@sgiehl opened this Issue on March 11th 2013 Member

We need to do an update of JQuery and JQueryUI.

JQuery 1.7.2 -> 1.9.1
JQueryUI 1.8.22 -> 1.10.2

As the last update was quite a long time ago, there might be some code changes required...

@BeezyT commented on April 3rd 2013 Member

Attachment: After searching, the default jQuery UI style shows up
Website selector style.png

@mattab commented on April 4th 2013 Owner
@mattab commented on April 4th 2013 Owner
@mattab commented on April 4th 2013 Owner
@BeezyT commented on April 4th 2013 Member

Attachment: chart before (without line on the left)
chart before.png

@BeezyT commented on April 4th 2013 Member

Attachment: chart after (with line on the left)
chart after.png

@sgiehl commented on March 11th 2013 Member

Note to myself: Have a look at https://github.com/jquery/jquery-migrate/#readme

@sgiehl commented on March 11th 2013 Member

The history plugin we are using doesn't work with new jquery version. Unfortunatly it is not maintained anymore (see http://tkyk.github.com/jquery-history-plugin/). I'll try to fix that plugin or look for something to use instead

@sgiehl commented on March 14th 2013 Member

It might also be possible to remove the jquery.tooltip plugin. It is not maintained anymore and jquery ui has now also a tooltip widget included...

@sgiehl commented on March 17th 2013 Member

We will also have to update jqplot. As the old version doesn't work with new jquery

@gka commented on March 20th 2013 Member

FYI: I tried to upgrade while working on the map widget, but that opened a door to hell so I stopped it after two lost hours or so.

@sgiehl commented on March 30th 2013 Member

In 5e59c5948d2d28213bd29201bedeac2d8159d304: refs #3813 jquery, jqueryui & jqplot update + some fixes

@sgiehl commented on March 30th 2013 Member

In ab52eb72aa0b3d56c1d8c2c25a51021b8997798e: refs #3813 jqueryui css update + dialog fixes

@sgiehl commented on March 30th 2013 Member

In 5667e914cec6efce5b7663ef881ce47e27b0fc21: refs #3813 widget reload on changing column layout was broken

@sgiehl commented on March 30th 2013 Member

In f3806a26b79dcc9b6157c14699558825e06e1eb6: refs #3813 readding jQuery.browser plugin, as it has been removed in 1.9

@sgiehl commented on March 30th 2013 Member

In b5ab89c24e653e413e1deb2e20cb76eef5a007e1: refs #3813 css files in libs folder should always be included first, so they can be overwritten in piwik css as clean as possible

@sgiehl commented on March 30th 2013 Member

In 237517a6ffdbe330e9daacd2bba909560473eac8: refs #3813 use piwik tooltip styling for map tooltips

@sgiehl commented on March 30th 2013 Member

In f61bbbccd64138fc1881c7abfffa1b4260205192: refs #3813 use jqueryui tooltip plugin instead of piwiks selfmade one for datatables

@sgiehl commented on March 30th 2013 Member

In ed557581ddd922b6aab93e947e15e6999efef80f: refs #3813 use jqueryui tooltip plugin instead of piwiks selfmade one for transitions

@sgiehl commented on March 30th 2013 Member

In 7c584814f25a496da8953ad9a772d6f970864be8: refs #3813 use jqueryui tooltip plugin instead of piwiks selfmade one for overlay

@sgiehl commented on March 30th 2013 Member

In 82de4cc60d1d385c12dcbe6799f4d3a7ada2ba6e: refs #3813 use jqueryui tooltip plugin instead of piwiks selfmade one for jqplot graphs

@sgiehl commented on March 30th 2013 Member

In b823598f1a8274a94f35021a36c071fef22a7912: refs #3813 removing now unused piwik tooltip.js

@sgiehl commented on March 30th 2013 Member

In 0048ce3cf4e40695f3c673d2ae84eddb759c14ff: refs #3813 minified jqplot

@sgiehl commented on March 30th 2013 Member

In 670a0d295ddc292ea1194aff0dd307b23d59cd12: refs #3813 upgrade to jQueryUI 1.10.2

