Because screen readers don't know that the anchor icon is not meant to be read,
they might read the title (which is the same as the heading itself) in addition
to the heading, thus causing a duplicated output.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The abuse of the demo instance required us to disallow note creation
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
A change in the minio JS SDK resulted in uploads being stored
with a defect metadata object in minio, resulting in all
files served as application/octet-stream. This was caused as
the fifth argument to putObject is a metadata object and not
the content-type alone anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
When the /_health endpoint for the docker container
healthcheck was introduced, it seems that it was
forgotten to exclude that route from the session
creation. As the healthcheck runs quite periodically,
this created a huge amount of session entries in the
database. This commit excludes the route from
session creation.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
A bug was reported that having frontmatter fields being only numeric results in an error. This seems to be caused
as the frontmatter is processed by the yaml-parser but returned
with the types as given. So a numeric value is returned as a number,
a "true" or "false" is returned as boolean etc.
As we expect strings in the template, that resulted in an exception.
This commit fixes this by treating every value as string in the template.
Since we've got no other usages of opengraph data, this should not have been
a security problem.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
HedgeDoc 1.9.x bundles Mermaid version 9.1.7, which
is old enough that current Mermaid syntax will fail to
render inside HedgeDoc notes.
Add a pointer to Mermaid 9.1.7 docs, so users of the
current stable HedgeDoc know what's actually supported.
https://github.com/mermaid-js/mermaid/blob/v9.1.7/docs/n00b-gettingStarted.md
Signed-off-by: Jordi Mallach <jordi@igalia.com>
After carefully studying the man pages of GNU sort and BSD sort,
we concluded that the version_lt function should also work on macOS.
Testing seemed to confirm that.
Signed-off-by: David Mehren <git@herrmehren.de>
I really don't know why this breaks only in a production build, but this
evil
hack makes the script work again.
Closes https://github.com/hedgedoc/hedgedoc/issues/3862
Signed-off-by: David Mehren <git@herrmehren.de>
Connection forbidden errors cause cleanup of note state without first
checking if other clients are still connected to the note. This leads
to inconsistent pad content and changes not being saved properly.
This change reverts parts of 725e982 (Fix realtime on forbidden not clean
up properly ...). The call to `interruptConnection()` on permission errors
is redundant, since `failConnection()` and `disconnect()` already perform
all required cleanup in this case. The other call to `interruptConnection()`
only happens when a client (the first client for a note) disconnects while
the note is being loaded from the database. It is refactored for clarity.
Fixes#3894
Co-authored-by: David Mehren <git@herrmehren.de>
Signed-off-by: Julian Rother <julian@jrother.eu>
This endpoint returns the internal readiness state used by
the realtime code to indicate whether HedgeDoc is performing
properly. As it only returns the state of a variable, it is
less resource hungry compared to a call to /status for
checking the health of HedgeDoc.
By prepending the route with an underscore, it should not be conflicting with already created pads in FreeURL mode.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.
Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
In e17cc644 the Webpack build process for CodeMirror was changed.
For unknown reasons, not all plugins and modes were added.
This adds all plugins currently enabled in
https://github
.com/hedgedoc/CodeMirror/blob/951b3d94bb5ad9ac7b44642adbe595e843390506/release.sh
Signed-off-by: David Mehren <git@herrmehren.de>
The markdown for the publish-view is generated
using the `Note.extractMeta` method.
It uses meta-marked to separate the metadata from markdown.
Only the raw markdown is then sent to the client,
so it cannot respect the `breaks` option.
This adds an evil hack to send the `breaks` option with the markdown
if it is contained in the metadata block.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2358
Signed-off-by: David Mehren <git@herrmehren.de>
When using mysql the normal text attribute has a fixed size. When this size is reached then the json will be cut off and becomes invalid.
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
Since https://github.com/vesse/node-ldapauth-fork/commit
/741a648df98d789856b3301d65103b74872fdeea, ldapauth-fork calls `push` on
the attributes array.
Since we deep-freeze our config object in https://github
.com/hedgedoc/hedgedoc/blob/master/lib/config/index.js#L200, this
causes a crash.
This commit fixes the crash by creating a mutable clone of the LDAP
config and passing that to the LDAP strategy.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2561
Signed-off-by: David Mehren <git@herrmehren.de>
This patch removes the call of `/usr/bin/env` when calling the migration
script in favour of using the processes own nodejs invocation path.
This should drop the requirement for `/usr/bin/env` to exist on a
system/in a container that runs hedgedoc.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The snippet export broke due to two reasons.
First of all, the request to GitLab fail in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires an `files` array with
`content` and `file_path` entries per snippet.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
that.
This copies the function into its own file (to make importing it easy)
and adds an import in index.js.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2248
Signed-off-by: David Mehren <git@herrmehren.de>