Validation tasks
Verified (X)HTML validity for every single navigable page using the browser plugin for Firefox.
A fork of Bootstrap 3.3.7 was created where all CSS validation errors were fixed: https://github.com/sim642/bootstrap/tree/v3.3.7-valid. Changes were made in Less source files, compiled to CSS, minified and imported back into our project.
All CSS style elements are in separate files (see `/src/main/resources/static/css/`). No inline CSS is present in the HTML templates.
Inlined JavaScript is used in the user, post, settings, feed and statistics templates. Its sole function is to make the data put into the view available to the static JS script.
AChecker false positives:
- On the user profile page, e.g. `/users/1` (template `user.html`): Check 37: Header nesting - header following `h1` is incorrect. Line 128, Column 21:

  `<h1>Veiko Kääp</h1>`

  The header following `h1` is `h4`, inside the post location map's modal window: `<h4 class="modal-title">Post location</h4>`

  The `h4` is in a completely different place in the document (`h1` at the beginning, `h4` at the end) and is also not visible by default, only when a post's location is viewed (which hides the rest of the page). For these reasons the headings do not actually belong together, so one should not be a subheading of the other as the validator requires.

- On the settings page, i.e. `/settings` (template `settings.html`): Check 204: `input` element, `type` of "radio", has no text in `label`. Check 188: Label text is empty. Line 170, Column 37:

  `<input id="EN" value="EN" type="radio" name="language" checked="checked">`

  Line 173, Column 37:

  `<input id="EE" value="EE" type="radio" name="language">`

  The actual surrounding code is:

  ```html
  <label class="btn btn-default active">
    <input id="EN" value="EN" type="radio" name="language" checked="checked">
    <span>English</span>
  </label>
  <label class="btn btn-default">
    <input id="EE" value="EE" type="radio" name="language">
    <span>Eesti</span>
  </label>
  ```

  Check 204 help text allows as one option:
  - The input element is contained by a label element.
  - Check if the label contains text.

  Thus the actual code is valid, but the validator fails to see the surrounding `label` and the text within it.
- Desktop
  - Chrome 56.0
  - IE 11.0
  - Chrome 55.0
  - Firefox 51
  - Chrome 45.0
  - Edge 14
  - Firefox 52
- Mobile
  - Chrome 52.0
  - Safari 10.0
  - Chrome 56.0
  - Android Browser 4.0
  - Safari 602
  - Chrome 44.0
  - Firefox 51

Ticked elements are the ones that were manually tested. The rest were tested using http://browsershots.org/
- 1366x768
- 1024x768
- 1280x800
- 768x1024
- 1280x1024
- 1920x1080
- 1440x900
- 320x480
Production environment passwords and certificates are not publicly available.
The external properties file containing these secrets exists only on the production server; Spring attaches it to the application at startup.
Query parametrization is also handled by Spring Repositories.
Thymeleaf, in conjunction with Spring, escapes user input in order to prevent XSS.
This can be verified by simply putting the following into a feed post and checking the page source after posting:
`<script>alert("No XSS?");</script>`
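As an added illustration (not the project's own template), a Thymeleaf fragment showing which attributes perform the escaping that the check above and the inlined-JavaScript data handoff described earlier rely on; `post`, `feedData` and `/js/feed.js` are assumed names, and the sample value is the probe string from the check.

```html
<!DOCTYPE html>
<!-- Added example, not the project's template. Assumes the model attribute
     post.text holds the constructed probe '<script>alert("No XSS?");</script>'
     and feedData is a list the static script needs. -->
<html xmlns:th="http://www.thymeleaf.org">
<body>
  <!-- th:text HTML-escapes the value: the page source shows
       &lt;script&gt;alert(...);&lt;/script&gt; and no script element is created. -->
  <p th:text="${post.text}">placeholder</p>

  <!-- th:utext inserts the value unescaped. Rendering the same probe with it
       would put a real <script> element in the page, so th:utext must not be
       used on user-controlled data. Kept commented out on purpose. -->
  <!-- <p th:utext="${post.text}">placeholder</p> -->

  <!-- Attribute values set through th:* are escaped the same way. -->
  <a th:href="@{/users/{id}(id=${post.author.id})}" th:title="${post.text}">author</a>

  <!-- Inlined script of the kind the user/post/feed templates use to expose
       view data to static JS. With th:inline="javascript" the value is rendered
       as a JavaScript literal (quoted and escaped, including "</" so the script
       element cannot be closed early) rather than pasted in as raw text. -->
  <script th:inline="javascript">
    /*<![CDATA[*/
    var feedData = /*[[${feedData}]]*/ [];
    var postText = /*[[${post.text}]]*/ "";
    /*]]>*/
  </script>
  <script src="/js/feed.js"></script><!-- assumed path of the static script -->
</body>
</html>
```

Repeating the check from the text against this fragment means viewing the rendered source and confirming that the probe appears only inside escaped text and quoted JavaScript strings.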
No INSERT or UPDATE queries are written in the project; that functionality is provided by Spring Repositories.
The application does not perform SELECT queries on non-constant tables (views are used for querying data).
HTTP method usage is restricted by Spring's annotations (`GetMapping`, `PostMapping`, `PutMapping`, `DeleteMapping`). All other request methods result in a 405 Method Not Allowed HTTP error.
The application follows RESTful principles.
See the restful branch for its development and the `ee.potatonet.controller` package for the HTTP endpoint mappings.
Most of the functionality can be used without JavaScript.