@sgiehl commented on March 30th 2013 Member

In f56307346e2ab68a47be17bec7f991b83740aab8: refs #3813 fixed language selector: always use form to post data, as token_auth is required for users so setting a correct link is obsolete now

@BeezyT commented on March 30th 2013 Member

In 7fd5e006a9b0803c832523af1acfa403c8f44896: refs #3813 polishing tooltip a little: using arial and same font size for title as table headings

@BeezyT commented on March 30th 2013 Member

Stefan, did you use fade-in for showing the tooltip on purpose? IMHO, it's not ideal in some cases.

For example:

  • When you open a row action popover, the tip stays there for a second and fades out quite slowly. This looks a little broken because it's above the popover background.
  • In Transitions, when an item on the left or right has multiple lines and you move the mouse from one line to the next, the tip fades out an in. (Tested in Chrome and Safari)
  • While fading, the tooltip moves not really fluidly. To me, that feels like you have to be careful not to break it when using the UI.
  • In Transitions, when you hover an item in the center, it says X% of all page views. When you leave the item and move your mose down, you might put your mouse on the tooltip while it's fading out. This prevents the next tooltip from showing. This happend to me a number of times and it took me a while to figure out that this is because I move my mouse over the fading tooltip and then stop moving. As a result, tooltips sometimes don't show up and it feels a little broken.

So I would propose not to use fade-in and all these items should be fixed. What do you think?

Is there a way to set the default options for $.toolip? Or would we have change every call?

@sgiehl commented on March 30th 2013 Member

Currenty the default behaviour is used.
I don't think a global config is possible. I'll change every call and disable animations.

@sgiehl commented on March 30th 2013 Member

In 6defcdabab75eb5365b77f375d0e07d45f513911: refs #3813 disabled animations for tooltips

@sgiehl commented on March 30th 2013 Member

I'll close that ticket for now. If there are any regressions please reopen.

@mattab commented on April 1st 2013 Owner

Superb commits... It is very useful to use these latest versions.

Feedback:

  • would it be possible to remove the jquery.browser.js? asking because the lib is deprecated
  • Maybe not a regression of this change, but on Widget view for a report, clicking "Row evolution" icon reloads the view rather than loading popover.
  • When a widget is maximised, clicking on the background should close the popover. Currently it does not. Clicking the "X" icon top right still works OK.
  • Note sure if it's a regression: Row Evolution popover eg. for Countries, or for Search engines Row Evolution, display the html code of the Icon, instead of displaying the icon in the popover title.

Great work anyway, works nicely.

Btw, are there other JS libraries, or JS plugins, we could update to their latest versions as well?

@sgiehl commented on April 1st 2013 Member

I considered replacing jquery.browser, but I don't think it makes sense, so I readded it as a "plugin". jQuery suggests to replace it with one of those feature detection frameworks.
Also kartograph.js uses jquery.browser and I guess greg would have to change that there...

I'll have a look at your regressions and fix them asap.

I had a look at the other jquery plugins we are still using, but there aren't any newer versions.

@sgiehl commented on April 1st 2013 Member

In 87d16aeb041d45f4f8144e9f1984d02120dd1095: refs #3813 fixed maximised widgets not closing on click outside

@sgiehl commented on April 1st 2013 Member

In 089b7df0d9ddeaa4c335380cdefdcb2231a51cb4: refs #3813 allow html for popover dialog title

@mattab commented on April 2nd 2013 Owner

I deployed these fixes on demo and it now works!

The last feedback would be to allow Row evolution and other RowActions in Widgetize mode, and maybe have a rule to enable them only if Width available > 700 or so.

@BeezyT commented on April 2nd 2013 Member

Thanks for the updates, it's almost perfect now...

When a row action is clicked, the tooltip is not hidden immediately (i.e. in the click event). In Transitions, it is hidden once the popover content is loaded (which can be seconds after the click). For Row Evolution and Overlay, it is not hidden at all (at least as long as the mouse is not moved).
Could you hide the tooltip in the click event?

