Advanced to version 1.5.4.

Replaced the "/next" next URI with the NEXT_URI constant in the test_reorder test of the JournalEntryReorderTestCase test case.
Removed unnecessary f-strings from the test_reorder test of the JournalEntryReorderTestCase test case.
2023-05-18 00:06:16 +08:00 · 2023-05-18 00:06:05 +08:00 · 2023-05-17 23:54:52 +08:00
3 changed files with 20 additions and 6 deletions
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@ -2,6 +2,20 @@ Change Log
 ==========


+Version 1.5.4
+-------------
+
+Released 2023/5/18
+
+Security fixes.
+
+* Added safeguard to the next URI utilities, to prevent Cross-Site
+  Scripting (XSS) attacks.
+* Applied the safe next URI utilities to the test site.
+* Added the ``SameSite`` and ``Secure`` flags to the session cookie
+  of the test site.
+
+
 Version 1.5.3
 -------------

--- a/src/accounting/init.py
+++ b/src/accounting/init.py
@ -24,7 +24,7 @@ from flask_sqlalchemy import SQLAlchemy

 from accounting.utils.user import UserUtilityInterface

-VERSION: str = "1.5.3"
+VERSION: str = "1.5.4"
 """The package version."""
 db: SQLAlchemy = SQLAlchemy()
 """The database instance."""
--- a/tests/test_journal_entry.py
+++ b/tests/test_journal_entry.py
@ -2153,7 +2153,7 @@ class JournalEntryReorderTestCase(unittest.TestCase):
            self.assertEqual(db.session.get(JournalEntry, id_1).no, 1)
            self.assertEqual(db.session.get(JournalEntry, id_2).no, 3)
            self.assertEqual(db.session.get(JournalEntry, id_3).no, 2)
-            self.assertEqual(db.session.get(JournalEntry, id_4).no, 1)
+            self.assertEqual(   db.session.get(JournalEntry, id_4).no, 1)
            self.assertEqual(db.session.get(JournalEntry, id_5).no, 2)

    def test_reorder(self) -> None:
@ -2181,14 +2181,14 @@ class JournalEntryReorderTestCase(unittest.TestCase):
        response = self.client.post(
            f"{PREFIX}/dates/{date.isoformat()}",
            data={"csrf_token": self.csrf_token,
-                  "next": "/next",
+                  "next": NEXT_URI,
                  f"{id_1}-no": "4",
                  f"{id_2}-no": "1",
                  f"{id_3}-no": "5",
                  f"{id_4}-no": "2",
                  f"{id_5}-no": "3"})
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.headers["Location"], f"/next")
+        self.assertEqual(response.headers["Location"], NEXT_URI)

        with self.app.app_context():
            self.assertEqual(db.session.get(JournalEntry, id_1).no, 4)
@ -2209,12 +2209,12 @@ class JournalEntryReorderTestCase(unittest.TestCase):
        response = self.client.post(
            f"{PREFIX}/dates/{date.isoformat()}",
            data={"csrf_token": self.csrf_token,
-                  "next": "/next",
+                  "next": NEXT_URI,
                  f"{id_2}-no": "3a",
                  f"{id_3}-no": "5",
                  f"{id_4}-no": "2"})
        self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.headers["Location"], f"/next")
+        self.assertEqual(response.headers["Location"], NEXT_URI)

        with self.app.app_context():
            self.assertEqual(db.session.get(JournalEntry, id_1).no, 3)
Author	SHA1	Message	Date
依瑪貓	abe90d3483	Advanced to version 1.5.4.	2023-05-18 00:06:16 +08:00
依瑪貓	65e7dcdf6d	Replaced the "/next" next URI with the NEXT_URI constant in the test_reorder test of the JournalEntryReorderTestCase test case.	2023-05-18 00:06:05 +08:00
依瑪貓	74e414badf	Removed unnecessary f-strings from the test_reorder test of the JournalEntryReorderTestCase test case.	2023-05-17 23:54:52 +08:00