Release 2.0.13 (#3955)

- added missing escape to prevent HTML injection
- added missing color attribute
- upgrade theme
  - use dropdown submenu if title is set, otherwise dropdown tends to get too long
  - allow to use card-table instead of card-body
  - added `required` attribute to username and password field
- fix pagination back to page 1
- prevent tag name too long
- re-add missing user preferences link

assets/js/forms/KimaiFormSelect.js

@@ -115,18 +115,24 @@ export default class KimaiFormSelect extends KimaiFormPlugin {
         if (node.dataset['renderer'] !== undefined && node.dataset['renderer'] === 'color') {
             options.render = {...render, ...{
                 option: function(data, escape) {
-                    let color = data.value;
+                    let item = '<div class="list-group-item border-0 p-1 ps-2 text-nowrap">';
                     if (data.color !== undefined) {
-                        color = data.color;
+                        item += '<span style="background-color:' + data.color + '" class="color-choice-item">&nbsp;</span>';
+                    } else {
+                        item += '<span class="color-choice-item">&nbsp;</span>';
                     }
-                    return '<div class="list-group-item border-0 p-1 ps-2 text-nowrap"><span style="background-color:' + color + '" class="color-choice-item">&nbsp;</span>' + escape(data.text) + '</div>';
+                    item += escape(data.text) + '</div>';
+                    return item;
                 },
                 item: function(data, escape) {
-                    let color = data.value;
+                    let item = '<div class="text-nowrap">';
                     if (data.color !== undefined) {
-                        color = data.color;
+                        item += '<span style="background-color:' + data.color + '" class="color-choice-item">&nbsp;</span>';
+                    } else {
+                        item += '<span class="color-choice-item">&nbsp;</span>';
                     }
-                    return '<div class="text-nowrap"><span style="background-color:' + color + '" class="color-choice-item">&nbsp;</span>' + escape(data.text) + '</div>';
+                    item += escape(data.text) + '</div>';
+                    return item;
                 }
             }};
         } else {

assets/js/forms/KimaiTeamForm.js

@@ -65,18 +65,20 @@ export default class KimaiTeamForm extends KimaiFormPlugin {
      */
     _createMember(option)
     {
+        /** @type {KimaiEscape} ESCAPER */
+        const ESCAPER = this.getPlugin('escape');
         const prototype = this._getPrototype();
         let counter = prototype.dataset['widgetCounter'] || prototype.childNodes.length;
         let newWidget = prototype.dataset['prototype'];
 
         newWidget = newWidget.replace(/__name__/g, counter);
 
         newWidget = newWidget.replace(/#000000/g, KimaiColor.calculateContrastColor(option.dataset.color));
-        newWidget = newWidget.replace(/__DISPLAY__/g, option.dataset.display);
+        newWidget = newWidget.replace(/__DISPLAY__/g, ESCAPER.escapeForHtml(option.dataset.display));
         newWidget = newWidget.replace(/__COLOR__/g, option.dataset.color);
-        newWidget = newWidget.replace(/__INITIALS__/g, option.dataset.initials);
-        newWidget = newWidget.replace(/__TITLE__/g, option.dataset.title);
-        newWidget = newWidget.replace(/__USERNAME__/g, option.text);
+        newWidget = newWidget.replace(/__INITIALS__/g, ESCAPER.escapeForHtml(option.dataset.initials));
+        newWidget = newWidget.replace(/__TITLE__/g, ESCAPER.escapeForHtml(option.dataset.title));
+        newWidget = newWidget.replace(/__USERNAME__/g, ESCAPER.escapeForHtml(option.text));
 
         prototype.dataset['widgetCounter'] = (++counter).toString();
 

assets/js/plugins/KimaiToolbar.js

@@ -163,7 +163,12 @@ export default class KimaiToolbar extends KimaiPlugin {
             event.preventDefault();
             event.stopPropagation();
             let urlParts = target.href.split('/');
-            pager.value = urlParts[urlParts.length-1];
+            let pageNumber = urlParts[urlParts.length - 1];
+            // page number usually is the default value and is therefor missing from the URL
+            if (!/\d/.test(pageNumber)) {
+                pageNumber = 1;
+            }
+            pager.value = pageNumber;
             pager.dispatchEvent(new Event('change'));
             document.dispatchEvent(new Event('pagination-change'));
             return false;

