DataFormsJS v5.14.5

@ConradSollitt ConradSollitt released this 10 Sep 06:26
  • Security update for the starter/example webserver that is included with the main project.
    • The file app.js uses a custom express-like API with a minimal web server which allows DataFormsJS examples to run using Node.js built-in features and no outside dependencies.
    • A path traversal vulnerability was found; credit and thanks to Hamidreza Hamidi and Jafar Akhoundali.
    • The issue was that decodeURIComponent was called out of order: the request path was checked for traversal before it was decoded rather than after, so URL-encoded ".." and "/" sequences passed the check and were only turned into "../" afterwards. This allowed proof-of-concept (PoC) path traversal attacks against a local developer machine using URLs such as http://127.0.0.1:8080/..%2fpackage.json or http://127.0.0.1:8080/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
    • This affects the development download of the project (which includes the example webserver) but not the NPM published release.
  • Replaced CDN https://unpkg.com/ with https://www.jsdelivr.com/
    • The property jsxLoader.babelUrl was changed and can be set back to unpkg if needed by setting the URL prior to the page being loaded.
    • All example pages and apps referenced unpkg for React and related libraries.
    • Even though IE is no longer supported, it still works on legacy Windows Servers, but unpkg blocks it from downloading CDN content. Given this, it's possible they may block other browsers in the future, so switching to jsDelivr helps avoid issues where code could break, and it allows jsxLoader plus all React examples to work out of the box for IE again.
  • Updated several ImageGallery React and Web Components so that the CSS rule @media screen and (-ms-high-contrast: active), screen and (-ms-high-contrast: none) {} is only included when the browser is IE 11.
    • Edge browser started giving a deprecation warning when using this CSS media query.
    • Additionally, the main site, the playground site, and many examples were updated to dynamically handle the CSS media query for IE but not other browsers.
  • Fixed Unit Tests for React and Preact pages
  • Updated Unit Tests to run from Port 4000 instead of Port 5000, because Port 5000 is now used by default on macOS for the AirPlay Receiver and was causing a conflict when running tests on a Mac.