Fix tests for those cases when main site and even the automated test package are named differently than upstream

Fix test for those instances that named their main site some custom value

Make test independent from server configuration (e.g. proxy redirects) by providing hardcoded values

Limit test to installed packages

CSP: add default rules for form-action and frame-ancestors

Fix behavior for site_node::exists_p when called with "/" (issue #3385)

Added documentation for parameter "-url".

Add proc ad_html_text_convertable_p as deprecated to improve backwards compatibility

The old name ad_html_text_convertable_p contained a spelling error and was replaced by ad_html_text_convertible_p.

Add remarks about "correct" usage of ad_decode in proc doc

improve spelling

improve spelling

improve spelling

Replace ad_decode idioms

Replace ad_decode idioms

CSP: add connect-src default rule

Add '-delete' flag to 'ad_parameter_cache' in 'parameter::set_value', to delete the value from cache before setting, making the value coherent amongst threads (thanks Antonio for the fix).

keep chain on session_ids in case the sessions change

Default value for "sign" in export vars should be empty, and not "0"

- relax strict error handling on export_vars_sign for the time being

Fix regression in 'if_no_rows' idiom for db_foreach, document alternative syntax, create a test for db_foreach main functionalities

- ad_set_cookie: add option "-samesite" and use it when the server supports it (NaviServer 4.99.18)

- use "-samesite strict" by default on signed cookies

Background from NaviServer commit:

ns_setcookie: add flag "-samesite" with values "strict|lax|none"

When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross-site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing contexts, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite

This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it ignore the flag silently (see https://caniuse.com/#search=samesite).

Although most cookies should probably use the flag, in order to provide backward compatibility it can't be activated by default on all cookies.
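The SameSite rules quoted in the commit message above, as an added example that is not part of the commit log or of NaviServer/OpenACS code: a small Python model that reads the SameSite attribute from a Set-Cookie value and decides whether a browser would attach the cookie to a given request. Assumptions: "clicking a regular link" is modelled as a cross-site top-level GET navigation, and the two Set-Cookie values are constructed, not captured from a server.

```python
# Added example, not NaviServer or OpenACS code: a model of the SameSite
# rules quoted in the commit message above. Assumption: "clicking a regular
# link" is modelled as a cross-site top-level GET navigation.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    cross_site: bool         # initiated from a different site than the target
    top_level: bool = False  # navigation that loads a new top-level page
    method: str = "GET"


def parse_set_cookie(header: str) -> tuple[str, str | None]:
    """Return (cookie name, lower-cased SameSite value or None)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            samesite = value.strip().lower()
    return name, samesite


def cookie_sent(samesite: str | None, req: Request,
                browser_supports_samesite: bool = True) -> bool:
    """Would the browser attach a cookie with this SameSite value to req?"""
    # Unsupporting browsers ignore the flag; same-site requests always carry it.
    if not browser_supports_samesite or not req.cross_site:
        return True
    mode = samesite or "none"   # an absent flag behaves like "none"
    if mode == "none":          # sent on every cross-site request
        return True
    if mode == "strict":        # never sent cross-site
        return False
    if mode == "lax":           # only on a regular link click (top-level GET)
        return req.top_level and req.method.upper() == "GET"
    raise ValueError(f"unknown SameSite value: {samesite!r}")


# Constructed Set-Cookie values (not captured from a real server).
SIGNED = "ad_session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
LEGACY = "ad_user_login=xyz; Path=/"


def cross_site_link_click_report() -> dict[str, bool]:
    click = Request(cross_site=True, top_level=True)
    return {n: cookie_sent(m, click) for n, m in map(parse_set_cookie, (SIGNED, LEGACY))}
```

Running cross_site_link_click_report() shows the signed session cookie staying home on a cross-site link click while the legacy cookie without the flag is still sent.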

activate warnings in case the old IE bug is still around

ad_sign: generalize last ad_sign handling to allow user and csrf binding

ad_sign: new optional parameter "user_binding"

The parameter user_binding allows binding a signature to a user. When the value is "-1" only the user who created the signature can obtain the value again. A value of 0 (default) means no user binding. The permissible values might be extended in the future.

bump version number to 5.10.0d24

Bring files on oacs-5-10 in sync with HEAD

Whitespace changes + editor hints

Replace/remove deprecated proc 'db_null' and update doc accordingly

Deprecate 'db_nullify_empty_string', essentially just returning the same string it receives

Deprecate 'db_null'

parameter::get_from_package_key: check as well in "global" package parameter and make clear that lookup from non-singleton packages does not make sense.

fix typos