Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Updating production: new concordances #479

Merged
merged 106 commits into from
Oct 14, 2024
Merged

Updating production: new concordances #479

merged 106 commits into from
Oct 14, 2024

Conversation

acholyn
Copy link
Collaborator

@acholyn acholyn commented Oct 14, 2024

No issues reported from research team so will merge into production

acholyn added 30 commits May 3, 2024 14:17
@acholyn
adding missing update ant intro test
8e2e08f
@acholyn
fixing collation - distinguish for fragmentlinks attaching to works a…
d797701 
…nd books
@acholyn
expanding tests to check fragmentlinks
1be404b
@acholyn
changing the json for the site name (have fixed on live site)
f741bb6
@acholyn
basis for new concordance model
08b1875
@acholyn
adding makemigrations check
e47db0c
@acholyn
fixing choices
7e7d74e
@acholyn
updating conditionals so only the approved translation is shown in th…
6b0758e 
…e public view, without "approved"
@acholyn
tweaks to new concordance structure
c3f9e82
@acholyn
splitting up duplication view to several functions
092d270
@acholyn
putting new concordance in new file
08b775f
@acholyn
typo
669fcd8
@acholyn
trying to add starter values via migration
ef241fa
@acholyn
loading concordance starter values + adding to admin
383cb49
@acholyn
updating concordances to have description
8c04145
@acholyn
new form templates
1d6aa29
@acholyn
updates to model and migration
c9d2a22
@acholyn
showing old and new concordances in template
bf6d857
@acholyn
create concordances w new model + linting in forms.py
a52e039
@acholyn
updated mig + model so display_order on PartIdentifier
66b3909
@acholyn
disabling editing of Edition on PartIdentifier in admin
b46ef9e
@acholyn
only show old concordances if they exist
4c574ab
@acholyn
fixing creation with new identifier, updating update view, readding d…
7f8804a 
…eletion for old format + template updates + styling
@acholyn
fixing display of old concordances on ot details
7295aa4
@acholyn
model tests
c35b5ae
@acholyn
fixes for test and creation when [none]
c152273
@acholyn
fixing + tidying non list tests
1b2b78a
@acholyn
updating view tests
3e6360e
@acholyn
update view test (fails)
80af625
@acholyn
setting up search form
a269093
acholyn and others added 28 commits August 29, 2024 14:15
@acholyn
adding brackets to part_format if not there
8932f10
@acholyn
aesthetic, UX and form flow tweaks
0b4db2d
@acholyn
improving help text readability
a2d63e8
@acholyn
fixing new_identifier conditional
4b9a727
@acholyn
separating edition and concordance stages more
beee9e2
@acholyn
passing url params
bb7d71e
@acholyn
tidying + fixing
863ec9d
@acholyn
fixing/updating tests
6ae5b10
@tcouch
Use is_template annotation instead of property for ordering purposes
f9614f3
@tcouch
Make get_part_format a bit more robust
c5f8696
@tcouch
Styling tweaks (optional)
e2c4f8d
@tcouch
Use rem instead of pixels
9e0acf7
@tcouch
Inline list for old concordances
35e2b29
@tcouch
Fix concordance update and create new edition
69316c2
@tcouch
New identifier help text for when part_format is none
4c18be6
@tcouch
Layout tweak
e15a748
@tcouch
Merge pull request #475 from UCL/feature/new-concordances-tc-fixes
2005d1e 
Feature/new concordances tc fixes
@tcouch
Fix edition search test
772c7ae
@acholyn
adding conditional to set display order if none
a083ae7
@acholyn
Merge branch 'feature/new-concordances' of github.com:UCL/frrant into…
5dd62a0 
… feature/new-concordances
@acholyn
set pi display order based on value if empty
7d7fa39
@tcouch
Update migration to remove part_identifier meta options
7373a73
@acholyn
Merge pull request #472 from UCL/feature/new-concordances
ffb0ba3 
Feature/new concordances
@acholyn
updating help text for display order
f8a0b3c
@acholyn
tweaking migration for how concordances are displayed
8153fc6
@acholyn
tweaks to scripts
90d6405
@acholyn
fixing 404 on fetch with concordance search
fc34abb
@acholyn
Merge pull request #476 from UCL/feature/new-concordances
b7a4595 
Feature/new concordances updates
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 14, 2024
View reviewed changes
src/rard/research/views/concordance.py
)

options = empty_option + part_options
return HttpResponse(options)

Check warning

Code scanning / CodeQL

Reflected server-side cross-site scripting Medium

Cross-site scripting vulnerability due to a
user-provided value
Loading
.

Copilot Autofix AI about 1 month ago

To fix the reflected server-side cross-site scripting vulnerability, we need to escape the user-provided input before including it in the HTML response. In Django, we can use the django.utils.html.escape function to properly escape any HTML special characters in the user input.

Steps to fix:

  1. Import the escape function from django.utils.html.
  2. Use the escape function to sanitize the part.value before including it in the HTML options.
Suggested changeset 1
src/rard/research/views/concordance.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/rard/research/views/concordance.py b/src/rard/research/views/concordance.py
--- a/src/rard/research/views/concordance.py
+++ b/src/rard/research/views/concordance.py
@@ -1,2 +1,3 @@
 from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
+from django.utils.html import escape
 from django.db import DatabaseError
@@ -49,3 +50,3 @@
         [
-            f'<option value="{part.id}">{part.value}</option>'
+            f'<option value="{part.id}">{escape(part.value)}</option>'
             for part in parts
EOF
@@ -1,2 +1,3 @@
from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
from django.utils.html import escape
from django.db import DatabaseError
@@ -49,3 +50,3 @@
[
f'<option value="{part.id}">{part.value}</option>'
f'<option value="{part.id}">{escape(part.value)}</option>'
for part in parts
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
src/rard/templates/base.html
@@ -123,6 +123,8 @@

<script src="{%static 'js/ckeditor/ckeditor.js'%}"></script>

<script src="https://cdnjs.cloudflare.com/ajax/libs/fuse.js/6.4.6/fuse.min.js"></script>

Check warning

Code scanning / CodeQL

Inclusion of functionality from an untrusted source Medium

Script loaded from content delivery network with no integrity check.
@acholyn acholyn merged commit aeddfbc into production Oct 14, 2024
12 checks passed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@acholyn @tcouch