/ 
UR-0.47
River stage one • 2 direct dependents • 3 total dependents
⭐ Starred 3 GitHub stars
/ UR::Object::Type::AccessorWriter
Security Advisories (11)
CVE-2018-14041 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

CVE-2018-14042 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2019-11358 (2019-04-20)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2011-4969 (2013-03-08)

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

CVE-2012-6708 (2018-01-18)

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

CVE-2020-7656 (2020-05-19)

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

CVE-2019-5428

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

CVE-2014-6071 (2018-01-16)

jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.

NAME

UR::Object::Type::AccessorWriter - Helper module for UR::Object::Type responsible for creating accessors for properties

DESCRIPTION

Subroutines within this module actually live in the UR::Object::Type namespace; this module is just a convienent place to collect them. The class initializer uses these subroutines when it's time to create accessor methods for a newly defined class. Each accessor is implemented by a closure that is then assigned a name by Sub::Name and inserted into the defined class's namespace by Sub::Install.

METHODS

initialize_direct_accessors
$classobj->initialize_direct_accessors();

This is the entry point into the accessor writing system. It inspects each item in the 'has' key of the class object's hashref, and creates methods for each property.

mk_rw_accessor
$classobj->mk_rw_accessor($class_name, $accessor_name, $column_name, $property_name, $is_transient);

Creates a mutable accessor named $accessor_name which stores its value in the $property_name key of the object's hashref.

mk_ro_accessor
$classobj->mk_ro_accessor($class_name, $accessor_name, $column_name, $property_name);

Creates a read-only accessor named $accessor_name which retrieves its value in the $property_name key of the object's hashref. If the method is used as a mutator by passing in a value to the method, it will throw an exception with Carp::croak.

mk_id_based_object_accessor
$classobj->mk_id_based_object_accessor($class_name, $accessor_name, $id_by,
                                       $r_class_name, $where);

Creates an object accessor named $accessor_name. It returns objects of type $r_class_name, id-ed by the parameters named in the $id_by arrayref. $where is an optional listref of additional filters to apply when retrieving objects.

The behavior of the created accessor depends on the number of parameters passed to it. For 0 params, it retrieves the object pointed to by $r_class_name and $id_by. For 1 param, it looks up the ID param values of the passed-in object-parameter, and reassigns value stored in the $id_by properties of the acted-upon object, effectively acting as a mutator.

For more than 1 param, the additional parameters are taken as properties/values to filter the returned objects on

mk_indirect_ro_accessor
$classobj->mk_indirect_ro_accessor($class_name, $accessor_name, $via, $to, $where);

Creates a read-only via accessor named $accessor_name. Its value is obtained by calling the object accessor named $via, and then calling the method $to on that object. The optional $where listref is used as additional filters when calling $via.

mk_indirect_rw_accessor
$classobj->mk_indirect_rw_accessor($class_name, $accessor_name, $via, $to,
                                   $where, $singular_name);

Creates a via accessor named $accessor_name that is able to change the property it points to with $to when called as a mutator. If the $to property on the remote object is an ID property of its class, it deletes the refered-to object and creates a new one with the appropriate properties. Otherwise, it updates the $to property on the refered-to object.

mk_calculation_accessor
$classobj->mk_calculation_accessor($class_name, $accessor_name, $calculation_src,
                                   $calculate_from, $params, $is_constant, $column_name);

Creates a calculated accessor called $accessor_name. If the $is_constant flag is true, then the accessor runs the calculation once, caches the result, and returns that result for subsequent calls to the accessor.

$calculation_src can be one of: coderef, string containing Perl code, or the name of a module under UR::Object::Type::AccessorWriter which has a method called calculate. If $calculation_src is empty, then $accessor_name must be the name of an already-existing subroutine in the class's namespace.

mk_dimension_delegate_accessors
mk_dimension_identifying_accessor

These create accessors for dealing with dimension tables in OLAP-type schemas. They need more documentation.

mk_rw_class_accessor
$classobj->mk_rw_class_accessor($class_name, $accessor_name, $column_name, $is_transient, $variable_value);

Creates a read-write accessor called $accessor_name which stores its value in a scalar captured by the accessor's closure. Since the closure is inserted into the class's namespace, all instances of the class share the same closure (and therefore the same scalar), and the property effectively acts as a class-wide property.

mk_ro_class_accessor
$classobj->mk_ro_class_accessor($class_name, $accessor_name, $column_name, $variable_value);

Creates a read-only accessor called $accessor_name which retrieves its value from a scalar captured by the accessor's closure. The value is initialized to $variable_value. If called as a mutator, it throws an exception through Carp::croak

SEE ALSO

UR::Object::Type::AccessorWriter, UR::Object::Type