@sgiehl commented on April 2nd 2013 Member

@EZdesign: I can't reproduce that behavior. Which browser are u using?

@BeezyT commented on April 2nd 2013 Member

It happens to me in Chrome and Safari. I didn't check other browsers.

@sgiehl commented on April 2nd 2013 Member

The tooltip of the rowaction is always hidden correct. But in a row with a row tooltip (truncated content) that tooltip sometimes shows up instead. I guess it's that what you mean? I'm not sure how to fix that, but I'll have a look.

@BeezyT commented on April 3rd 2013 Member

Stefan, I just sent you an email with a screen capture of the issue.

@BeezyT commented on April 3rd 2013 Member

I just noticed another detail (see attachment I just uploaded). I'm not entirely sure this belongs here but I think it didn't happen before.

Reproduce:

  • Open website selector
  • Search
  • Hover a search result
@sgiehl commented on April 3rd 2013 Member

I'll have look. Guess that happens because the new jQueryUI has new classnames at some points

@sgiehl commented on April 3rd 2013 Member

In 3e002e63d974df1f7949e9ae5aaf402cdeb46a7b: refs #3813 fixed adding new websites/users. note: jQuery('htmlString') doesn't work anymore if htmlString doesn't start with '<' - use jQuery(jQuery.parseHTML('htmlString')) instead

@sgiehl commented on April 3rd 2013 Member

In 75382f806ff9c782836f3606f0c892f8fdf5572f: refs #3813 fixed hover layout of site selector items

@mattab commented on April 4th 2013 Owner

Updated demo to beta5.

  • Click on black popover background does not close the popover. Reproduce: Click on "Give us feedback" then click on the background
  • The tooltip looks great.
  • However it is wrapped too early. It should display, when possible (up to a max width maybe 600px?), the text on one line. This is because the tooltip will be displayed often when the text is long, and it looks much better to show such text (often a URL or a keyword) in one line.
    See attached file showing issue.
  • on this report there is a funny space in "Pages Following a Site Search" (see attached file)
  • When adding a new website, "Keep URL fragment" is double HTML entitied (see screenshot)
@BeezyT commented on April 4th 2013 Member

I noticed a small but kinda ugly change in the evolution chart (see screenshots above).

jplot is now embedded as jqplot-custom.min.js. I can't debug the minified script. How can I build the minified script? Can Anthon or Stefan (who generated the script previously) place a README in the jqplot folder that explains the process?

The line is drawn on jqplot-grid-canvas, so it should be somewhere in jqplot.canvasGridRenderer.js. It's either a new parameter or a regression. I tried all documented parameters that seemed related but couldn't hide the line. I think we have to debug in the jqplot code.

Alternatively, we could revert the update. We don't depend on new jqplot features so using the old version would be OK - not ideal though.

@sgiehl commented on April 4th 2013 Member

I don't know how anthon did that before. I had written a simple script that minified those files using the jsmin class.

Using the old version of jqplot didn't work with new jquery, that was the reason I upgraded it.

@sgiehl commented on April 4th 2013 Member

@matt: I guess the url fragment thing got broken with your mass commit. There are whitspaces within the html tags. See https://github.com/piwik/piwik/blame/master/plugins/SitesManager/templates/SitesManager.tpl#L50
I'll fix that and the other regressions later...

@BeezyT commented on April 4th 2013 Member

Could you add the script to the jqplot folder so that we can just call it in the future to re-generate the minified file?

@halfdan commented on April 4th 2013 Member

@sgiehl can you try and fix it as soon as possible - I will have to work on this template today (in my branch) and would like to avoid horrible merge conflicts with Smarty/Twig.

@BeezyT commented on April 4th 2013 Member

In c35534d42f4000a709b476c56526e886b24b0952: refs #3813 removing the line that appeared on evolution and bar chars on the left after jqplot update

@BeezyT commented on April 4th 2013 Member

The problem is fixed now. A script to generate the minified file would still be nice :)

To be honest, I don't understand why we have to minfy it. Doesn't the addJs Hook do that?

