HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.
These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.
This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.
See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.
Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.
This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.
Fixes#1231
Signed-off-by: David Mehren <git@herrmehren.de>
As Node 10 will be EOL at April 30th, we should stop supporting
and/or promoting the usage of that version.
See also https://endoflife.date/nodejs
Signed-off-by: David Mehren <git@herrmehren.de>
Since the interface is not always in english, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in english, there the global lang="en" should be kept.
Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations.
Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in yaml (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html.
Fixes#881
See also #437
Signed-off-by: Philip Molares <philip.molares@udo.edu>
jQuery's .html() method escapes contained text (e.g. '<' becomes
'<'). This confuses the turndown parser, which then only performs
unescaping, but does not convert to markdown.
By using .text() instead, the unescaped content is returned and turndown
can correctly generate markdown.
Signed-off-by: David Mehren <git@herrmehren.de>
If the slide options in the frontmatter are empty
or not present, then slideOptions object in the
parsed JSON is undefined. This triggers an
exception when the sanitized slide options object
is built.
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
A general invert-filter is applied to all pre elements in night mode. As diagrams are embedded inside pre tags, they're inverted as well. For sequence-diagrams and flow-charts this looks well, if we wouldn't additionally set the stroke and text color to white in night-mode. These additional white rules invert the already inverted diagram again and make it not good visible. The graphviz and abc embeddings aren't really optimized to be inverted, therefore they're now excluded from invertion and stay in day mode.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Reveal.js doesn't set the default value of an option in the provided config object
if the key is set with "undefined" as value. This leads to a broken slide mode,
because some critical settings are missing.
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648
Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this let's users write arbitrary code and seems therefore to problematic)
See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.
Signed-off-by: David Mehren <git@herrmehren.de>
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in public/views
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in README
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in SECURITY.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in LICENSE
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/configuration.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in bin/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/dev
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides/auth
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update various links in code to the new GitHub org.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup/yunohost
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rebrand to HedgeDoc: Add banner and logo
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Remove note in docs/guides/auth/github
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace links in public/docs/features
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add todo placeholder in docs/history
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in public/views/index/body
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add logo to README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add note about the renaming to the front page
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Removed Travis from README.md and change CodiMD to HedgeDoc in some places
Signed-off-by: Yannick Bungers <git@innay.de>
Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc
Signed-off-by: Yannick Bungers <git@innay.de>
Changed Repo name to hedgedoc
Signed-off-by: Yannick Bungers <git@innay.de>
This patch adds the Malayalam translation to CodiMD. Do by our awesome
translation supporters civic john, Sooraj Kenoth, Nithin Prabhakaran and
Jothish.
Thank you very much!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable.
Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The current version of CodiMD/HedgeDoc does only support translations to be filled on server-side rendering. To allow the translation of the changed/created texts, I duplicated the container that holds the text, and pre-filed these containers with the translation server-side. The client just needs to hide the unneeded container and show the right one to show the translated status text.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Until now client-side translations were only possible in the context of the intro/history page, because the locale-detection logic relied on the language selector as a source of available languages. The editor of course has no such selector. With this commit, I copied the list of available languages from the i18n-initialization (server-side) to support language detection in the editor too.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Linting markdown files according to default remark-lint configuration.
Files inside the `public` directory were not linted.
Signed-off-by: oupala <oupala@users.noreply.github.com>
CodiMD currently only uses the 'lang' attribute in YAML-metadata of a note for setting certain js-elements of the markdown-renderer. This commit adds the chosen lang into the published version of a note.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Signed-off-by: David Mehren <dmehren1@gmail.com>
Adding translations for permissions for a possible 1.6.1 release doesn't
hurt but might helps some usecases of running CodiMD and we'll need the
translations in the new frontend anyway.
This patch adds the translations as well as the english local file.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The revision view had a bug that clicking on a list entry would redirect
the user back to the index page instead of providing the revision diff.
This was cased by the baseurl which is now used as reference for hrefs.
Therefore when clicking on the `href="#"` this was actually pointing at
`<baseurl>#` which is usually the index page.
This patch simply removes the href from the list items and therefore the
link functionality. This fixes the whole problem by removing 9
characters from our source code.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
