
      Your favourite PDF.js viewer can execute malicious code!

      news.movim.eu / Korben · Monday, 20 May - 14:57 · 1 minute

    The JavaScript PDF-rendering library developed by Mozilla, known as PDF.js, is at the centre of a rather worrying new security finding. A flaw in the font-rendering code lets an attacker execute arbitrary JavaScript simply by getting a malicious PDF opened. And be warned: this affects every application that uses PDF.js, including Firefox, some code editors and file browsers. Ouch!

    In short, when PDF.js renders a font of this kind, it converts the glyph descriptions into drawing instructions. To speed up rendering, it compiles those instructions into JavaScript source at run time and executes the result, so an attacker who manages to slip their own code into the font description gets it executed by the browser.

    The vulnerability, tracked as CVE-2024-4367, therefore rests on manipulating the font-rendering commands. The transform command takes its arguments from the font's fontMatrix, an array that normally contains only numbers. That array is read straight from the PDF, and nothing checked that its entries really were numbers, so an attacker can put a string in it. When the glyph program is compiled, that string lands in the generated JavaScript source and runs as soon as the font is rendered.
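    The mechanism described above, as an added example that is not PDF.js's own code: a simplified model of a glyph compiler that builds JavaScript source by string concatenation, shown beside a hardened variant that validates its inputs first. The function names, the recorder object, the allow-list and the "fix" are assumptions made for this illustration (the upstream patch is not reproduced here); the glyph programs and the payload are constructed, and the payload only flips a global flag so the effect is observable without side effects.

```javascript
// Added example (not PDF.js's own code): a simplified model of how a font
// program can be compiled to JavaScript by string concatenation, and why a
// non-numeric fontMatrix entry becomes code execution. The command list,
// the recorder and the payload are constructed for this illustration.

// A stand-in for a canvas 2D context that only records the calls made on it.
function makeRecorder() {
  const calls = [];
  return {
    calls,
    transform: (...a) => calls.push(["transform", a]),
    moveTo: (...a) => calls.push(["moveTo", a]),
    lineTo: (...a) => calls.push(["lineTo", a]),
  };
}

// Vulnerable pattern: each drawing command is turned into a line of JS
// source, and its arguments, including the fontMatrix values read from the
// PDF's font dictionary, are interpolated without any type check.
function compileUnsafe(cmds) {
  const src = cmds.map(({ cmd, args }) => `c.${cmd}(${args.join(",")});`);
  return new Function("c", src.join("\n"));
}

// Hardened pattern (an assumed fix for illustration, not the exact upstream
// patch): the command name must come from a fixed allow-list and every
// argument must be a finite number before any source text is built.
const ALLOWED_CMDS = new Set(["transform", "moveTo", "lineTo"]);

function compileSafe(cmds) {
  const src = cmds.map(({ cmd, args }) => {
    if (!ALLOWED_CMDS.has(cmd)) {
      throw new TypeError(`unknown glyph command: ${cmd}`);
    }
    for (const a of args) {
      if (typeof a !== "number" || !Number.isFinite(a)) {
        throw new TypeError(`non-numeric argument in ${cmd}: ${JSON.stringify(a)}`);
      }
    }
    return `c.${cmd}(${args.join(",")});`;
  });
  return new Function("c", src.join("\n"));
}

// Helpers: run a glyph program through either compiler against a recorder
// and return the list of drawing calls that were made.
function runUnsafe(cmds) {
  const rec = makeRecorder();
  compileUnsafe(cmds)(rec);
  return rec.calls;
}
function runSafe(cmds) {
  const rec = makeRecorder();
  compileSafe(cmds)(rec);
  return rec.calls;
}
// True when the hardened compiler refuses the program with a TypeError.
function safeRejects(cmds) {
  try {
    compileSafe(cmds);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed benign glyph program: a six-number fontMatrix and two path ops.
const benignGlyph = [
  { cmd: "transform", args: [0.001, 0, 0, 0.001, 0, 0] },
  { cmd: "moveTo", args: [10, 20] },
  { cmd: "lineTo", args: [30, 40] },
];

// Constructed malicious glyph program: the last fontMatrix entry is a string
// that closes the transform() call and appends a statement of its own. The
// generated source becomes:
//   c.transform(0.001,0,0,0.001,0,0); globalThis.fontInjectionRan = true; (0);
globalThis.fontInjectionRan = false;
const maliciousGlyph = [
  { cmd: "transform",
    args: [0.001, 0, 0, 0.001, 0, "0); globalThis.fontInjectionRan = true; (0"] },
  { cmd: "moveTo", args: [10, 20] },
];

if (typeof require !== "undefined" && require.main === module) {
  runUnsafe(maliciousGlyph);
  console.log("unsafe compiler ran the payload:", globalThis.fontInjectionRan);
  console.log("safe compiler rejects it:", safeRejects(maliciousGlyph));
  console.log("safe compiler still draws the benign glyph:", runSafe(benignGlyph).length, "calls");
}
```

    The point to take from the hardened variant is that the check happens on the parsed values before any source text exists; escaping the string after it has been interpolated would be the wrong layer, because the generated program is executed as code, not treated as data.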

    A well-crafted exploit yields arbitrary JavaScript execution in the context of whatever application embeds the viewer: XSS and data theft in a web application, and, where PDF.js runs inside an Electron application that does not sandbox its renderer, native code execution and full control of the system. All versions of PDF.js before 4.2.67 are affected.

    According to the researchers at Codean Labs, the vulnerability affects not only Firefox users (versions before 126) but also many web applications and Electron-based applications that pull in PDF.js indirectly for preview functionality. They also point out that the flaw lives in one specific part of the font-rendering code, a segment that developers embedding the library should check carefully.

    In short, update PDF.js to version 4.2.67 or later, and update your tools to Firefox 126, Firefox ESR 115.11 and Thunderbird 115.11 or later.



      TypeScript 5.4 beta arrives

      pubsub.slavino.sk / infoworldcom · Tuesday, 30 January - 10:00

    TypeScript 5.4, a planned update to the strongly typed JavaScript variant from Microsoft, has reached beta availability. New capabilities include preserved narrowing within function closures created after the last assignment and a NoInfer type to block inferences to valid but unwanted types.

    Released January 29, TypeScript 5.4 can be accessed via NuGet or NPM. In NPM, use the following command:

    npm install -D typescript@beta

    TypeScript 5.4 makes narrowing smarter. Detailing the improvement, Microsoft said a common pain point in TypeScript was that narrowed types were not always preserved within function closures. In TypeScript 5.4, when parameters and let variables are used in non-hoisted functions, the type checker will look for a last assignment point. If one is found, TypeScript can narrow from outside the containing function.



    Tags: #JavaScript, #Typescript, #Rozne


      Astro 4.2 boosts accessibility, image optimization features

      pubsub.slavino.sk / infoworldcom · Friday, 19 January - 22:17

    Following fast in the footsteps of the Astro 4.1 release, Astro 4.2 has arrived, bringing improvements to accessibility rules and the ability for remark plugins to customize image optimization.

    The Astro 4.2 release also introduces prerendering using the Speculation Rules API and reworked routing priority for injected routes, both experimental features.

    Launched January 19, Astro 4.2 marks the first release of the framework made up almost entirely of community-built features. Installation instructions for Astro can be found on GitHub.



    Tags: #JavaScript, #Rozne


      Microsoft Blazor adds SortableJS for drag-and-drop lists

      pubsub.slavino.sk / infoworldcom · Tuesday, 16 January - 21:15

    SortableJS, a JavaScript library for creating reorderable drag-and-drop lists, has been wrapped into a component for Microsoft's Blazor web application builder and renamed Blazor Sortable.

    Drag-and-drop reordering is a common feature in web application development; SortableJS supports touch devices and modern browsers, CSS animation, auto-scrolling, and smooth animations.

    Unveiled January 12, Blazor Sortable has been made open source on GitHub. The GitHub repo for Blazor Sortable contains source code for the sortable list as well as demos. Developers only need the Shared/SortableList.razor, Shared/SortableList.razor.css, and Shared/SortableList.razor.js files to use Blazor Sortable. SortableList is a generic component that takes a list of items. A SortableItemTemplate then defines how to render each item in the sortable list.



    Tags: #JavaScript, #Microsoft, #Rozne


      Astro web framework adds accessibility audit rules

      pubsub.slavino.sk / infoworldcom · Friday, 5 January - 22:30

    Version 4.1 of the Astro web framework, released January 4, features new accessibility audit rules, custom cookie encoding, and a configuration option for the client:visible directive.

    Available on GitHub, Astro is positioned as a framework for building fast, content-driven websites, web applications, and dynamic server APIs. Astro 4.1 adds two audit rules for the dev toolbar. Developers now will be warned about unsupported ARIA (accessible rich internet applications) attributes and about missing attributes required for the ARIA role.



    Tags: #Rozne, #JavaScript


      Oracle introduces JavaScript support in MySQL

      pubsub.slavino.sk / infoworldcom · Wednesday, 3 January - 22:30

    Oracle has introduced JavaScript support in the MySQL database, allowing developers to write JavaScript stored programs, i.e. JavaScript functions and procedures, in the MySQL database server.

    The capability was announced on December 15, 2023. The JavaScript stored programs will be run with GraalVM, which provides an ECMAScript-compliant runtime to execute JavaScript programs. Developers can access this MySQL-JavaScript capability in a preview in MySQL Enterprise Edition, which can be downloaded via Oracle Technology Network (OTN). MySQL-JavaScript is also offered in the MySQL HeatWave cloud service in Oracle Cloud Infrastructure (OCI), AWS, and Microsoft Azure.



    Tags: #JavaScript, #MySQL, #Database, #Rozne


      Building tables in React: Get started with react-table

      pubsub.slavino.sk / infoworldcom · Wednesday, 3 January - 10:00

    Displaying data in tables is a lasting requirement of user interfaces. React Table is described as an “almost headless” table library for React. It focuses on giving you all the data aspects in a convenient format and leaves the styling and componentizing to you. This approach makes it easy to build powerful data grids and style them as needed. In this article, we'll use the react-table library to build a table with styling, filtering, sorting, and paging.

    What is react-table?

    The most recent version of the react-table library is part of TanStack, a larger project that provides components in a framework-agnostic way. Accordingly, react-table can drive table components for several frameworks: React, Solid, Vue, Svelte, and applications built using TypeScript or JavaScript. Our examples focus on building a table in React.



    Tags: #React, #Rozne, #JavaScript


      mumble-web (mis)adventure

      blabla.movim.eu / blog-woodpeckersnest-space:0 · Tuesday, 5 December - 20:01

    Today I wanted to install yet another web frontend for the services I host, i.e. mumble-web.

    mumble-web is an HTML5 Mumble client for use in modern browsers.

    I won't bore you with the install details, just know that it's basically JS and you need to install npm modules. After some processing and a whole lot of deprecation warnings on screen, it finally failed. Then I looked at the logs it left and it was searching for python2!! Went back to the GitHub page and found out the code is from about 3 years ago, with the latest issue being about one guy managing to build the software on Debian 11 with some old NodeJs version.

    So, after a bit of disappointment, I deleted the whole directory and was done with it. You know, there are no alternatives out there 😟

    Now I would like to ask a question to the disroot admins: how the hell are you running this junk on your server!? I believe they're using Docker; still, it's not safe in my opinion to run such old, unmaintained stuff.

    I won't be doing that.