Merge pull request #364 from dgrammatiko/patch-1

Drop jQuery, fix a number of XSS

Author: roland-d

administrator/components/com_patchtester/src/Controller/StartfetchController.php

@@ -70,7 +70,7 @@ public function execute($task): void
 
         $testsModel = Factory::getApplication()->bootComponent('com_patchtester')->getMVCFactory()->createModel('Tests', 'Administrator', ['ignore_request' => true]);
         try {
-        // Sanity check, ensure there aren't any applied patches
+            // Sanity check, ensure there aren't any applied patches
             if (count($testsModel->getAppliedPatches()) >= 1) {
                 $response = new JsonResponse(new \Exception(Text::_('COM_PATCHTESTER_ERROR_APPLIED_PATCHES'), 500));
                 $this->app->sendHeaders();

administrator/components/com_patchtester/tmpl/fetch/default.php

@@ -10,14 +10,18 @@
 use Joomla\CMS\Factory;
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
+use Joomla\CMS\WebAsset\WebAssetManager;
 
 // phpcs:disable PSR1.Files.SideEffects
 \defined('_JEXEC') or die;
 // phpcs:enable PSR1.Files.SideEffects
 
-HTMLHelper::_('jquery.framework');
+/** @var WebAssetManager $wa */
+$wa = $this->document->getWebAssetManager();
+$wa->useScript('com_patchtester.admin-fetcher-modal');
+
 HTMLHelper::_('behavior.core');
-HTMLHelper::_('script', 'com_patchtester/fetcher.js', ['version' => 'auto', 'relative' => true]);
+//HTMLHelper::_('script', 'com_patchtester/fetcher.js', ['version' => 'auto', 'relative' => true]);
 Text::script('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED');
 
 ?>

administrator/components/com_patchtester/tmpl/pulls/default.php

@@ -11,15 +11,17 @@
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\LayoutHelper;
 use Joomla\CMS\Router\Route;
+use Joomla\CMS\WebAsset\WebAssetManager;
 
 // phpcs:disable PSR1.Files.SideEffects
 \defined('_JEXEC') or die;
 // phpcs:enable PSR1.Files.SideEffects
 
-/** @var  \Joomla\Component\Patchtester\Administrator\View\Pulls\PullsHtmlView  $this */
+/** @var  \Joomla\Component\Patchtester\Administrator\View\Pulls\HtmlView  $this */
 
-HTMLHelper::_('stylesheet', 'com_patchtester/octicons.css', ['version' => '3.5.0', 'relative' => true]);
-HTMLHelper::_('script', 'com_patchtester/patchtester.js', ['version' => 'auto', 'relative' => true]);
+/** @var WebAssetManager $wa */
+$wa = $this->document->getWebAssetManager();
+$wa->usePreset('com_patchtester.patchtester');
 
 $listOrder = $this->escape($this->state->get('list.ordering'));
 $listDirn  = $this->escape($this->state->get('list.direction'));

media/com_patchtester/joomla.asset.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "https://developer.joomla.org/schemas/json-schema/web_assets.json",
+  "name": "com_patchtester",
+  "version": "4.3.2",
+  "description": "Joomla CMS",
+  "license": "GPL-2.0-or-later",
+  "assets": [
+    {
+      "name": "com_patchtester.admin-fetcher-modal",
+      "type": "script",
+      "uri": "com_patchtester/fetcher.js",
+      "attributes": {
+        "type": "module",
+        "defer": true
+      }
+    },
+    {
+      "name": "com_patchtester.patchtester",
+      "type": "script",
+      "uri": "com_patchtester/patchtester.js",
+      "attributes": {
+        "type": "module",
+        "defer": true
+      }
+    },
+    {
+      "name": "com_patchtester.octicons",
+      "type": "style",
+      "uri": "com_patchtester/octicons.css"
+    },
+    {
+      "name": "com_patchtester.patchtester",
+      "type": "preset",
+      "dependencies": [
+        "com_patchtester.patchtester#script",
+        "com_patchtester.octicons#style"
+      ]
+    }
+  ]
+}

media/com_patchtester/js/fetcher.js

@@ -1,134 +1,110 @@
 /**
  * Patch testing component for the Joomla! CMS
  *
- * @copyright  Copyright (C) 2011 - 2012 Ian MacLennan, Copyright (C) 2013 - 2018 Open Source Matters, Inc. All rights reserved.
+ * @copyright  Copyright (C) 2023 Open Source Matters, Inc. All rights reserved.
  * @license    GNU General Public License version 2 or later
  */
 