@BeezyT commented on April 4th 2013 Member

This probably isn't the best way to do it, but what do you think about this script?

echo "" > jqplot-custom.min.js-temp

cat jqplot.core.js >> jqplot-custom.min.js-temp 
cat jqplot.linearAxisRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.axisTickRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.axisLabelRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.tableLegendRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.lineRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.linePattern.js >> jqplot-custom.min.js-temp
cat jqplot.markerRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.divTitleRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.canvasGridRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.shadowRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.shapeRenderer.js >> jqplot-custom.min.js-temp
cat jqplot.sprintf.js >> jqplot-custom.min.js-temp
cat jqplot.themeEngine.js >> jqplot-custom.min.js-temp
cat plugins/jqplot.pieRenderer.js >> jqplot-custom.min.js-temp
cat plugins/jqplot.barRenderer.js >> jqplot-custom.min.js-temp
cat plugins/jqplot.categoryAxisRenderer.js >> jqplot-custom.min.js-temp
cat plugins/jqplot.canvasTextRenderer.js >> jqplot-custom.min.js-temp
cat plugins/jqplot.canvasAxisTickRenderer.js >> jqplot-custom.min.js-temp

java -jar ../../js/yuicompressor-2.4.2/build/yuicompressor-2.4.2.jar --type js --line-break 1000 jqplot-custom.min.js-temp > jqplot-custom.min.js 

rm ./jqplot-custom.min.js-temp

Improvements / suggestions are welcome :)

@mattab commented on April 4th 2013 Owner

FYI: The reason the JQPlot JS were concatenated by Anthon was to make the JS Assets Merger much faster. Some web hosts were taking like 15-20seconds more to minify + merge these 19 files.

@sgiehl commented on April 4th 2013 Member

In 3892944beee9698ae7b8cba50b7b4adecd007fe4: refs #3813 fixes url fragments in sitemanager

@sgiehl commented on April 4th 2013 Member

In e20f8ac0773e2d047e2928724308a6f7d62c0231: refs #3813 set max tooltip width to 600px

@sgiehl commented on April 4th 2013 Member

In 8b2f6711dbe18be7097cfbe1fd3f61c40cc19e0e: refs #3813 rowevolution should work everywhere now

@mattab commented on April 5th 2013 Owner

In widgetize mode: https://demo.piwik.org/index.php?module=Widgetize&action=iframe&widget=1&moduleToWidgetize=Actions&actionToWidgetize=getPageUrls&idSite=3&period=day&date=yesterday&disableLink=1&widget=1

-> Row evolution is not working there. It adds the parameter &popover= to the URL instead of maybe creating the hash?

Note: If you fix this, you can also close #3570 which is to make Transitions+Row Evolution compatible with widgetize views :)

@BeezyT commented on April 5th 2013 Member

In b1db7def1cacdf04ab0c530da32cc46a53c2c7a8: refs #3813 hiding row action tooltip when clicking the action

@BeezyT commented on April 5th 2013 Member

In 392161d93895ffaa270502581212de7251a4638a: refs #3813 script for building jqplot-custom.min.js

@sgiehl commented on April 5th 2013 Member

In a6c9cbae140bea006b7af29645ae35198c59a7a4: fixes #3570 refs #3813 now rowactions should work everywhere ;)

@sgiehl commented on April 5th 2013 Member

In 0047ff17d75b5e515cad115c4d95f18a0e0f0a7e: refs #3813 fixed bug with ugly spaces in sitesearch datatable. problem was the datatable manager that didn't work with diffrent types of datatables on one page

@sgiehl commented on April 6th 2013 Member

In f3544da351ab5de4dce4d406a89d0a68b4317730: refs #3813 don't show row actions if available window width is less then 600px

@sgiehl commented on April 6th 2013 Member

I hope all regressions are fixed now. If not reopen ;)

