Spring Cleaning: Reporting and WYSIWYG Bug Fixes and Updates #66

Merged
merged 14 commits into from
Apr 6, 2020

Conversation

@chrismaddalena (Collaborator) commented Apr 6, 2020

Release Notes

Largely Cosmetic

  • Fixed various text fields across the application that were displayed as raw HTML after being edited with the WYSIWYG editor.
  • Fixed some stylesheet issues to address mis-matched text.

Impactful Functionality Changes

Ghostwriter

  • Updated many of the success_url functions for forms and views to improve the user experience.
    • Successful form submissions will now redirect to a more appropriate URL with an anchor. The anchor will expand the related BootStrap accordion on that page.
    • Example: Checking-out a domain will no longer send a user to their asset page. A successful check-out will redirect to the project's details page and expand the Infrastructure accordion to present the current check-outs and infrastructure information. The user can then search for and check-out another domain with no additional navigation.
  • Some forms now have conditional redirects to help return users to more appropriate webpages after a successful submission.
    • These conditional redirects rely on the HTTP REFERER header. If available, the REFERER is added to a hidden form field and then checked upon submission.
    • This REFERER value is set as an "origin" for the form. Ghostwriter will try to redirect users to this origin (plus an anchor) for a more sensible redirect.
      • Example: An update to a project used to redirect the user to the project's page. With this change, if the update is successful, Ghostwriter will check the passed REFERER value for the redirect and return the user back to the project details page or the client details page (the two places a project can be edited via the interface).
    • If the REFERER header is unsupported or stripped (the form receives a blank value), the functions will return the user to the old default view.
    • A user can edit the REFERER value, but this has little impact on security. A modified REFERER could inject client-side code or cause an unintended redirect, but this would only impact the client and the user.

WYSIWYG

  • All text pasted into the WYSIWYG editor is now converted to plain text.
    • This change strips all styling information that might be carried over from a webpage or Word document.
  • The HTML parser for the WYSIWYG fields has been completely replaced. Ghostwriter now uses BeautifulSoup 4 to step through the contents of the body tags.
    • Complex nested style options are now better supported. Previously, a run of bold text that was partially underlined and partially italicized might not have been formatted correctly.
  • The editor will now allow spellcheck with a user's web browser's built-in spellchecker.

Reporting

  • Findings in a report now have much saner weight/position values.
    • Values can no longer be reduced below zero.
    • If a value is increased or decreased to a value matching another finding of the same severity, the findings trade values.
  • Evidence can now be attached while editing a finding in a report.
    • A new "Upload Evidence" button is available in the WYSIWYG editor for report findings.
    • The button opens a URLDialog window with a new minimal version of the evidence upload form.
    • Uploading evidence with this dialog window will attach the file to the finding, update the finding form page's AutoComplete dictionary to include the new evidence file's name, and automatically insert the evidence file placeholder into the finding.
  • The Evidence model now checks friendly_name to see if the same name is used for another evidence file attached to the same finding.
  • The Evidence model now requires a caption value for form validation.
  • Ghostwriter now uses the python-docx-template library in combination with the python-docx library to generate Word documents.
    • The python-docx library version is now set to v0.8.7 for compatibility.
    • The template.docx file now uses Jinja2 for layouts which opens up many new possibilities for custom templates.
      • The included template.docx includes examples of dynamic table generation and text replacement.
      • The reporting module now generates the findings report as a "sub-document" that can be included anywhere in a template using the Jinja2 placeholder {{p findings_subdoc }}.

Projects

  • Project objective deadlines are now automatically set to the last day of the project.

Shepherd

  • Fixed bad logic used for the user asset page that could cause a 500 error in particular situations.
  • Deleting the latest project history entry for a domain or server now flips an "Unavailable" domain to "Available."
    • This change addressed a condition where deleting a check-out for a domain or server could lead to a situation where a domain was "Unavailable" without any current projects.
    • In theory, this would fix itself when the domain_release() task was run, but a user could delete all of the check-out/project history entries. Such an action would lead to an "Unavailable" domain with no project history and the domain being ignored by the domain_release() task.

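The release notes above describe seeding a hidden "origin" form field from the HTTP REFERER and redirecting to that origin plus an anchor after a successful submission, falling back to the old default view when the header is blank. Because that field is under the user's control, the defensive version of the lookup only honours origins that point back at the application itself. The following is an added example, not Ghostwriter's own code: a stdlib-only Python helper that models that decision. The hostname set, the `resolve_redirect` name and the sample paths are constructed for the example; in a Django project the same check is available as `django.utils.http.url_has_allowed_host_and_scheme`.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames this deployment serves. Constructed for the example; a real
# deployment would take this from its settings (e.g. Django's ALLOWED_HOSTS).
ALLOWED_HOSTS = {"ghostwriter.example"}


def resolve_redirect(origin, default, anchor=None, allowed_hosts=ALLOWED_HOSTS):
    """Pick the post-submit redirect from a hidden 'origin' form field.

    The origin is user-controlled (it is seeded from the REFERER header and
    then round-trips through the form), so it is only honoured when it points
    back at this application; in every other case the old default view wins.
    """
    candidate = (origin or "").strip()
    if not candidate:
        return default  # header stripped or unsupported: fall back

    # Backslashes and control characters are rejected outright: some browsers
    # treat "\\evil.example" like "//evil.example", and CR/LF would be
    # dangerous if the value were ever copied into a response header.
    if "\\" in candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default

    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # e.g. javascript: or data: URLs
    if parts.netloc and parts.hostname not in allowed_hosts:
        return default  # absolute or protocol-relative URL to a foreign host

    path = parts.path or "/"
    if not path.startswith("/"):
        return default  # relative paths resolve unpredictably; keep it simple

    # Re-emit only the path and query as a same-site relative URL; any
    # fragment the referer carried is replaced by the anchor we want to open.
    return urlunsplit(("", "", path, parts.query, anchor or ""))


if __name__ == "__main__":
    # Constructed sample origins as they might arrive in the hidden field.
    samples = [
        "",
        "https://ghostwriter.example/projects/7/",
        "/clients/3/",
        "https://evil.example/",
        "//evil.example/x",
        "javascript:alert(1)",
    ]
    for origin in samples:
        print(repr(origin), "->", resolve_redirect(origin, "/projects/", anchor="infrastructure"))
```

Only the path and query of an accepted origin are reused, so the redirect is always emitted as a site-relative URL, and the anchor that expands the accordion is appended by the server rather than taken from the referer.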
@chrismaddalena chrismaddalena changed the title Cutting edge Spring Cleaning: Reporting and WYSIWYG Bug Fixes and Updates Apr 6, 2020
@chrismaddalena chrismaddalena merged commit 77ae1f6 into GhostManager:master Apr 6, 2020