-if (typeof jQuery === 'undefined') {
-    throw new Error('PatchFetcher JavaScript requires jQuery')
-}
-
 if (typeof Joomla === 'undefined') {
     throw new Error('PatchFetcher JavaScript requires the Joomla core JavaScript API')
 }
 
-!function (jQuery, Joomla, window) {
-    'use strict';
-
-    /**
-     * Initialize the PatchFetcher object
-     *
-     * @constructor
-     */
-    var PatchFetcher = function () {
-        var offset = null,
-            progress = null,
-            path = 'index.php?option=com_patchtester&tmpl=component&format=json',
-            lastPage = null,
-            progressBar = jQuery('#progress-bar');
-
-        var initialize = function () {
-            offset = 0;
-            progress = 0;
-            path = path + '&' + jQuery('#patchtester-token').attr('name') + '=1';
-
-            getRequest('startfetch');
-        };
-
-        var getRequest = function (task) {
-            jQuery.ajax({
-                type: 'GET',
-                url: path,
-                data: `task=${task}.${task}`,
-                dataType: 'json',
-                success: function (response, textStatus, xhr) {
-                    try {
-                        if (response === null) {
-                            throw textStatus;
-                        }
-
-                        if (response.error) {
-                            throw response;
-                        }
-
-                        if (response.success === false) {
-                            throw response;
-                        }
-
-                        // Store the last page if it is part of this request and not a boolean false
-                        if (typeof response.data.lastPage !== 'undefined' && response.data.lastPage !== false) {
-                            lastPage = response.data.lastPage;
-                        }
-
-                        // Update the progress bar if we have the data to do so
-                        if (typeof response.data.page !== 'undefined') {
-                            progress = (response.data.page / lastPage) * 100;
-
-                            if (progress < 100) {
-                                progressBar.css('width', progress + '%').attr('aria-valuenow', progress);
-                            } else {
-                                // Both BS2 and BS4 classes are targeted to keep this script simple
-                                progressBar
-                                    .removeClass('bar-success bg-success')
-                                    .addClass('bar-warning bg-warning')
-                                    .css('width', progress + '%')
-                                    .attr('aria-valuemin', 100)
-                                    .attr('aria-valuemax', 200)
-                                    .attr('aria-valuenow', progress);
-                            }
-                        }
-
-                        jQuery('#patchtester-progress-message').html(response.message);
-
-                        if (response.data.header) {
-                            jQuery('#patchtester-progress-header').html(response.data.header);
-                        }
-
-                        if (!response.data.complete) {
-                            // Send another request
-                            getRequest('fetch');
-                        } else {
-                            jQuery('#progress').remove();
-                            jQuery('#modal-sync  button.btn-close', window.parent.document).trigger('click');
-                        }
-                    } catch (error) {
-                        try {
-                            if (response.error || response.success === false) {
-                                jQuery('#patchtester-progress-header').text(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
-                                jQuery('#patchtester-progress-message').html(response.message);
-                            }
-                        } catch (ignore) {
-                            if (error === '') {
-                                error = Joomla.JText._('COM_PATCHTESTER_NO_ERROR_RETURNED');
-                            }
-
-                            jQuery('#patchtester-progress-header').text(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
-                            jQuery('#patchtester-progress-message').html(error);
-                            jQuery('#progress').remove();
-                        }
-                    }
-                    return true;
-                },
-                error: function (jqXHR, textStatus, errorThrown) {
-                    var json = (typeof jqXHR === 'object' && jqXHR.responseText) ? jqXHR.responseText : null;
-                    jQuery('#patchtester-progress-header').text(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
-                    jQuery('#patchtester-progress-message').html(json);
