XSS Vulnerability Patch 2

To implement this patch, create a custom module to override the appropriate file for your release within the Backbone.FormView module. The following table lists the appropriate files for each release.

The location of the file that you need to override depends on the SCA release that you need to patch:

| Release | File Location |
| --- | --- |
| 2019.2 | .../SC_19.2_Live/Commons/Backbone.FormView/JavaScript/Backbone.FormView.ts |
| 2019.1 | .../Modules/suitecommerce/Backbone.FormView@sc-2019.1.0/JavaScript/Backbone.FormView.js |
| 2018.2 | .../Modules/suitecommerce/Backbone.FormView@sc-2018.2.0/JavaScript/Backbone.FormView.js |
| Aconcagua | .../Modules/suitecommerce/Backbone.FormView@aconcaguaR2/JavaScript/Backbone.FormView.js |
| Kilimanjaro | .../Modules/suitecommerce/Backbone.FormView@1.2.2/JavaScript/Backbone.FormView.js |
| Elbrus | .../Modules/suitecommerce/Backbone.FormView@1.2.0/JavaScript/Backbone.FormView.js |
| Vinson | .../Modules/suitecommerce/Backbone.FormView@1.1.1/JavaScript/Backbone.FormView.js |
| Montblanc | .../Modules/suitecommerce/Backbone.FormView@1.1.0/JavaScript/Backbone.FormView.js |
| Denali | .../Modules/suitecommerce/Backbone.FormView@1.0.1/JavaScript/Backbone.FormView.js |

If you are not familiar with implementing patches for SCA, refer to the following:

Step 1: Create the Override Files

Following the instructions and recommendations in the Patch Using Override Mode procedure, copy and paste the following code samples in the new directory and file you create. Where you create the new directory and file depends on the SCA release that you need to patch:

| Release | Location of New Directory and File |
| --- | --- |
| 2019.2 | .../SC_19.2_Live/Commons/extensions/Backbone.FormViewExtension@1.00/JavaScript/Backbone.FormView.ts |
| Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | .../Modules/extensions/Backbone.FormViewExtension@1.00/JavaScript/Backbone.FormView.js |

  1. In the Backbone.FormView.js or Backbone.FormView.ts file, find the saveForm function. Add a new method called transformResponseText before the saveForm function as shown in the following example:

        transformResponseText: function(response) {},

        // @method saveForm will serialize the input of some form and save() the given model using it
        // @param {HTMLEvent} e @param {Backbone.Model} model @param {Object} props properties to pass to model.save()
        // @return {jQuery.Deferred}
        saveForm: function(e, model, props) {
            e.preventDefault();

    Important:

    If the Backbone.FormView file for your version of SCA includes a comma before the saveForm function, add the new transformResponseText method like so: ,transformResponseText: function(response) {}

  2. In the saveForm function, find the error definition as shown in the following example:

        error: function(model, response) {
            buttonSubmitDone(self.$savingForm);

            if (response.responseText) {
                model.trigger(
                    'error',
                    jQuery.parseJSON(response.responseText || 'null')
                );
            }
        }

    And replace it with the following code:

        error: function(model, response) {
            buttonSubmitDone(self.$savingForm);

            if (response.responseText) {
                self.transformResponseText(response);
                model.trigger(
                    'error',
                    jQuery.parseJSON(response.responseText || 'null')
                );
            }
        }

  3. In the Backbone.FormView.js or Backbone.FormView.ts file, find this line of code:

        view.saveForm = this.saveForm;

    And replace it with the following code:

        view.saveForm = this.saveForm;
        view.transformResponseText = view.transformResponseText || this.transformResponseText;

  4. Double-check to make sure that the reference path and the paths to the imported dependencies are accurate in the override file you create. If these paths are not accurate, the deploy to NetSuite may fail with errors that necessary files and modules cannot be found.

Step 2: Prepare the Developer Tools For Your Patch

When preparing the Developer Tools for your patch as described in the Patch Using Override Mode procedure, you should:

  1. Paste the code appropriate for the SCA release you are patching into a new ns.package.json file that you create. Where you create the ns.package.json file depends upon the release you are working with.

    | Release | Location of New ns.package.json File |
    | --- | --- |
    | 2019.2 | .../Commons/extensions/Backbone.FormViewExtension@1.00/ns.package.json |
    | Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | .../Modules/extensions/Backbone.FormViewExtension@1.00/ns.package.json |

    • Use the following code if you are patching the 2019.2 release:

          {
              "gulp": {
                  "javascript": [
                      "JavaScript/*.ts"
                  ]
              },
              "overrides": {
                  "Commons/Backbone.FormView/JavaScript/Backbone.FormView.ts": "JavaScript/Backbone.FormView.ts"
              }
          }

    • Use the following code if you are patching the Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

          {
              "gulp": {
                  "javascript": [
                      "JavaScript/*.js"
                  ]
              },
              "overrides": {
                  "suitecommerce/Backbone.FormView@X.Y.Z/JavaScript/Backbone.FormView.js": "JavaScript/Backbone.FormView.js"
              }
          }

      Important:

      In the preceding code sample, you must replace the string X.Y.Z with the version of the module in your implementation of SuiteCommerce Advanced.

  2. Open the distro.json file and then add your custom module to the modules object as described in the Patch Using Override Mode procedure. The location of the distro.json file depends on the version of SCA you are patching.

    | Release | Location of the distro.json File |
    | --- | --- |
    | 2019.2 | For the 2019.2 release, the distro.json file resides in the Advanced directory. For example, if you accepted the default name for the 2019.2 top-level directory, the complete path is: SuiteCommerce Advanced 2019.2/SC_19.2_Live/Advanced/distro.json. |
    | Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | For these releases, the distro.json file resides in the top-level directory. For example, for the 2018.2 release, if you accepted the default directory name for your release, the top-level directory would be SuiteCommerce Advanced 2018.2. |

    The following sample shows the value to add to the list of existing values that follow the "modules" key. Refer to the appropriate sample for the version of SCA you are working with.

    • Use the following sample if you are patching the 2019.2 release:

          "modules": {
              "../Commons/extensions/Backbone.FormViewExtension@1.00",
              . . .

    • Use the following sample if you are patching the Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

          "modules": {
              "extensions/Backbone.FormViewExtension": "1.0.0",
              . . .

Step 3: Add the transformResponseText Method to the LoginRegister.Login.View file

After completing the steps to override the Backbone.FormView.js or Backbone.FormView.ts file as described in the preceding steps, add the transformResponseText method to the LoginRegister.Login.View file. Where the LoginRegister.Login.View file resides depends on the SCA release that you need to patch:

| Release | Location of the LoginRegister.Login.View File |
| --- | --- |
| 2019.2 | .../SC_19.2_Live/Advanced/LoginRegister/JavaScript/LoginRegister.Login.View.ts |
| 2019.1 | .../Modules/suitecommerce/LoginRegister@sc-2019.1.0/JavaScript/LoginRegister.Login.View.js |
| 2018.2 | .../Modules/suitecommerce/LoginRegister@sc-2018.2.0/JavaScript/LoginRegister.Login.View.js |
| Aconcagua | .../Modules/suitecommerce/LoginRegister@aconcaguaR2/JavaScript/LoginRegister.Login.View.js |
| Kilimanjaro | .../Modules/suitecommerce/LoginRegister@2.4.0/JavaScript/LoginRegister.Login.View.js |
| Elbrus | .../Modules/suitecommerce/LoginRegister@2.3.0/JavaScript/LoginRegister.Login.View.js |
| Vinson | .../Modules/suitecommerce/LoginRegister@2.2.0/JavaScript/LoginRegister.Login.View.js |
| Montblanc | .../Modules/suitecommerce/LoginRegister@2.1.0/JavaScript/LoginRegister.Login.View.js |
| Denali | .../Modules/suitecommerce/LoginRegister@2.0.1/JavaScript/LoginRegister.Login.View.js |

  1. Open the LoginRegister.Login.View file.

  2. Find the getContext function, and add the transformResponseText method right above it as shown in the following example:

        ,transformResponseText: function(response) {
            response.responseText = _.unescape(response.responseText);
        }

        //@method getContext @return {LoginRegister.Login.View.Context}
        , getContext: function ()

Step 4: Test and Deploy Your Patch

Follow the instructions provided in the Patch Using Override Mode procedure to test and deploy your patch.

Important:

If you are patching the 2019.2 release, you need to complete the steps in the Deploy to NetSuite Fails with Errors patch instructions to ensure that your patch deploys without errors.
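
Before deploying, the combined effect of the edits in Steps 1 through 3 can be checked in isolation. The following is an added example, not code from the SCA source: `unescapeHtml` stands in for Underscore's `_.unescape`, `JSON.parse` stands in for `jQuery.parseJSON`, and `handleError`, `install`, the two view objects and the sample response bodies are constructed for illustration.

```javascript
// Stand-in for Underscore's _.unescape (covers the same six entities).
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'", '&#x60;': '`' };
function unescapeHtml(text) {
  return String(text).replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (m) => ENTITIES[m]);
}

const FormView = {
  // Step 1: no-op hook, so views that do not override it keep the raw text.
  transformResponseText: function (response) {},
  // Step 2, reduced to the error path: returns what model.trigger('error', ...)
  // would receive. JSON.parse stands in for jQuery.parseJSON.
  handleError: function (response) {
    if (!response.responseText) return undefined;
    this.transformResponseText(response);
    return JSON.parse(response.responseText || 'null');
  },
  // Step 3 wiring: a view's own hook wins, otherwise the no-op is attached.
  install: function (view) {
    view.handleError = this.handleError;
    view.transformResponseText = view.transformResponseText || this.transformResponseText;
    return view;
  }
};

// Constructed views: one without a hook, one with the login override.
const otherView = FormView.install({});
const loginView = FormView.install({
  transformResponseText: function (response) {
    response.responseText = unescapeHtml(response.responseText);
  }
});

// Constructed error bodies (assumption: the server sends HTML-escaped messages).
const ESCAPED_BODY = '{"errorMessage":"&lt;b&gt;Invalid&lt;/b&gt; email &amp; password"}';
const QUOTED_BODY = '{"errorMessage":"Unknown user &quot;bob&quot;"}';

function errorMessageSeenBy(view, body) {
  return view.handleError({ responseText: body }).errorMessage;
}

// The hook rewrites the raw text before it is parsed, so an escaped double
// quote inside a message becomes a bare quote and the body no longer parses.
function parsesAfterHook(view, body) {
  try { view.handleError({ responseText: body }); return true; } catch (e) { return false; }
}

console.log(errorMessageSeenBy(otherView, ESCAPED_BODY), '|', errorMessageSeenBy(loginView, ESCAPED_BODY));
console.log(parsesAfterHook(otherView, QUOTED_BODY), parsesAfterHook(loginView, QUOTED_BODY));
```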
