XSS Vulnerability Patch 2
To implement this patch, create a custom module that overrides the appropriate file in the Backbone.FormView module. The file you need to override depends on the SCA release you are patching:
Release | File Location
---|---
2019.2 |
2019.1 |
2018.2 |
Aconcagua |
Kilimanjaro |
Elbrus |
Vinson |
Montblanc |
Denali |
If you are not familiar with implementing patches for SCA, refer to the following:
- Before you get started, familiarize yourself with Best Practices for Customizing SCA.
- For step-by-step instructions, refer to Patch Using Override Mode.
Step 1: Create the Override Files
Following the instructions and recommendations in the Patch Using Override Mode procedure, copy and paste the following code samples into the new directory and file you create. Where you create the new directory and file depends on the SCA release you are patching:
Release | Location of New Directory and File
---|---
2019.2 |
Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 |
- In the Backbone.FormView.js or Backbone.FormView.ts file, find the saveForm function. Add a new method called transformResponseText before the saveForm function, as shown in the following example. The new method is deliberately empty: it is a hook that individual views can override, and the default does nothing.

```javascript
transformResponseText: function(response) {},

// @method saveForm will serialize the input of some form and save() the given model using it
// @param {HTMLEvent} e @param {Backbone.Model} model @param {Object} props properties to pass to model.save()
// @return {jQuery.Deferred}
saveForm: function(e, model, props) {
    e.preventDefault();
```

Important: If the Backbone.FormView file for your version of SCA includes a comma before the saveForm function, add the new transformResponseText method like so:

```javascript
,transformResponseText: function(response) {}
```
- In the saveForm function, find the error definition, as shown in the following example:

```javascript
error: function(model, response) {
    buttonSubmitDone(self.$savingForm);
    if (response.responseText) {
        model.trigger(
            'error',
            jQuery.parseJSON(response.responseText || 'null')
        );
    }
}
```

Replace it with the following code, which calls the new hook on the raw response before the response text is parsed as JSON:

```javascript
error: function(model, response) {
    buttonSubmitDone(self.$savingForm);
    if (response.responseText) {
        self.transformResponseText(response);
        model.trigger(
            'error',
            jQuery.parseJSON(response.responseText || 'null')
        );
    }
}
```
- In the Backbone.FormView.js or Backbone.FormView.ts file, find this line of code:

```javascript
view.saveForm = this.saveForm;
```

Replace it with the following code. A view that defines its own transformResponseText keeps it; every other view receives the no-op default, so its error handling is unchanged:

```javascript
view.saveForm = this.saveForm;
view.transformResponseText = view.transformResponseText || this.transformResponseText;
```
- Double-check that the reference path and the paths to the imported dependencies are accurate in the override file you create. If these paths are not accurate, the deploy to NetSuite may fail with errors stating that necessary files and modules cannot be found.
Step 2: Prepare the Developer Tools For Your Patch
When preparing the Developer Tools for your patch as described in the Patch Using Override Mode procedure, you should:
- Paste the code appropriate for the SCA release you are patching into a new ns.package.json file that you create. Where you create the ns.package.json file depends on the release you are working with:

Release | Location of New ns.package.json File
---|---
2019.2 | .../Commons/extensions/Backbone.FormViewExtension@1.00/ns.package.json
Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | .../Modules/extensions/Backbone.FormViewExtension@1.00/ns.package.json

- Use the following code if you are patching the 2019.2 release:

```json
{
    "gulp": {
        "javascript": [
            "JavaScript/*.ts"
        ]
    },
    "overrides": {
        "Commons/Backbone.FormView/JavaScript/Backbone.FormView.ts": "JavaScript/Backbone.FormView.ts"
    }
}
```

- Use the following code if you are patching the Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

```json
{
    "gulp": {
        "javascript": [
            "JavaScript/*.js"
        ]
    },
    "overrides": {
        "suitecommerce/Backbone.FormView@X.Y.Z/JavaScript/Backbone.FormView.js": "JavaScript/Backbone.FormView.js"
    }
}
```

Important: In the preceding code sample, you must replace the string X.Y.Z with the version of the Backbone.FormView module in your implementation of SuiteCommerce Advanced.
- Open the distro.json file and add your custom module to the modules object as described in the Patch Using Override Mode procedure. The location of the distro.json file depends on the version of SCA you are patching:

Release | Location of the distro.json File
---|---
2019.2 | For the 2019.2 release, the distro.json file resides in the Advanced directory. For example, if you accepted the default name for the 2019.2 top-level directory, the complete path is: SuiteCommerce Advanced 2019.2/SC_19.2_Live/Advanced/distro.json.
Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | For these releases, the distro.json file resides in the top-level directory. For example, for the 2018.2 release, if you accepted the default directory name for your release, the top-level directory would be SuiteCommerce Advanced 2018.2.

The following samples show the value to add to the list of existing values that follow the "modules" key. Refer to the appropriate sample for the version of SCA you are working with.

- Use the following sample if you are patching the 2019.2 release:

```json
"modules": {
    "../Commons/extensions/Backbone.FormViewExtension@1.00",
    . . .
```

- Use the following sample if you are patching the Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

```json
"modules": {
    "extensions/Backbone.FormViewExtension": "1.0.0",
    . . .
```
Step 3: Add the transformResponseText Method to the LoginRegister.Login.View file
After completing the steps to override the Backbone.FormView.js or Backbone.FormView.ts file as described above, add the transformResponseText method to the LoginRegister.Login.View file. Where the LoginRegister.Login.View file resides depends on the SCA release you are patching:
Release | Location of the LoginRegister.Login.View File
---|---
2019.2 |
2019.1 |
2018.2 |
Aconcagua |
Kilimanjaro |
Elbrus |
Vinson |
Montblanc |
Denali |
- Open the LoginRegister.Login.View file.
- Find the getContext function and add the transformResponseText method right above it, as shown in the following example. This override reverses HTML entity escaping (_.unescape) on the raw response text before the error handler in saveForm parses it as JSON:

```javascript
,transformResponseText: function(response) {
    response.responseText = _.unescape(response.responseText);
}

//@method getContext @return {LoginRegister.Login.View.Context}
, getContext: function ()
```
Step 4: Test and Deploy Your Patch
Follow the instructions provided in the Patch Using Override Mode procedure to test and deploy your patch.
If you are patching the 2019.2 release, you also need to complete the steps in the Deploy to NetSuite Fails with Errors patch instructions to ensure that your patch deploys without errors.