diff --git a/org.adempiere.base/src/org/compiere/model/GridField.java b/org.adempiere.base/src/org/compiere/model/GridField.java
index 936a0864b3..fe9f8a6160 100644
--- a/org.adempiere.base/src/org/compiere/model/GridField.java
+++ b/org.adempiere.base/src/org/compiere/model/GridField.java
@@ -83,7 +83,7 @@ public class GridField
/**
*
*/
- private static final long serialVersionUID = -1871840570764036802L;
+ private static final long serialVersionUID = -5923967271000455417L;
/**
* Field Constructor.
@@ -110,6 +110,7 @@ public class GridField
* GridTab.processDependentFields will check this flag to avoid clearing of lookup field value that just have been set.
**/
private boolean m_lookupEditorSettingValue = false;
+ private boolean m_lockedRecord = false;
/**
* Dispose
@@ -444,6 +445,8 @@ public class GridField
{
if (isVirtualColumn())
return false;
+ if (m_lockedRecord)
+ return false;
// Fields always enabled (are usually not updateable)
if (m_vo.ColumnName.equals("Posted")
|| (m_vo.ColumnName.equals("Record_ID") && m_vo.displayType == DisplayType.Button)) // Zoom
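Review bot: The new `m_lockedRecord` early return is unexplained in a method whose signature lies above this hunk; a one-line comment should say where the flag comes from and that it is a UI-side convenience rather than the access-control boundary. Suggested: `// the looked-up record is not accessible to the current role (set by the lookup editor); this only greys out the field — presumably record access is still enforced when the value is persisted, confirm`. Note the check sits before the "always enabled" exceptions for Posted/Record_ID, so a locked flag wins over those; as far as this diff shows the flag is only set on lookup fields, so that looks intended, but the ordering is worth stating.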
@@ -2507,6 +2510,14 @@ public class GridField
return m_vo.displayType == DisplayType.Button && MColumn.ISTOOLBARBUTTON_Toolbar.equals(m_vo.IsToolbarButton);
}
+ public boolean isLockedRecord() {
+ return m_lockedRecord;
+ }
+
+ public void setLockedRecord(boolean lockedRecord) {
+ this.m_lockedRecord = lockedRecord;
+ }
+
public int getPA_DashboardContent_ID()
{
return m_vo.PA_DashboardContent_ID;
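Review bot: `isLockedRecord`/`setLockedRecord` are public API on a Serializable model class but carry no Javadoc, while the accessors around them do. Document the contract, e.g. on the getter `/** @return true if the lookup editor found that the current value points to a record the role has no access to; the field is then rendered read-only (see isEditable) */` and on the setter `/** Mark the field read-only because the referenced record is locked for this role; set by the lookup editor on each value change */`. Because the flag lives on the shared GridField rather than on the editor, it persists across record navigation until an editor resets it, which deserves a sentence in the setter's Javadoc.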
diff --git a/org.adempiere.base/src/org/compiere/model/MOrderLine.java b/org.adempiere.base/src/org/compiere/model/MOrderLine.java
index 04841e5506..fbeeb8c816 100644
--- a/org.adempiere.base/src/org/compiere/model/MOrderLine.java
+++ b/org.adempiere.base/src/org/compiere/model/MOrderLine.java
@@ -311,7 +311,8 @@ public class MOrderLine extends X_C_OrderLine
// Calculate Discount
setDiscount(m_productPrice.getDiscount());
// Set UOM
- setC_UOM_ID(m_productPrice.getC_UOM_ID());
+ if (getC_UOM_ID()==0)
+ setC_UOM_ID(m_productPrice.getC_UOM_ID());
} // setPrice
/**
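Review bot: With `if (getC_UOM_ID()==0)` the line now keeps a previously set UOM while still taking the price from `m_productPrice` unchanged (the assignments above this hunk), so a line whose UOM differs from the price-list UOM ends up with a price in one unit and a quantity in another unless a conversion happens elsewhere that this diff does not show. If keeping the caller's UOM is the intent, say so on the line, e.g. `// keep a UOM already chosen by the caller; the price-list UOM is only a default — no price conversion is applied here`, so the next reader does not restore the old unconditional assignment. setPrice's body begins above this hunk.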
diff --git a/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java b/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
index 5650fc14a0..7a33c2340d 100644
--- a/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
+++ b/org.adempiere.pipo.handlers/src/org/adempiere/pipo2/handler/FieldElementHandler.java
@@ -33,6 +33,7 @@ import org.compiere.model.I_AD_Field;
import org.compiere.model.I_AD_FieldGroup;
import org.compiere.model.I_AD_Reference;
import org.compiere.model.I_AD_Tab;
+import org.compiere.model.I_AD_Val_Rule;
import org.compiere.model.MField;
import org.compiere.model.X_AD_Field;
import org.compiere.model.X_AD_Package_Imp_Detail;
@@ -120,6 +121,12 @@ public class FieldElementHandler extends AbstractElementHandler {
ElementHandler handler = packOut.getHandler(I_AD_Reference.Table_Name);
handler.packOut(packOut,document,null,m_Field.getAD_Reference_ID());
}
+
+ if (m_Field.getAD_Val_Rule_ID() > 0)
+ {
+ ElementHandler handler = packOut.getHandler(I_AD_Val_Rule.Table_Name);
+ handler.packOut(packOut,document,null,m_Field.getAD_Val_Rule_ID());
+ }
}
catch(Exception e)
{
diff --git a/org.adempiere.ui.zk/.classpath b/org.adempiere.ui.zk/.classpath
index 6a9ce5244c..b58918e146 100644
--- a/org.adempiere.ui.zk/.classpath
+++ b/org.adempiere.ui.zk/.classpath
@@ -9,5 +9,6 @@
+
diff --git a/org.adempiere.ui.zk/META-INF/MANIFEST.MF b/org.adempiere.ui.zk/META-INF/MANIFEST.MF
index 6376ff9d1f..3bb82eb2bb 100644
--- a/org.adempiere.ui.zk/META-INF/MANIFEST.MF
+++ b/org.adempiere.ui.zk/META-INF/MANIFEST.MF
@@ -55,7 +55,8 @@ Import-Package: groovy.transform.stc;version="2.4.7",
DynamicImport-Package: action.images
Bundle-ClassPath: .,
WEB-INF/lib/ckez.jar,
- WEB-INF/lib/daisydiff.jar
+ WEB-INF/lib/daisydiff.jar,
+ WEB-INF/lib/owasp-java-html-sanitizer.jar
Export-Package: fi.jawsy.jawwa.zk.atmosphere,
metainfo.zk,
org.adempiere.webui,
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
index 4dea40686c..3dc308523f 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WHtmlEditor.java
@@ -194,7 +194,7 @@ public class WHtmlEditor extends WEditor implements ContextMenuListener
adwindowContent.hideBusyMask();
}
if (!dialog.isCancelled()) {
- box.setContent(dialog.getText());
+ box.setContent(WTextEditorDialog.sanitize(dialog.getText()));
String newText = box.getContent();
ValueChangeEvent changeEvent = new ValueChangeEvent(WHtmlEditor.this, WHtmlEditor.this.getColumnName(), oldValue, newText);
WHtmlEditor.super.fireValueChange(changeEvent);
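Review bot: `dialog.getText()` is already the sanitized string (this commit sanitizes it in `WTextEditorDialog.onEditorCallback`), so this line sanitizes twice; harmless, but the duplication obscures where the trust boundary actually is. More importantly this only filters what comes out of the editor dialog: HTML already stored, or written through any path other than this dialog, presumably still reaches `box.setContent` unsanitized when the value is loaded outside this hunk, so stored markup is not covered. Consider sanitizing where the content is rendered (or in the model's save hook) and keeping a single call here, with a comment such as `// defense in depth: the dialog already sanitizes; the load path still trusts stored HTML`.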
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
index 14f0bee057..338e798d75 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/editor/WTableDirEditor.java
@@ -42,8 +42,10 @@ import org.compiere.model.GridField;
import org.compiere.model.GridTable;
import org.compiere.model.Lookup;
import org.compiere.model.MBPartnerLocation;
+import org.compiere.model.MColumn;
import org.compiere.model.MLocation;
import org.compiere.model.MLookup;
+import org.compiere.model.MRole;
import org.compiere.model.MTable;
import org.compiere.util.CCache;
import org.compiere.util.CLogger;
@@ -319,18 +321,40 @@ ContextMenuListener, IZoomableEditor
if (value instanceof Integer && gridField != null && gridField.getDisplayType() != DisplayType.ID &&
(gridTab==null || !gridTab.getTableModel().isImporting())) // for IDs is ok to be out of the list
{
- getComponent().setValue(null);
- if (curValue == null)
- curValue = value;
- ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null);
- super.fireValueChange(changeEvent);
- oldValue = null;
+ //if it is problem with record lock, just keep value (no trigger change) and set field readonly
+ MRole role = MRole.getDefault(Env.getCtx(), false);
+ MColumn col = MColumn.get(Env.getCtx(), gridField.getAD_Column_ID());
+ int refTableID = -1;
+ if (col.get_ID() > 0) {
+ String refTable = col.getReferenceTableName();
+ MTable table = MTable.get(Env.getCtx(), refTable);
+ refTableID = table.getAD_Table_ID();
+ }
+ if (refTableID > 0 && ! role.isRecordAccess(refTableID, (int)value, false))
+ {
+ oldValue = value;
+ setReadWrite(false);
+ gridField.setLockedRecord(true);
+ }
+ else
+ {
+ getComponent().setValue(null);
+ if (curValue == null)
+ curValue = value;
+ ValueChangeEvent changeEvent = new ValueChangeEvent(this, this.getColumnName(), curValue, null);
+ super.fireValueChange(changeEvent);
+ oldValue = null;
+ if (gridField!=null)
+ gridField.setLockedRecord(false);
+ }
}
}
}
else
{
oldValue = value;
+ if (gridField!=null)
+ gridField.setLockedRecord(false);
}
}
else
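Review bot: `col.get_ID()` and `table.getAD_Table_ID()` are dereferenced without null checks; if `MColumn.get` or `MTable.get` return null for a field with no backing column or a reference type that yields no table name (I cannot confirm their contracts from here), the whole setValue throws instead of falling back to the old clear-the-value behaviour. The `gridField!=null` test before the later `setLockedRecord(false)` is redundant inside this branch, since the enclosing condition already required it. Also, the lock path calls `setReadWrite(false)` but neither reset branch restores read-write, so the editor stays read-only after moving to an accessible record unless the surrounding dynamic display re-applies `isEditable` on every row change — worth confirming. The null-safe lookup could read:
```java
// … unchanged: detection of a value that is not in the lookup list …
MRole role = MRole.getDefault(Env.getCtx(), false);
MColumn col = MColumn.get(Env.getCtx(), gridField.getAD_Column_ID());
int refTableID = -1;
if (col != null && col.get_ID() > 0) {
    String refTable = col.getReferenceTableName();
    MTable table = refTable != null ? MTable.get(Env.getCtx(), refTable) : null;
    if (table != null)
        refTableID = table.getAD_Table_ID();
}
// … unchanged: isRecordAccess branch and the clear-value fallback …
```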
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java
index c6c69854d6..ae18b97904 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/panel/WAttachment.java
@@ -482,6 +482,7 @@ public class WAttachment extends Window implements EventListener
AMedia media = new AMedia(entry.getName(), null, contentType, entry.getData());
preview.setContent(media);
+ preview.setClientAttribute("sandbox", "");
preview.setVisible(true);
preview.invalidate();
}
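Review bot: The empty `sandbox` value is the right choice for user-uploaded content (no scripts, no forms, opaque origin so the frame cannot reach the session), but nothing says so, and the effect depends on the `preview.invalidate()` two lines later forcing a fresh iframe — as far as I recall ZK emits client attributes at render time, so a later reader who drops the invalidate as redundant would silently lose the sandbox. Suggested comment above the new line: `// sandbox attachment content: no scripts, opaque origin; needs the invalidate() below so the iframe is re-rendered with the attribute`. Also verify PDF previews still render in Chromium, which I believe refuses its built-in PDF viewer inside a sandboxed frame.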
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java
index 85e3c6fc14..b8ec742919 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WMediaDialog.java
@@ -237,7 +237,9 @@ public class WMediaDialog extends Window implements EventListener
AMedia media = createMedia();
preview.setContent(media);
+ preview.setClientAttribute("sandbox", "");
preview.setVisible(true);
+ preview.invalidate();
}
catch (Exception e)
{
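Review bot: The added `preview.invalidate()` is what makes the new `sandbox` attribute take effect (the WAttachment counterpart already had it), but without a comment it reads as a stray refresh and is likely to be removed in a cleanup. Suggested on the attribute line: `// media content is user-supplied: sandbox with no allowances; invalidate() below re-renders the iframe so the attribute is applied`. The enclosing try block starts above this hunk.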
diff --git a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
index 3ee0513e6c..ea62e8ead3 100644
--- a/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
+++ b/org.adempiere.ui.zk/WEB-INF/src/org/adempiere/webui/window/WTextEditorDialog.java
@@ -28,6 +28,8 @@ import org.adempiere.webui.component.Window;
import org.adempiere.webui.theme.ThemeManager;
import org.adempiere.webui.util.ZKUpdateUtil;
import org.compiere.util.Language;
+import org.owasp.html.PolicyFactory;
+import org.owasp.html.Sanitizers;
import org.zkforge.ckez.CKeditor;
import org.zkoss.zk.au.out.AuScript;
import org.zkoss.zk.ui.event.Event;
@@ -48,7 +50,7 @@ public class WTextEditorDialog extends Window implements EventListener{
/**
*
*/
- private static final long serialVersionUID = 1188165765430615546L;
+ private static final long serialVersionUID = -1857623453350849161L;
private boolean editable;
private int maxSize;
@@ -186,7 +188,7 @@ public class WTextEditorDialog extends Window implements EventListener{
}
public void onEditorCallback(Event event) {
- text = (String) event.getData();
+ text = sanitize((String) event.getData());
detach();
}
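Review bot: `sanitize((String) event.getData())` changes what `getText()` returns when the editor posts no data: a null payload previously left `text` null, while the OWASP `PolicyFactory.sanitize` returns an empty string for null input as far as I recall, so callers distinguishing "no data" from "empty" may now see "". If that is acceptable, note it on the line; otherwise guard with `String data = (String) event.getData();` followed by `text = data == null ? null : sanitize(data);`. The unchecked cast still throws ClassCastException on non-String payloads, as before.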
@@ -264,4 +266,14 @@ public class WTextEditorDialog extends Window implements EventListener{
return text;
}
+ public static String sanitize(String untrustedHTML) {
+ final PolicyFactory policy = Sanitizers.BLOCKS
+ .and(Sanitizers.FORMATTING)
+ .and(Sanitizers.IMAGES)
+ .and(Sanitizers.LINKS)
+ .and(Sanitizers.STYLES)
+ .and(Sanitizers.TABLES);
+ return policy.sanitize(untrustedHTML);
+ }
+
}
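Review bot: `sanitize` rebuilds the `PolicyFactory` on every call; the factory is immutable and thread-safe, so hoist it to `private static final PolicyFactory HTML_POLICY = Sanitizers.BLOCKS.and(Sanitizers.FORMATTING).and(Sanitizers.IMAGES).and(Sanitizers.LINKS).and(Sanitizers.STYLES).and(Sanitizers.TABLES);` and return `HTML_POLICY.sanitize(untrustedHTML)`. The method is public static and now the project's single HTML trust boundary, so it deserves Javadoc stating what the allow-list drops — scripts, event handlers, iframes, and as far as I recall links outside http/https/mailto and data: image URLs — so that whoever hits "my embedded video disappeared" widens the policy deliberately instead of bypassing the call. The chosen set is a sound minimal default; any later `allowElements`/`allowAttributes` additions should be reviewed as a security change.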
diff --git a/org.adempiere.ui.zk/WEB-INF/web.xml b/org.adempiere.ui.zk/WEB-INF/web.xml
index 15898c060e..3f001c5015 100644
--- a/org.adempiere.ui.zk/WEB-INF/web.xml
+++ b/org.adempiere.ui.zk/WEB-INF/web.xml
@@ -85,6 +85,10 @@
+
+ true
+ true
+
60
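Review bot: The element names were lost in this rendering, but the two `true` values placed before the `60` session timeout look like the servlet `cookie-config` `http-only`/`secure` flags; if so, marking the session cookie Secure means a deployment reached over plain HTTP (including a dev setup without TLS) never gets its session cookie back and logins silently fail. That is the right production default, but it should be stated in the deployment notes or made overridable, and the file should carry a comment such as `<!-- session cookie: HttpOnly blocks script access; Secure requires HTTPS, so plain-HTTP deployments must be fronted by TLS -->`.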
diff --git a/org.adempiere.ui.zk/build.properties b/org.adempiere.ui.zk/build.properties
index 8f0c6267a2..aba88e9ea0 100644
--- a/org.adempiere.ui.zk/build.properties
+++ b/org.adempiere.ui.zk/build.properties
@@ -35,6 +35,7 @@ bin.includes = META-INF/,\
pdf.js/,\
WEB-INF/lib/ckez.jar,\
WEB-INF/lib/daisydiff.jar,\
+ WEB-INF/lib/owasp-java-html-sanitizer.jar,\
.
src.includes = WEB-INF/tld/,\
WEB-INF/web.xml,\
diff --git a/org.adempiere.ui.zk/pom.xml b/org.adempiere.ui.zk/pom.xml
index 9a5c585a2d..0170c5d605 100644
--- a/org.adempiere.ui.zk/pom.xml
+++ b/org.adempiere.ui.zk/pom.xml
@@ -62,6 +62,11 @@
ckez
4.7.0.0
+
+ com.googlecode.owasp-java-html-sanitizer
+ owasp-java-html-sanitizer
+ 20190503.1
+
WEB-INF/lib
true
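Review bot: The markup was stripped in this rendering, but the hunk appears to add `com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20190503.1` copied into `WEB-INF/lib`, where the manifest then references it by an unversioned file name. Releases of that era declared a transitive Guava dependency as far as I recall; if Guava is not already on the bundle classpath or imported via OSGi, `WTextEditorDialog.sanitize` will fail at runtime with NoClassDefFoundError, so confirm the transitive closure is covered. Since the sanitizer is now a security control, keep its version tracked in this one place, watch its release feed, and consider pinning a checksum in the build.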