Commit graph

3533 commits

Author SHA1 Message Date
David Mehren
87e5575f03
Merge pull request #1350 from hedgedoc/fix-cloudflare-warning
Remove explicit title from cloudflare warning
2021-06-04 22:46:26 +02:00
Tilman Vatteroth
9a6d5d675a
Remove explicit title from cloudflare warning
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-06-03 23:24:09 +02:00
Yannick Bungers
23fa44cd36
Merge pull request #1346 from hedgedoc/add-cloudflare-warning-to-docs
Add Cloudflare warning to the docs
2021-06-03 20:43:46 +02:00
Tilman Vatteroth
ff12e3b23e
Add Cloudflare warning to the docs
The cloudflare minify feature for HTML, CSS and JS breaks HedgeDoc.

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-06-03 17:30:07 +02:00
David Mehren
eeaf054806
Merge pull request #1343 from hedgedoc/renovate/master-lock-file-maintenance
chore(deps): lock file maintenance (master)
2021-06-01 20:05:03 +02:00
David Mehren
37139c7210
Merge pull request #1341 from hedgedoc/renovate/master-mkdocs-material-7.x
chore(deps): update dependency mkdocs-material to v7.1.6 (master)
2021-06-01 20:02:58 +02:00
Renovate Bot
6f1a9eac18
chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:18:58 +00:00
Renovate Bot
4f592d32e2
chore(deps): update dependency mkdocs-material to v7.1.6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:17:51 +00:00
David Mehren
9ce49c2292
Merge pull request #1331 from hedgedoc/renovate/master-linters
chore(deps): update linters (master)
2021-05-31 21:16:50 +02:00
Renovate Bot
485413473b
chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-29 21:42:25 +00:00
David Mehren
68d14b198f
Merge pull request #1328 from hedgedoc/renovate/master-lock-file-maintenance
chore(deps): lock file maintenance (master)
2021-05-24 18:43:24 +02:00
Renovate Bot
e6d2ed0dc3
chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:34:43 +00:00
David Mehren
ec90852e62
Merge pull request #1330 from hedgedoc/renovate/master-css-loader-5.x
chore(deps): update dependency css-loader to v5.2.6 (master)
2021-05-24 18:32:40 +02:00
Renovate Bot
f6b671495e
chore(deps): update dependency css-loader to v5.2.6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:15:43 +00:00
David Mehren
e0af7c51af
Merge pull request #1325 from hedgedoc/renovate/master-linters
chore(deps): update linters (master)
2021-05-24 18:14:46 +02:00
Renovate Bot
57c23ac2a9
chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-22 02:00:31 +00:00
David Mehren
02e6169d25
Merge pull request #1316 from hedgedoc/renovate/master-mkdocs-material-7.x
chore(deps): update dependency mkdocs-material to v7.1.5 (master)
2021-05-21 21:26:20 +02:00
David Mehren
a7c27538a5
Merge pull request #1320 from hedgedoc/renovate/master-css-loader-5.x
chore(deps): update dependency css-loader to v5.2.5 (master)
2021-05-21 21:25:55 +02:00
Renovate Bot
a40f412190
chore(deps): update dependency css-loader to v5.2.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-20 14:20:26 +00:00
Renovate Bot
b072da418d
chore(deps): update dependency mkdocs-material to v7.1.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-19 09:13:36 +00:00
David Mehren
311e6dbc78
Merge pull request #1285 from hedgedoc/renovate/master-lock-file-maintenance
Lock file maintenance (master)
2021-05-17 19:57:18 +02:00
Renovate Bot
1389146e90
Lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 17:12:42 +00:00
David Mehren
74b0f34153
Merge pull request #1289 from hedgedoc/renovate/master-passport-saml-3.x 2021-05-17 19:10:46 +02:00
David Mehren
7f3c04c9fc
SAML: Use privateKey option
The old `privateCert` option was removed in
https://github.com/node-saml/passport-saml/pull/569