composer.json

@@ -34,7 +34,7 @@
         "friendsofsymfony/rest-bundle": "^3.0",
         "gedmo/doctrine-extensions": "^3.6",
         "jms/serializer-bundle": "^5.0",
-        "kevinpapst/tabler-bundle": "dev-main",
+        "kevinpapst/tabler-bundle": "^0.14",
         "league/csv": "^9.4",
         "mpdf/mpdf": "^8.0",
         "nelmio/api-doc-bundle": "^4.0",

phpstan.neon

@@ -1310,41 +1310,11 @@ parameters:
             count: 1
             path: src/Controller/Reporting/ProjectViewController.php
 
-        -
-            message: "#^Cannot call method modify\\(\\) on DateTime\\|null\\.$#"
-            count: 4
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
-        -
-            message: "#^Cannot clone non\\-object variable \\$start of type DateTime\\|null\\.$#"
-            count: 3
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
         -
             message: "#^Method App\\\\Controller\\\\Reporting\\\\ReportUsersMonthController\\:\\:getData\\(\\) return type has no value type specified in iterable type array\\.$#"
             count: 1
             path: src/Controller/Reporting/ReportUsersMonthController.php
 
-        -
-            message: "#^Parameter \\#1 \\$begin of class App\\\\Model\\\\DailyStatistic constructor expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
-        -
-            message: "#^Parameter \\#1 \\$begin of method App\\\\Timesheet\\\\TimesheetStatisticService\\:\\:getDailyStatistics\\(\\) expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
-        -
-            message: "#^Parameter \\#2 \\$end of class App\\\\Model\\\\DailyStatistic constructor expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
-        -
-            message: "#^Parameter \\#2 \\$end of method App\\\\Timesheet\\\\TimesheetStatisticService\\:\\:getDailyStatistics\\(\\) expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/ReportUsersMonthController.php
-
         -
             message: "#^Parameter \\#3 \\$users of method App\\\\Timesheet\\\\TimesheetStatisticService\\:\\:getDailyStatistics\\(\\) expects array\\<App\\\\Entity\\\\User\\>, iterable\\<App\\\\Entity\\\\User\\> given\\.$#"
             count: 1
@@ -1385,51 +1355,11 @@ parameters:
             count: 1
             path: src/Controller/Reporting/ReportUsersYearController.php
 
-        -
-            message: "#^Cannot call method modify\\(\\) on DateTime\\|null\\.$#"
-            count: 4
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Cannot clone non\\-object variable \\$start of type DateTime\\|null\\.$#"
-            count: 3
-            path: src/Controller/Reporting/UserMonthController.php
-
         -
             message: "#^Method App\\\\Controller\\\\Reporting\\\\UserMonthController\\:\\:getData\\(\\) return type has no value type specified in iterable type array\\.$#"
             count: 1
             path: src/Controller/Reporting/UserMonthController.php
 
-        -
-            message: "#^Parameter \\#1 \\$begin of class App\\\\Model\\\\DailyStatistic constructor expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Parameter \\#1 \\$begin of method App\\\\Controller\\\\Reporting\\\\AbstractUserReportController\\:\\:prepareReport\\(\\) expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Parameter \\#2 \\$end of class App\\\\Model\\\\DailyStatistic constructor expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Parameter \\#2 \\$end of method App\\\\Controller\\\\Reporting\\\\AbstractUserReportController\\:\\:prepareReport\\(\\) expects DateTime, DateTime\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Parameter \\#3 \\$user of class App\\\\Model\\\\DailyStatistic constructor expects App\\\\Entity\\\\User, App\\\\Entity\\\\User\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
-        -
-            message: "#^Parameter \\#3 \\$user of method App\\\\Controller\\\\Reporting\\\\AbstractUserReportController\\:\\:prepareReport\\(\\) expects App\\\\Entity\\\\User, App\\\\Entity\\\\User\\|null given\\.$#"
-            count: 1
-            path: src/Controller/Reporting/UserMonthController.php
-
         -
             message: "#^Method App\\\\Controller\\\\Reporting\\\\UserWeekController\\:\\:getData\\(\\) return type has no value type specified in iterable type array\\.$#"
             count: 1