fix: add file-based cache busting for JavaScript and stylesheet assets #749

Merged: RussH merged 4 commits into opencats:master from anonymoususer72041:fix/asset-cache-busting on Apr 22, 2026

@anonymoususer72041
Contributor

@anonymoususer72041 anonymoususer72041 commented Apr 9, 2026

This PR replaces the previous legacy asset anti-cache handling for JavaScript and stylesheet files with centralized file-based cache busting.

The change was motivated by stale browser-cached assets causing outdated client-side code to run against newer server-side code. In practice, this can produce misleading regressions that appear to be application bugs but disappear after a forced reload.

During investigation, issues such as #735, #739 and #740 were found to be affected by this class of problem. In those cases, stale JavaScript assets could cause AJAX requests to behave differently from the current server-side code, which made current master appear broken until the browser cache was bypassed. This PR addresses that underlying asset versioning problem so updated JavaScript and stylesheet files are fetched reliably after changes.
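Added example, not part of the PR description and not the helper this PR introduces: one way to do file-based cache busting is to derive the version token from the asset's modification time and size. The function name `assetUrl()`, the `v` query parameter and the demo paths are assumptions.

```php
<?php
// Added example: assetUrl() and the demo paths are hypothetical, not OpenCATS code.

// Return $webPath with a version token taken from the file on disk. The token
// changes when the file's modification time or size changes, so a browser
// refetches the asset after an update and keeps using its cache otherwise.
function assetUrl(string $docRoot, string $webPath): string
{
    $root = realpath($docRoot);
    $file = realpath($docRoot . '/' . ltrim($webPath, '/'));

    // Missing file, or a path that resolves outside the document root:
    // return the URL unversioned instead of reading metadata of another file.
    if ($root === false || $file === false || !is_file($file)
        || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return $webPath;
    }

    return $webPath . '?v=' . dechex(filemtime($file)) . '-' . dechex(filesize($file));
}

// Constructed demo: a temporary document root holding one script.
$docRoot = sys_get_temp_dir() . '/asset-demo-' . getmypid();
mkdir($docRoot . '/js', 0700, true);
$script = $docRoot . '/js/app.js';

file_put_contents($script, "console.log('old client code');\n");
touch($script, 1700000000);
$before = assetUrl($docRoot, 'js/app.js');

file_put_contents($script, "console.log('new client code');\n");
touch($script, 1700000600);
clearstatcache(); // PHP caches stat results per path within a request
$after = assetUrl($docRoot, 'js/app.js');

echo $before, "\n", $after, "\n";
var_dump($before !== $after);
echo assetUrl($docRoot, 'js/missing.js'), "\n";
echo assetUrl($docRoot, '../outside.js'), "\n";

unlink($script);
rmdir($docRoot . '/js');
rmdir($docRoot);
```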

@anonymoususer72041
Contributor Author

I was not able to test this change in a fully reliable way before opening the PR.

Additional testing would be appreciated, especially around shared page headers, direct asset includes and pages with non-standard layouts.

@RussH
Member

RussH commented Apr 9, 2026

I'll check this out locally and test

@RussH
Member

RussH commented Apr 14, 2026

Thanks — the asset cache-busting change looks useful, and I do not see a PHP 7.2 compatibility issue in that part.

The main thing I’d ask for before merge is to make the activity notes rendering consistent. These two files are using the safer escaped pattern:

  • modules/companies/Show.tpl
  • modules/contacts/Show.tpl

They now do:

nl2br(htmlspecialchars($activityData['notes'], ENT_QUOTES | ENT_SUBSTITUTE, HTML_ENCODING))

That is ideal: the note text is escaped first and only then converted to <br> for display.

But these other paths are still using nl2br() on raw notes without escaping first:

  • ajax/getPipelineDetails.php
  • modules/activity/Search.tpl
  • modules/activity/dataGrids.php
  • modules/candidates/Show.tpl

So at the moment the PR leaves note output handled in two different ways, and these files are still vulnerable to an XSS exploit if notes contain HTML or script content.

Could those be aligned so all note rendering uses the same escaped pattern before nl2br()?

Finally - this PR seems broader than the title suggests, since it also includes the Status Change activity type/schema change and some unrelated cleanup. Splitting those out would make the cache-busting change much easier to review and would keep the PRs aligned.
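Added example, not part of the review comment or the OpenCATS code base: the raw pattern, the escaped pattern and the reversed order side by side, run over constructed notes. The `renderNote*()` and `onlyBrTags()` names are hypothetical, and `HTML_ENCODING` is assumed to be `UTF-8`.

```php
<?php
// Added example: renderNote*() and onlyBrTags() are hypothetical names.
// HTML_ENCODING is the project's constant; its value is assumed to be UTF-8.
defined('HTML_ENCODING') || define('HTML_ENCODING', 'UTF-8');

// Pattern flagged in the review: stored markup reaches the page unchanged.
function renderNoteRaw(string $notes): string
{
    return nl2br($notes);
}

// Pattern requested in the review: escape first, then insert <br /> tags.
function renderNoteEscaped(string $notes): string
{
    return nl2br(htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE, HTML_ENCODING));
}

// Reversed order: the <br /> tags are escaped too and show up as literal text.
function renderNoteReversed(string $notes): string
{
    return htmlspecialchars(nl2br($notes), ENT_QUOTES | ENT_SUBSTITUTE, HTML_ENCODING);
}

// True when the only tags left in $html are the <br /> elements nl2br() adds.
function onlyBrTags(string $html): bool
{
    return strpos(str_replace('<br />', '', $html), '<') === false;
}

// Constructed sample notes (not taken from the project or its issues).
$samples = [
    'plain text'    => "Called candidate.\nLeft voicemail.",
    'markup'        => "Rescheduled <b>again</b>\n<script>alert(1)</script>",
    'quotes'        => "Said \"yes\" to O'Brien's offer",
    'invalid UTF-8' => "Caf\xE9 interview\nfollow up",
];

foreach ($samples as $label => $note) {
    printf("%-14s raw=%s escaped=%s\n", $label,
        var_export(onlyBrTags(renderNoteRaw($note)), true),
        var_export(onlyBrTags(renderNoteEscaped($note)), true));
}

echo renderNoteEscaped($samples['markup']), "\n";
echo renderNoteReversed($samples['plain text']), "\n";

// Without ENT_SUBSTITUTE an invalid byte sequence yields an empty string,
// so the whole note would disappear from the page instead of being shown.
var_dump(htmlspecialchars($samples['invalid UTF-8'], ENT_QUOTES, HTML_ENCODING) === '');
```

A check like `onlyBrTags()` can be reused in a unit test for each note rendering path so the two patterns do not drift apart again.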

@anonymoususer72041
Contributor Author

anonymoususer72041 commented Apr 14, 2026

I think you mixed things up with #733, #737 and #745, @RussH.

Regarding activity notes, I will create a new PR.

@RussH
Member

RussH commented Apr 22, 2026

Thanks — I’ve rechecked this and I think my earlier comment was mixed up with other PRs. Looking at the current diff, I don’t see any issues.

@RussH RussH merged commit d642ff0 into opencats:master Apr 22, 2026
3 checks passed
@anonymoususer72041 anonymoususer72041 deleted the fix/asset-cache-busting branch April 22, 2026 17:11
anonymoususer72041 added a commit to anonymoususer72041/OpenCATS that referenced this pull request Apr 22, 2026
commit edf5d0f
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:59:58 2026 +0200

    Use stricter assertions in tests

commit 8597922
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:50:31 2026 +0200

    Centralize PHPUnit test bootstrap

commit 0393e63
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:44:48 2026 +0200

    Clean up PHPUnit configuration

commit dd9b184
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:36:22 2026 +0200

    Refactor consecutive mock expectations

commit b60e11a
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:30:42 2026 +0200

    Replace deprecated mock builder methods

commit 3580471
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:27:17 2026 +0200

    Use expectException in CompanyRepositoryTest

commit 9474ef7
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:22:28 2026 +0200

    Replace deprecated regex assertions in tests

commit 6361194
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:13:19 2026 +0200

    Escape activity notes before applying nl2br (opencats#751)

    The remaining note rendering paths are now aligned with the safer pattern already used elsewhere in the codebase: nl2br(htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE, HTML_ENCODING))

commit d642ff0
Author: anonymoususer72041 <247563575+anonymoususer72041@users.noreply.github.com>
Date:   Wed Apr 22 19:08:54 2026 +0200

    fix: add file-based cache busting for JavaScript and stylesheet assets (opencats#749)

    * Add file-based asset versioning helper

    * Switch JavaScript and stylesheet includes to file-based cache busting

    * Document static submodal asset loading exception

    * Remove legacy asset anti-cache handling
anonymoususer72041 added a commit to anonymoususer72041/OpenCATS that referenced this pull request Apr 23, 2026