Developer changes in 1.3.x
The 1.3.x branch of MantisBT significantly differs from the 1.2.x branch. Plugin developers and core developers will need to adapt to the changes outlined on this page. This list is not exhaustive and it is recommended that you follow the commit history of the 1.3.x branch to fully appreciate the changes that have been made in 1.3.x.
If the client browser supports XML parsing and rendering of web pages via the application/xhtml+xml MIME type, MantisBT will use this capability. Firefox, Chrome and Opera web browsers (amongst numerous others) support this feature. In this XML rendering mode, browsers will produce fatal errors if the XHTML document is not well formed. Unclosed tags, incorrect escaping of special characters and other common markup errors will cause the browser to display a rendering error to the user.
You must be very careful in ensuring that your plugins (and core MantisBT page output) do not generate invalid XHTML. For example, the following markup is invalid because <input> elements are not permitted directly within <form> elements:
<form>
<input type="text" name="sample" />
</form>
To correct this issue, the following markup can be used:
<form>
<fieldset>
<input type="text" name="sample" />
</fieldset>
</form>
The 1.3.x branch includes support for the X-Content-Security-Policy header developed by Mozilla for Firefox version 4 (and later versions). This important security feature provides a safety net against XSS and clickjacking vulnerabilities that may be present in MantisBT and any installed plugins.
The default CSP policy in 1.3.x dictates that images, scripts and other content cannot be loaded from domains other than the one MantisBT is accessed from. Most importantly, the default policy disallows inline Javascript from executing within HTML output. You must ensure that all Javascript code executed by plugins (and the core of MantisBT) is stored in external Javascript source files. These source files can then be included within the <head> element of page output by using <script type="text/javascript" src="script.js"></script> elements.
Examples of illegal output in MantisBT 1.3.x:
<a href="javascript:somefunction()">Link</a>
<script type="text/javascript">
// code here
</script>
<span onclick="somefunction()">Content</span>
<script type="text/javascript" src="http://externaldomain.example.com/script.js"></script>
<img src="http://externaldomain.example.com/image.jpg" />
It is also highly advisable that this strictness be carried over to CSS styling by ensuring that CSS styles are only applied from external stylesheets linked via a <link rel="stylesheet" href="style.css" /> element within the document's <head> element.
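As an added check (not part of this wiki page or of MantisBT itself), the following Python script scans rendered page output for the constructs listed above, so a plugin author can catch CSP violations before a browser does; the host name mantis.example.org and the sample markup are constructed.

```python
# Added example (not MantisBT code): lint rendered page output for the markup
# this page says the 1.3.x default CSP blocks. Host and sample are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class CspLinter(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings = own_host.lower(), []  # findings: (line, message)
        self._inline_script = False  # inside a <script> element that has no src=
    def _flag(self, msg):
        self.findings.append((self.getpos()[0], msg))
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick=, onload=, ...
                self._flag(f"inline event handler {name}=")
            elif name in ("href", "src") and (value or "").lstrip().lower().startswith("javascript:"):
                self._flag(f"javascript: URL in {name}=")
        url = attrs.get("href") if tag == "link" else attrs.get("src")
        if tag in ("script", "img", "link") and url:
            host = (urlparse(url).hostname or "").lower()
            if host and host != self.own_host:  # relative URLs have no host
                self._flag(f"<{tag}> loads from foreign host {host}")
        if tag == "script":
            self._inline_script = "src" not in attrs
    def handle_data(self, data):
        if self._inline_script and data.strip():
            self._flag("inline <script> body")
            self._inline_script = False  # report each script element once
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False

def lint(markup, own_host="mantis.example.org"):
    # Returns (line, message) for each construct the default CSP would block.
    parser = CspLinter(own_host)
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed fragment: a compliant external script followed by this page's illegal examples.
SAMPLE = """<html><head><script type="text/javascript" src="script.js"></script>
<script type="text/javascript" src="http://externaldomain.example.com/script.js"></script>
<script type="text/javascript">
// code here
</script></head><body>
<a href="javascript:somefunction()">Link</a>
<span onclick="somefunction()">Content</span>
<img src="http://externaldomain.example.com/image.jpg" />
</body></html>"""
```

Running lint(SAMPLE) reports five findings, one per illegal construct, with the line number where each occurs.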
MantisBT 1.3.x is now shipped with jQuery. Most of the old Javascript code (calendar picker widget, autocomplete, "select all" checkboxes, etc.) has been completely replaced with simple and modern jQuery code. It is highly advisable that plugins make use of jQuery, rather than custom code, if there is a need for Javascript functionality.
In version 1.2.x of MantisBT, a call to db_get_table() looked like this:
db_get_table( 'mantis_something_table' )
As of MantisBT 1.3.x you must remove the mantis_ prefix and the _table suffix. An example of how this function should be called in 1.3.x follows:
db_get_table( 'something' )