@BeezyT commented on April 10th 2013 Member
  • In 0047ff17d75b5e515cad115c4d95f18a0e0f0a7e datatable_actions_js.tpl was removed. This file is still included in datatable_actions_recursive.tpl. Can we just remove the include or should the filename be changed to datatable_js.tpl?
  • After searching in a the pages report (search box at the bottom of the report), the data table JS does not work - neither sorting nor tooltips etc.
  • Also, search results with subtables are not shown properly, e.g. if you search for "index" here. They used to be nested like an expanded pages report.
@sgiehl commented on April 10th 2013 Member

oh, guess I missed that one. Should be replaced with datatable_js.tpl
I'll have a look at that search issue asap

@BeezyT commented on April 10th 2013 Member

I'm not sure what the effect of changing the import would be, and it's hard to test as long as the other bug breaks the data table.
So I'm not comfortable with changing it, please take a look at it after the other bug is fixed.

@sgiehl commented on April 10th 2013 Member

In 80f5e5bdec5fbaf62bb2cffde47759203bc478f7: refs #3813 fixed template for recursive action tables

@sgiehl commented on April 10th 2013 Member

@EZdesign: I guess that should fix your issues. Can you confirm, plz?

@mattab commented on April 11th 2013 Owner

We found that Overlay is not working anymore, eg: http://demo.piwik.org/index.php?module=Overlay&period=month&date=today&idSite=1#l=http$3A$2F$2Fpiwik.org$2F

  • Bug: Dropdown isn't showing selected period (however data on the right seems to apply to period)
  • Bug: The left panel shows "no data"
  • The right panel shows the bubbles in the websites as expected.
  • the particular page /download-piwik shows 12% next page in the transitions report but the "DOWNLOAD" menu link shows 0% for the same period.
@mattab commented on April 11th 2013 Owner

Row Actions work in the standard UI, but in the Iframed Dashboard, the icon hides on click but does not launch the popover.

@BeezyT commented on April 11th 2013 Member

In 2fbfbf76be47fbc8a9c8d33872f03ce8308cbff3: refs #3813 another data table improvement: refactor data table header to a separate template

  • removes code duplication (we already had a minor inconsistent bug fix - shame on us!)
  • show the sorted column and report documentation after using the search box

@Stefan: the issues I reported are fixed now

@Everyone: this is turning into a general data table improvement ticket

@BeezyT commented on April 11th 2013 Member

In c00d063d46b88e8ec89313010012e387a375a4e0: refs #3813 Overlay compatibility with latest jquery

@BeezyT commented on April 11th 2013 Member

Bug: The left panel shows "no data"

I don't understand. Can you clarify? When exactly does it happen?

the particular page /download-piwik shows 12% next page in the transitions report but the "DOWNLOAD" menu link shows 0% for the same period.

Is that connected to the select box showing the wrong period? Can you check again?
My guess is that you got confused about which range is shown because the select box didn't work. If the bug still exists, please tell us the exact period for both reports where the numbers don't match.

@mattab commented on April 12th 2013 Owner

Nice refactoring Timo.

Regarding Overlay, now it's not loading any data for piwik.org: https://demo.piwik.org/index.php?module=Overlay&period=week&date=today&idSite=1

No data on the left and no bubbles in the right.

Overlay works OK on the forums& the crowdfunding site: http://demo.piwik.org/index.php?module=Overlay&period=month&date=today&idSite=7#l=http$3A$2F$2Fforum.piwik.org$2F

@mattab commented on April 12th 2013 Owner

Actually works on Chrome for piwik.org as well so looking good :)

IIRC the only small bug left to fix is:

  • Row Actions work in the standard UI, but in the Iframed Dashboard, the icon hides on click but does not launch the popover.
@sgiehl commented on April 12th 2013 Member

Replying to matt:

Regarding Overlay, now it's not loading any data for piwik.org: https://demo.piwik.org/index.php?module=Overlay&period=week&date=today&idSite=1

No data on the left and no bubbles in the right.

Doesn't work with https for me, too. http is working well...

@BeezyT commented on April 12th 2013 Member

https://demo.piwik.org/index.php?module=Overlay&period=week&date=today&idSite=1

This works for me in Firefox, Safari and Chrome. Are you using exactly this URL? And which browser?
Please copy-paste the exact URL, tell me the browser and whether it's working or not. I'm a bit confused about what is working for whom in which case...


