Compare commits

..

3 Commits

3 changed files with 20 additions and 6 deletions

View File

@ -2,6 +2,20 @@ Change Log
========== ==========
Version 1.5.4
-------------
Released 2023/5/18
Security fixes.
* Added safeguard to the next URI utilities, to prevent Cross-Site
Scripting (XSS) attacks.
* Applied the safe next URI utilities to the test site.
* Added the ``SameSite`` and ``Secure`` flags to the session cookie
of the test site.
Version 1.5.3 Version 1.5.3
------------- -------------

View File

@ -24,7 +24,7 @@ from flask_sqlalchemy import SQLAlchemy
from accounting.utils.user import UserUtilityInterface from accounting.utils.user import UserUtilityInterface
VERSION: str = "1.5.3" VERSION: str = "1.5.4"
"""The package version.""" """The package version."""
db: SQLAlchemy = SQLAlchemy() db: SQLAlchemy = SQLAlchemy()
"""The database instance.""" """The database instance."""

View File

@ -2181,14 +2181,14 @@ class JournalEntryReorderTestCase(unittest.TestCase):
response = self.client.post( response = self.client.post(
f"{PREFIX}/dates/{date.isoformat()}", f"{PREFIX}/dates/{date.isoformat()}",
data={"csrf_token": self.csrf_token, data={"csrf_token": self.csrf_token,
"next": "/next", "next": NEXT_URI,
f"{id_1}-no": "4", f"{id_1}-no": "4",
f"{id_2}-no": "1", f"{id_2}-no": "1",
f"{id_3}-no": "5", f"{id_3}-no": "5",
f"{id_4}-no": "2", f"{id_4}-no": "2",
f"{id_5}-no": "3"}) f"{id_5}-no": "3"})
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual(response.headers["Location"], f"/next") self.assertEqual(response.headers["Location"], NEXT_URI)
with self.app.app_context(): with self.app.app_context():
self.assertEqual(db.session.get(JournalEntry, id_1).no, 4) self.assertEqual(db.session.get(JournalEntry, id_1).no, 4)
@ -2209,12 +2209,12 @@ class JournalEntryReorderTestCase(unittest.TestCase):
response = self.client.post( response = self.client.post(
f"{PREFIX}/dates/{date.isoformat()}", f"{PREFIX}/dates/{date.isoformat()}",
data={"csrf_token": self.csrf_token, data={"csrf_token": self.csrf_token,
"next": "/next", "next": NEXT_URI,
f"{id_2}-no": "3a", f"{id_2}-no": "3a",
f"{id_3}-no": "5", f"{id_3}-no": "5",
f"{id_4}-no": "2"}) f"{id_4}-no": "2"})
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual(response.headers["Location"], f"/next") self.assertEqual(response.headers["Location"], NEXT_URI)
with self.app.app_context(): with self.app.app_context():
self.assertEqual(db.session.get(JournalEntry, id_1).no, 3) self.assertEqual(db.session.get(JournalEntry, id_1).no, 3)