-                    jQuery('#progress').remove();
-                }
-            });
-        };
-
-        initialize();
-    };
-
-    jQuery(function () {
-        new PatchFetcher();
-
-        if (typeof window.parent.SqueezeBox === 'object') {
-            jQuery(window.parent.SqueezeBox).on('close', function () {
-                window.parent.location.reload(true);
-            });
+const defaultSettings = {
+    progress: null,
+    lastPage: null,
+    baseURL: `${Joomla.getOptions('system.paths').baseFull}index.php?option=com_patchtester&tmpl=component&format=json`,
+};
+
+class PatchFetcher {
+  constructor(settings = defaultSettings) {
+    this.url = new URL(settings.baseURL);
+    this.progress = settings.progress;
+    this.lastPage = settings.lastPage;
+
+    this.progressBar = document.getElementById('progress-bar');
+    this.url.searchParams.append(document.getElementById('patchtester-token').getAttribute('name'), 1);
+
+    this.request('startfetch');
+  }
+
+  request(task) {
+    this.url.searchParams.append('task', `${task}.${task}`);
+
+    Joomla.request({
+      url: this.url.toString(),
+      method: 'GET',
+      headers: { 'Content-Type': 'application/json' },
+      perform: true,
+      onSuccess: (response) => {
+        response = JSON.parse(response)
+        try {
+          if (response === null || response.error || response.success === false) {
+            throw response;
+          }
+          // {"success":true,"message":"Processing page 1 of GitHub data","messages":null,"data":{"complete":false,"header":"Processing data from GitHub"}}
+          // Store the last page if it is part of this request and not a boolean false
+          if (typeof response.data.lastPage !== 'undefined' && response.data.lastPage !== false) {
+            this.lastPage = response.data.lastPage;
+          }
+
+          // Update the progress bar if we have the data to do so
+          if (typeof response.data.page !== 'undefined') {
+            this.progress = (response.data.page / this.lastPage) * 100;
+
+            if (this.progress < 100) {
+              this.progressBar.style.width = `${this.progress}%`;
+              this.progressBar.setAttribute('aria-valuenow', this.progress);
+            } else {
+              // Both BS2 and BS4 classes are targeted to keep this script simple
+              this.progressBar.classList.remove(['bar-success', 'bg-success']);
+              this.progressBar.classList.remove(['bar-warning', 'bg-warning']);
+              this.progressBar.style.width = `${this.progress}%`;
+              this.progressBar.setAttribute('aria-valuemin', 100);
+              this.progressBar.setAttribute('aria-valuemax', 200);
+              this.progressBar.setAttribute('aria-valuenow', this.progress);
+            }
+          }
+
+          document.getElementById('patchtester-progress-message').innerHTML = Joomla.sanitizeHtml(response.message);
+
+          if (response.data.header) {
+            document.getElementById('patchtester-progress-header').innerHTML = Joomla.sanitizeHtml(response.data.header);
+          }
+
+          if (!response.data.complete) {
+            this.url.searchParams.append(document.querySelector('#patchtester-token').getAttribute('name'), 1);
+            this.url.searchParams.append('task', `${task}.${task}`);
+            this.request('fetch');
+          } else {
+            document.getElementById('progress').remove();
+            window.parent.document.querySelector('#modal-sync button.btn-close').click();
+          }
+        } catch (error) {
+          try {
+            if (response.error || response.success === false) {
+              document.getElementById('patchtester-progress-header').innerText(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
+              document.getElementById('patchtester-progress-message').innerHTML = Joomla.sanitizeHtml(response.message);
+            }
+          } catch (ignore) {
+            if (error === '') {
+              error = Joomla.JText._('COM_PATCHTESTER_NO_ERROR_RETURNED');
+            }
+
+            document.getElementById('patchtester-progress-header').innerText(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
+            document.getElementById('patchtester-progress-message').innerHTML = Joomla.sanitizeHtml(error);
+            document.getElementById('progress').remove();
+          }
         }
+        return true;
+      },
+      onError: (jqXHR) => {
+        const json = (typeof jqXHR === 'object' && jqXHR.responseText) ? jqXHR.responseText : null;
+        document.getElementById('patchtester-progress-header').innerText(Joomla.JText._('COM_PATCHTESTER_FETCH_AN_ERROR_HAS_OCCURRED'));
+        document.getElementById('patchtester-progress-message').innerHTML = Joomla.sanitizeHtml(json);
+        document.getElementById('progress').remove();
+      }
     });
-}(jQuery, Joomla, window);
+  }
+}
+
+new PatchFetcher();