Row Actions work in the standard UI, but in the Iframed Dashboard, the icon hides on click but does not launch the popover.

Stefan, will you handle that?

@sgiehl commented on April 12th 2013 Member

In 30416f5a67aee234d38e3b203d8410affc2a3720: refs #3813 fixes rowevolution not working in widgetized dashboard

@sgiehl commented on April 12th 2013 Member

In ae2c2fd1cee3acdbee021210e44f9bbefa31826d: refs #3813 clean solution to make popovers work in widgetize mode

@sgiehl commented on April 15th 2013 Member

Is everything fixed now, or is something still open?

@mattab commented on April 16th 2013 Owner

Nice updates!

Updated beta10 to demo and found some bugs:

  • the "Export as image" icon below evolution graph is not triggering the "Save As" box (does nothing)
  • on Search engines report, clicking "Make it flat" loads "no data".
  • on widgetize dashboard, clicking Row Evolution works, but it also displays "Loading Data..." below the "calendar". Instead it should not show this "Loading data..." since the popover loading message is enough.
@mattab commented on April 16th 2013 Owner

There was also a bug reported in the forums on IE8.

  • Using IE8, go to Actions> Page title report
  • Click on "Related report: Entry page titles" in the footer
  • error: "Message: Syntax error, unrecognized expression: The plugin undefined is not enabled. You can activate the plugin on Settings > Plugins page in Piwik."
@BeezyT commented on April 16th 2013 Member

In 57cd3479ed52123dd4ec851db7eb4464967095ca: refs #3813 fixing export as image

@sgiehl commented on April 16th 2013 Member

In f2f4cd11fd637b727c68a38c02946d6ae508fb2f: refs #3813 do not show a loading message if broadcast is initalized for popovers

@sgiehl commented on April 16th 2013 Member

Replying to matt:

Seems to be related to the callbacks used by the api method of that datatable. Removing them makes the table work... don't know why -.-

  • on widgetize dashboard, clicking Row Evolution works, but it also displays "Loading Data..." below the "calendar". Instead it should not show this "Loading data..." since the popover loading message is enough.

fixed by my last commit

@sgiehl commented on April 16th 2013 Member

In 07d96a0be3df0524926aa6b6168e5dc546df59ea: refs #3813 fixes ie8 bug

@sgiehl commented on April 17th 2013 Member

As the search engines report seems to be fixed with [204cbc0af2cc2914235f6a720e4a5abf0d6b4101]. I guess everything is done?

@mattab commented on April 17th 2013 Owner

Nice fixes! I upgraded demo to b11.

I found a few more bugs:

  • Go to: here , click "all website" and the subtable loads "Google" but shows "1-25 of 102 Next " which is the paging info for the main table. Instead subtable paging should be "1-1 of 1" without next button.
    • similar/duplicate bug in search: Go to here search for "clear" below the subtable. On loading the search results, note that the paging information is wrong, and the "Next" button is displayed. Instead it should show "1-3 of 3" for the 3 search results, and hide the "next" button.
  • Row evolution regression: going to: dashboard, click on "Browser>Chrome row evolution" does not load the popover.
@mattab commented on April 17th 2013 Owner

Somehow the "Row evolution regressioN" I cannot replicate consistently.. sometimes it work, sometimes it doesn't.

Also tested dashboard and found:

  • Copying dashboard to user does not work. in the URL: user=undefined
  • Renaming dashboard also bugs
@sgiehl commented on April 17th 2013 Member

In 0f80874acfd228070cb2a7335b4ad76d09cdbf06: refs #3813 fixing dashboard regressions: jQuery.attr('value') might not return correct value anymore. use jQuery.val() instead!

@BeezyT commented on April 17th 2013 Member

In 8d672e51fba4fdedf4cb640e732758d09d2d4b52: refs #3813 fixing subtable pagination

@BeezyT commented on April 17th 2013 Member

In 8e95c379781dd65a97f33f9a58b9f35bcd7c7ac8: refs #3813 fixing pagination after searching in a report

@sgiehl commented on April 18th 2013 Member

In 235a231de94357003b833fb2514ec771a85457cd: refs #3813 popover param wasn't removed in some cases; popover wasn't closed when using browsers back button on pages with empty hash part in url

@mattab commented on April 20th 2013 Owner

The new Tooltip introduces XSS in Piwik!

