diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 06476ea6..e73d8d07 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx 
@@ -59,8 +59,8 @@ Version 2.0 and later versions may have new requirements that will thrive on new -1. **Flexible Firestore Database Use:** Version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing WRITE operations to the database directly from the web front end coupled with more lenient Firestore database Rules. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the Firestore REST APIs. While this was not an issue in Version 1.0, it emerged as part of the effort to enhance development speed and feature delivery starting with Version 2.0. -2. **Cross-Site Scripting (XSS) Vulnerability in Crop Recommendations:** Related to item 1, the new process for editing WYSIWYG HTML-form crop recommendations input may allow unsafe or inaccurate content due to limited validation. Risks associated with this were recognized early in the process, but the focus on delivering core features led to a delay in integrating security measures. +1. **Flexible Firestore Database Use:** Version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing WRITE operations to the database directly from the web front end coupled with more lenient Firestore database Rules. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). While this was not an issue in Version 1.0, it emerged as part of the effort to enhance development speed and feature delivery starting with Version 2.0. +2. 
**Cross-Site Scripting (XSS) Vulnerability in Crop Recommendations:** Related to item 1, the new process for editing WYSIWYG HTML-form crop recommendations input may allow unsafe or inaccurate content due to limited validation through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). Risks associated with this were recognized early in the process, but the focus on delivering core features led to a delay in integrating security measures. 3. **Crop recommendations data integrity:** Ensuring that data presentations in PDF bulletins remain unaltered, trustworthy, and accurate is crucial for users and future developers. This priority stems from the concerns identified in items 1 and 2. > These issues, raised during the early 2.0 development phase, have been communicated to the new main ACAP Maintainer, who is also the new primary developer leading the creation and enhancement of new features for Version 2.0. The new Maintainer has made thoughtful decisions for balancing development speed with feature delivery, reflecting their understanding of the project's scope and the perceived security needs. They are open to addressing these issues as time and priorities allow within the ACAP project timeline. diff --git a/docs/pages/references.mdx b/docs/pages/references.mdx index 17a9dd7e..271aec37 100644 --- a/docs/pages/references.mdx +++ b/docs/pages/references.mdx @@ -51,6 +51,7 @@ This section contains URL links to partners and various online references used b
- [Firestore Web API](https://firebase.google.com/docs/firestore/quickstart) - [Firestore REST APIs](https://firebase.google.com/docs/firestore/use-rest-api) +- [Firestore REST API (Explorer)](https://cloud.google.com/firestore/docs/reference/rest/) - [Firestore Rules](https://firebase.google.com/docs/firestore/security/get-started)
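Review bot: In the changelog hunk, the link inserted into item 2 changes the sentence's meaning: "may allow unsafe or inaccurate content due to limited validation through the [Firestore REST APIs](...)" now says the validation happens through the REST API, whereas the original (and item 1) describes the REST API as the path that bypasses the front-end validation. Suggest keeping the original clause and attaching the link to the bypass instead, e.g. "due to limited validation in the editor, and because the same content can be written directly through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/)". Note also that the label "Firestore REST APIs" is used here for the cloud.google.com reference URL while references.mdx already uses that exact label for https://firebase.google.com/docs/firestore/use-rest-api; one label pointing at two different pages will confuse readers who cross-check the references list.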
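Review bot: In the references hunk, the new entry's label "Firestore REST API (Explorer)" does not match how the same URL is labelled in changelog.mdx in this patch ("Firestore REST APIs"), and "(Explorer)" describes a feature of that page rather than the page itself, which is the REST API reference. Suggest a consistent label in both files, e.g. "- [Firestore REST API reference](https://cloud.google.com/firestore/docs/reference/rest/)", and using the same label in the changelog link so the two lists agree.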