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-17 18:46:00 +02:00
Renovate Bot
1119b30535
Update dependency passport-saml to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 16:30:27 +00:00
David Mehren
3658d1aab2
Merge pull request #1286 from hedgedoc/renovate/master-optimize-css-assets-webpack-plugin-6.x
Update dependency optimize-css-assets-webpack-plugin to v6 (master)
2021-05-17 18:29:09 +02:00
Renovate Bot
f9f5f51204
Update dependency optimize-css-assets-webpack-plugin to v6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 02:44:55 +00:00
David Mehren
6b95833404
Merge pull request #1282 from hedgedoc/fix-vimeo
Replace vimeo meta data api
2021-05-16 21:52:40 +02:00
Tilman Vatteroth
41b9ab956c
Replace vimeo meta data api
Vimeo deprecated the v2 api and recommends to
use https://developer.vimeo.com/api/oembed/videos

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-05-15 21:25:03 +02:00
David Mehren
3762c6a00d
Merge pull request #1279 from hedgedoc/renovate/master-linters
Update dependency eslint-plugin-import to v2.23.2 (master)
2021-05-15 20:49:15 +02:00
Renovate Bot
c460f9c9f8
Update dependency eslint-plugin-import to v2.23.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-15 16:49:05 +00:00
David Mehren
8b374d8c19
Merge pull request #1267 from hedgedoc/release/1.8.2 2021-05-11 21:41:11 +02:00
David Mehren
32e31ac1e3
Bump version to 1.8.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
81d73b2db9
Add release notes for 1.8.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
01dad5821e
Merge pull request from GHSA-gjg7-4j2h-94fq
Fix XSS in Open Graph & User metadata
2021-05-11 21:13:25 +02:00
David Mehren
4cc9b3abe5
Merge pull request #1259 from hedgedoc/renovate/master-lock-file-maintenance
Lock file maintenance (master)
2021-05-11 19:42:43 +02:00
Renovate Bot
716808fa95
Lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-11 17:15:20 +00:00
David Mehren
65bf66adc3
Merge pull request #1263 from hedgedoc/renovate/master-mermaid-8.x
Update dependency mermaid to v8.10.1 (master)
2021-05-11 19:13:35 +02:00
Renovate Bot
0b997b540a
Update dependency mermaid to v8.10.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-10 17:39:12 +00:00
David Mehren
f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
David Mehren
4a0216096a
Escape custom Open Graph tags
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
David Mehren
87c83dcba5
Merge pull request #1246 from hedgedoc/fix/heroku_pg_ssl
Ignore Postgres SSL errors on Heroku
2021-05-09 14:59:29 +02:00
David Mehren
24883f7d99
Merge pull request #1241 from hedgedoc/renovate/master-test-packages
Update dependency mocha to v8.4.0 (master)
2021-05-09 14:46:02 +02:00
David Mehren
396e651254
Merge pull request #1247 from hedgedoc/renovate/master-linters
Update dependency eslint to v7.26.0 (master)
2021-05-09 14:45:31 +02:00
Renovate Bot
e7110c6305
Update dependency mocha to v8.4.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-09 12:40:58 +00:00
Renovate Bot
165327ad59
Update dependency eslint to v7.26.0
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-09 12:40:44 +00:00
David Mehren
f545fbd9a1
Merge pull request #1250 from hedgedoc/renovate/master-pymdown-extensions-8.x
Update dependency pymdown-extensions to v8.2 (master)
2021-05-09 14:39:48 +02:00
Renovate Bot
1d5cd3cdc9
Update dependency pymdown-extensions to v8.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-08 17:26:14 +00:00
Yannick Bungers
db50bdf919
Merge pull request #1249 from hedgedoc/adjustSetup
Docs: Add mention to install devDependencies
2021-05-08 16:07:10 +02:00
Philip Molares
a4b4ebd80c Docs: Add mention to install devDependencies
Before `yarn build` can be succesfully run, we need to install the devDependencies.
This is necessary, because `bin/setup` does not install the devDependencies…

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-05-08 13:47:31 +02:00