss more about your use case during one of our weekly Tuesday afternoon live support sessions. Or alternatively you can find my contact information in GCDirectory and we will coordinate a meeting to discuss further.
@adam2 I didn't see you at our weekly office hours 😞. Have you tried using a different and more recent version of jQuery to run with your custom code while keeping our patched version? I do think the data table plugin is compatible with jQuery 3.x.
Hi, I'm sorry, I've been busy with other work. For now our team is satisfied staying on WET/CDTS 4.0.43. We will have to find a new solution in the future, if the bug is not fixed in WET. This change breaks 3 applications that we know about, one of them very seriously. I'm not sure what the solution will entail, but I think we will need to override or remove the DOMPurify fix one way or another. Maybe using a more modern version of jQuery to get their XSS fix, but who knows what else that will break in WET. Hopefully we can do all this while still using CDTS. If not, the scope of the problem for us increases. Adam
For future reference to anyone viewing this bug:
This is the jQuery XSS bug which I think the WET team were trying to fix when they broke jQuery (CVE-2020-11023):
This is the commit that caused the bug:
This is the bug in DOMPurify which removes tr/td elements, where the DOMPurify people say they won't/can't fix it either:
I've just encountered this issue while upgrading to v4.0.44. In one place, I was simply able to use innerHTML instead, but this takes away much of the usability of jQuery in many other settings. I'll need to do a lot more testing. It would be great if there was some way to opt out of this, for data known to be fully sanitized, or known to not take any input from the URL or similar.
Hi, I found this workaround which is simple enough to implement on our pages. The script block has to be placed in-between the jquery.min.js script and the wet-boew.js script. Maybe you want to put it in its own script file. I tested it with IE11, Edge, Firefox and Chrome. The premise is that you use Object.defineProperty to define a getter/setter for the jQuery functions that WET-BOEW is overriding, but the setter will not let WET update the function/property. This removes most of the jQuery overrides that WET has implemented, but not all of them. You can still use DOMPurify as well, if you want to sanitize untrusted code yourself.
There are shorter methods I looked at, like using Object.assign, but that doesn't work in IE11. I also looked at
I see that there is an exception if using the wb-tables DataTables plugin. This was committed here: 581e165
I am upgrading our intranet apps from wet v4.043 to v4.0.75, both tables of class table and w-tables do not allow me to add a new row dynamically using jQuery. Any or tags are removed even if I remove class table or w-tables from the table tag. Has this issue been fixed? Thanks
this statement
generates an empty tbody
after modifying:
Then wait for wb-tables to be ready:
A row is added. I'm not sure why
I submitted a pull request.
@mercury64 your proposed fix works. Thanks
Can we also update jquery-fix to fix the following case:
Change to dataTableAllowedTag does not help to fix this case. The above proposed solution #9293 (comment) does fix this issue:

```html
<script>
(function(){
  // Keep references to the unpatched jQuery functions before WET-BOEW loads
  const jQueryOriginalFunctions = {
    append: jQuery.fn.append,
    prepend: jQuery.fn.prepend,
    before: jQuery.fn.before,
    after: jQuery.fn.after,
    replaceWith: jQuery.fn.replaceWith,
    init: jQuery.fn.init,
    html: jQuery.html
  };
  // Prevent WET-BOEW from overriding these functions without causing a TypeError in the WET-BOEW code
  Object.defineProperty(jQuery.fn, "append", {get:function(){return jQueryOriginalFunctions.append;}, set:function(){}});
  Object.defineProperty(jQuery.fn, "prepend", {get:function(){return jQueryOriginalFunctions.prepend;}, set:function(){}});
  Object.defineProperty(jQuery.fn, "before", {get:function(){return jQueryOriginalFunctions.before;}, set:function(){}});
  Object.defineProperty(jQuery.fn, "after", {get:function(){return jQueryOriginalFunctions.after;}, set:function(){}});
  Object.defineProperty(jQuery.fn, "replaceWith", {get:function(){return jQueryOriginalFunctions.replaceWith;}, set:function(){}});
  Object.defineProperty(jQuery, "html", {get:function(){return jQueryOriginalFunctions.html;}, set:function(){}});
})();
</script>
```
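The mechanism behind the workaround quoted above, as an added example that is not code from this thread, from WET-BOEW or from jQuery. Real jQuery is not loaded here, so a small stand-in `jQuery` object with a `fn` prototype is constructed, and `installSanitizingWrapper` stands in for what a sanitizing patch does (assign a wrapper over the original method); `lockMethod`, `isLocked`, `appendResult`, `prependResult` and `writableFalseThrowsUnderStrict` are names made up for this example. It shows why the workaround uses an accessor with an empty setter rather than `writable: false`: a no-op setter swallows the later assignment, whereas assigning to a non-writable data property throws a TypeError under strict mode, inside the patching code.

```javascript
// Added example, not code from WET-BOEW or jQuery. Stand-in for the part of
// jQuery the workaround touches: an object whose `fn` prototype carries the
// DOM-manipulation methods (constructed for this example).
const jQuery = { fn: {} };
jQuery.fn.append = function (html) { return "original append: " + html; };
jQuery.fn.prepend = function (html) { return "original prepend: " + html; };

// Same idea as the workaround: save references to the originals first.
const jQueryOriginalFunctions = {
  append: jQuery.fn.append,
  prepend: jQuery.fn.prepend
};

// Lock one method behind an accessor: the getter always hands back the saved
// original and the setter is a no-op, so a later `jQuery.fn.append = ...` is
// swallowed instead of raising. `configurable` is left at its default (false),
// so a later Object.defineProperty on the same name would throw instead.
function lockMethod(target, name, original) {
  Object.defineProperty(target, name, {
    get: function () { return original; },
    set: function () { /* ignore attempts to override */ },
    enumerable: true
  });
}

// Stand-in for what a sanitizing patch does: assign a wrapper over the method.
// The real patch routes the HTML through DOMPurify; this wrapper only tags it.
function installSanitizingWrapper(target, name) {
  const inner = target[name];
  target[name] = function (html) {
    return inner.call(this, "[sanitized]" + html);
  };
}

// True when the property is an accessor with a setter, i.e. it has been locked.
function isLocked(target, name) {
  const desc = Object.getOwnPropertyDescriptor(target, name);
  return typeof desc.set === "function";
}

// Lock `append` only, then let the stand-in patch try to wrap both methods.
lockMethod(jQuery.fn, "append", jQueryOriginalFunctions.append);
installSanitizingWrapper(jQuery.fn, "append");   // silently ignored
installSanitizingWrapper(jQuery.fn, "prepend");  // takes effect

function appendResult() { return jQuery.fn.append("<tr><td>x</td></tr>"); }
function prependResult() { return jQuery.fn.prepend("<tr><td>x</td></tr>"); }

// Why an accessor rather than `writable: false`: under strict mode, assigning
// to a non-writable data property throws a TypeError in the patching code.
function writableFalseThrowsUnderStrict() {
  "use strict";
  const obj = {};
  Object.defineProperty(obj, "append", { value: function () {}, writable: false });
  try {
    obj.append = function () {};
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(appendResult());   // original append: <tr><td>x</td></tr>
console.log(prependResult());  // original prepend: [sanitized]<tr><td>x</td></tr>
```

Locking a method restores its unpatched behaviour wholesale: every string passed to the locked `append` reaches the DOM exactly as given. Call sites that build markup from user-controlled data therefore have to sanitize it themselves, for instance with DOMPurify as an earlier comment suggests, before handing it to jQuery.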
I'd recommend using the DataTable API instead of appending directly onto the table. This works for what you are trying to accomplish:
Not a big JavaScript programmer, but what if we did something like this instead: in the case of DataTables, check if the tag is within the HTML, not that the HTML is equal to the tag. Could go a step further and use not "within" but "starts with"?
> "<tbody/>",
> "<tr/>",
> "<td />",
> "<td/>",
> "<tr>",
> "<td>"

The only tags that would be acceptable are tr and td. How is that the HTML tags
I realize that those tags are weird, but I left them in the code as they were already there; I didn't want to break some existing test/use case that may have prompted the authors to put those tags in. I added tr and td, and a function that checks if the tags in that list are in the html before DOMPurify sanitization.
I replaced
with
and added the new checkDataTableAllowedTags function that checks for the existence of the tag in the html instead of checking for an exact match of html = tag. Your pull request doesn't work in my case as the row.child method is appending
And that gets stripped out by DOMPurify as it doesn't match anything in dataTableAllowedTag, hence my proposed changes. Adding that full string to dataTableAllowedTag also solved my specific issue, but what else will DOMPurify break in complex dataTable processing and extensions?
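To make the difference between the checks debated in the last few comments concrete, here is an added example that is not WET-BOEW or DOMPurify code. It reimplements the exact-match check the current code is described as doing, the substring check attributed to `checkDataTableAllowedTags`, the starts-with variant floated earlier, and one stricter structural check that is my own assumption (`onlyTableRowTags`, its `ROW_TAGS` list and the regular expression are constructed for this example, as is `bypassDecisions`). The allowlist is the one quoted in the thread. The substring check accepts any fragment that merely contains `<tr>` or `<td>` somewhere, so every such fragment skips the sanitizer entirely, whereas the structural check only accepts fragments made of bare tbody/tr/td tags.

```javascript
// Added example, not WET-BOEW or DOMPurify code. The allowlist below is the
// dataTableAllowedTag content quoted in the thread.
const dataTableAllowedTag = ["<tbody/>", "<tr/>", "<td />", "<td/>", "<tr>", "<td>"];

// Exact match: the fragment must equal one allowlist entry (the check the
// thread says the current code performs).
function matchesExactly(html) {
  return dataTableAllowedTag.indexOf(html) !== -1;
}

// Substring check: the fragment contains an allowlist entry anywhere
// (what the proposed checkDataTableAllowedTags function is described as doing).
function checkDataTableAllowedTags(html) {
  return dataTableAllowedTag.some(function (tag) { return html.indexOf(tag) !== -1; });
}

// Starts-with variant floated in the same comment.
function startsWithAllowedTag(html) {
  return dataTableAllowedTag.some(function (tag) { return html.indexOf(tag) === 0; });
}

// Structural check (assumption, not from the page): every tag in the fragment
// must be a bare tbody/tr/td with no attributes; closing tags are fine.
// A regular expression is used only because this example runs without a DOM;
// in a browser, walking a parsed fragment would be the more robust choice.
const ROW_TAGS = ["tbody", "tr", "td"];
function onlyTableRowTags(html) {
  const tagRe = /<\s*\/?\s*([a-zA-Z0-9]+)([^>]*)>/g;
  let match;
  let sawTag = false;
  while ((match = tagRe.exec(html)) !== null) {
    sawTag = true;
    const name = match[1].toLowerCase();
    const rest = match[2].replace(/\/\s*$/, "").trim(); // drop a self-closing slash
    if (ROW_TAGS.indexOf(name) === -1 || rest !== "") {
      return false;
    }
  }
  return sawTag;
}

// Whether a fragment would skip the sanitizer under each policy.
function bypassDecisions(html) {
  return {
    exact: matchesExactly(html),
    contains: checkDataTableAllowedTags(html),
    startsWith: startsWithAllowedTag(html),
    structural: onlyTableRowTags(html)
  };
}

// Constructed sample fragments: a plain row, a row carrying extra markup,
// and a row with an attribute.
console.log(bypassDecisions("<tr><td>1</td><td>2</td></tr>"));
console.log(bypassDecisions("<tr><td><b>bold</b></td></tr>"));
console.log(bypassDecisions('<tr><td class="x">1</td></tr>'));
```

The second and third fragments show the trade-off: both pass the substring and starts-with checks, so neither would reach DOMPurify, while only the first fragment passes the structural check. Whichever policy is chosen, the fragments that skip the sanitizer are exactly the ones the application must guarantee contain no user-controlled markup.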
Hi,
I've found a bug in WET v4.0.44+. I initially reported this bug to the CDTS group, but I can reproduce it using standard WET files as well.
wet-boew/cdts-sgdc#434
The issue is that when using jQuery to dynamically create an HTML table, it doesn't work in WET 4.0.44+. Some "tr" and "td" elements you would expect to be added are not being added. It's as if the jQuery append function isn't working properly, or something is stripping those elements from the DOM after they are added. It is difficult to explain, so I made a demo page which makes the problem more obvious. Please see the attached HTML file. The page is based on the WET documentation index page which is using v4.0.47.2. This bug did not exist in WET 4.0.43.
Please let me know if you have any questions.
Thanks,
Adam
wet-jquery-tables-bug.html.txt