Payload: piwik.php?idsite=1&rec=1&apiv=1&r=641368&_id=e1f7d8e178b7a866&3A42&fla=1&java=1&dir=0&qt=0&realp=0&pdf=0&wma=0&gears=0&ag=0&h=12&m=34&s=6&res=1024x768&cookie=1&url=http%3A%2F%2Fexample.org%2Findex.html&urlref=http%3A%2F%2Fthing1.com%2Fa%2Fb%2Fc.html%3Fa%3Db%26d%3Dc&action_name=second+page&urlref=http://example3.com/test%3E%22%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

Then go to Referers> Websites

I get a 'XSS' popup!

Luckyly I often use XSS payloads to test ;-)

Thanks for fixing!

@mattab commented on April 20th 2013 Owner

And nice work on the other fixes, appart from above, I can't find other problems for now :)

@sgiehl commented on April 20th 2013 Member

I don't think that is caused by the tooltips, as they escape html by default. But I'll have a look...

@sgiehl commented on April 20th 2013 Member

In ab74f9316a0e5c80f5099921f62fc6c1f832268c: refs #3813 escape html title attribute to avoid possible XSS

@mattab commented on April 21st 2013 Owner

The bug is in the tooltip somehow (I think).

Fixing the datatable_cell is not enough as it appears in other cases as well:

 piwik.php?action_name=%C3%83%E2%80%9E&idsite=1&rec=1&r=604235&h=11&m=3&s=38&url=http%3A%2F%2Flocalhost%2F&_id=c7200934de2aba4e&_idts=1364427469&_idvc=3&_idn=0&_refts=1366498880&_viewts=1365810845&_ref=http%3A%2F%2Freferrer.example.com%2Fpage%2Fsub%3Fquery%3Dtest%26test2%3Dtest3&cs=windows-1252&cvar=%7B%222%22%3A%5B%22%3Cscript%3Ealert(%27xss%27)%3B%3C%2Fscript%3E%22%2C%22%3Cscript%3Ealert(%27xss%27)%3B%3C%2Fscript%3E%22%5D%2C%221%22%3A%5B%22pagecvar%22%2C%22%20WOOOW%20%22%5D%7D&pdf=0&qt=0&realp=0&wma=0&dir=0&fla=1&java=0&gears=0&ag=0&cookie=1&res=1920x1080&generation_time_ms=23 ```

Here it appears as a "Custom variable of page scope" in the Visitor Log, on hover on the page, it shows a XSS popup.  (I could send few even more payloads for other reports).

So +1 for revert previous and let me know if you find a solution that would fix it globally (if not I can take a look!) thanks!
@sgiehl commented on April 21st 2013 Member

In c1eb2001d421c7a5d8b083279f1058a8c4d6c2b2: refs #3813 escape tooltip content for visitorlog to fix possible XSS

@mattab commented on April 22nd 2013 Owner
  • When there is no data in the Visitor Log, the "Next" is displayed but it shouldn't be (since paging will not show data for the currently selected date)
@BeezyT commented on April 22nd 2013 Member

"Next" is always shown in the visitor log. This is a hack that has been there forever. When I made the latest changes to the plugin, I made the hack better (i.e. less ugly) but it's still there. My point is that it's not related to this ticket and not even a regression. It could be added to a list of possible improvements for the visitor log.

@mattab commented on April 22nd 2013 Owner

Thanks for clarification.

@sgiehl commented on May 1st 2013 Member

Another try to close that ticket.
Hope there aren't any other regressions...

@mattab commented on May 5th 2013 Owner

Thanks Stefan. Sorry for silence last few days... I plan to do a bit more testing this week but code/features look very good!

This Issue was closed on May 5th 2013
Powered by GitHub Issue Mirror