HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.
This commit sanitizes the username and photo URL by passing them
through the `xss` library.
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.
These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.
This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.
See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Before `yarn build` can be succesfully run, we need to install the devDependencies.
This is necessary, because `bin/setup` does not install the devDependencies…
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The connection to Heroku's Postgres instances must use SSL,
but not check the certificate.
This adds the necessary configuration to the Heroku setup script.
Fixes#1245
Signed-off-by: David Mehren <git@herrmehren.de>
The development config now runs on http://localhost:3000 out-of-the-box.
The production config now makes clear that domain should be changed.
Both configs don't include `"linkifyHeaderStyle": "gfm"` anymore
to make the links on the homepage work.
Signed-off-by: David Mehren <git@herrmehren.de>
This makes the behavior consistent with the docs and
saves the user from having to both set
`useSSL` and `protocolUseSSL`.
Signed-off-by: David Mehren <git@herrmehren.de>
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.
This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.
Fixes#1231
Signed-off-by: David Mehren <git@herrmehren.de>
The `upgradeInsecureRequests` option of Helmets CSP middleware
was a boolean in Helmet 3, but with Helmet 4,
everything changed to lists.
This commit adjusts the addUpgradeUnsafeRequestsOptionTo
function accordingly.
Closes#1221
See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy
Signed-off-by: David Mehren <git@herrmehren.de>
