David Mehren
bf3b45bc11
Uninstall script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
fa1ed66088
Load abcjs from npm package
...
This also loads abcjs without script-loader.
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
fddd97391b
Load gist-embed without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
1150c72fa7
Load handlebars without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
a98d184f2c
Load mermaid without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
bd62e79f7d
Load ot without script-loader
...
The ot library is tricky to load with Webpack, as it writes
its functions into a global `ot` object and does not export anything.
I got it working using `exports-loader` to put the `ot` object
into a CommonJS export and then forcing Webpack to only
load using CommonJS.
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
4f4a4cb747
Load jquery-textcomplete without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
2515ad962b
Load inline-attachment without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:35 +02:00
David Mehren
cf867daf99
Load Idle.js without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
0e7a9df97d
Load jquery-ui resizable from npm package
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
e17cc6440f
Load codemirror and codemirror-spell-checker without script-loader
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:20 +02:00
Yannick Bungers
23fa44cd36
Merge pull request #1346 from hedgedoc/add-cloudflare-warning-to-docs
...
Add Cloudflare warning to the docs
2021-06-03 20:43:46 +02:00
Tilman Vatteroth
ff12e3b23e
Add Cloudflare warning to the docs
...
The Cloudflare minify feature for HTML, CSS and JS breaks HedgeDoc.
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-06-03 17:30:07 +02:00
David Mehren
eeaf054806
Merge pull request #1343 from hedgedoc/renovate/master-lock-file-maintenance
...
chore(deps): lock file maintenance (master)
2021-06-01 20:05:03 +02:00
David Mehren
37139c7210
Merge pull request #1341 from hedgedoc/renovate/master-mkdocs-material-7.x
...
chore(deps): update dependency mkdocs-material to v7.1.6 (master)
2021-06-01 20:02:58 +02:00
Renovate Bot
6f1a9eac18
chore(deps): lock file maintenance
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:18:58 +00:00
Renovate Bot
4f592d32e2
chore(deps): update dependency mkdocs-material to v7.1.6
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:17:51 +00:00
David Mehren
9ce49c2292
Merge pull request #1331 from hedgedoc/renovate/master-linters
...
chore(deps): update linters (master)
2021-05-31 21:16:50 +02:00
Renovate Bot
485413473b
chore(deps): update linters
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-29 21:42:25 +00:00
David Mehren
68d14b198f
Merge pull request #1328 from hedgedoc/renovate/master-lock-file-maintenance
...
chore(deps): lock file maintenance (master)
2021-05-24 18:43:24 +02:00
Renovate Bot
e6d2ed0dc3
chore(deps): lock file maintenance
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:34:43 +00:00
David Mehren
ec90852e62
Merge pull request #1330 from hedgedoc/renovate/master-css-loader-5.x
...
chore(deps): update dependency css-loader to v5.2.6 (master)
2021-05-24 18:32:40 +02:00
Renovate Bot
f6b671495e
chore(deps): update dependency css-loader to v5.2.6
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:15:43 +00:00
David Mehren
e0af7c51af
Merge pull request #1325 from hedgedoc/renovate/master-linters
...
chore(deps): update linters (master)
2021-05-24 18:14:46 +02:00
Renovate Bot
57c23ac2a9
chore(deps): update linters
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-22 02:00:31 +00:00
David Mehren
02e6169d25
Merge pull request #1316 from hedgedoc/renovate/master-mkdocs-material-7.x
...
chore(deps): update dependency mkdocs-material to v7.1.5 (master)
2021-05-21 21:26:20 +02:00
David Mehren
a7c27538a5
Merge pull request #1320 from hedgedoc/renovate/master-css-loader-5.x
...
chore(deps): update dependency css-loader to v5.2.5 (master)
2021-05-21 21:25:55 +02:00
Renovate Bot
a40f412190
chore(deps): update dependency css-loader to v5.2.5
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-20 14:20:26 +00:00
Renovate Bot
b072da418d
chore(deps): update dependency mkdocs-material to v7.1.5
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-19 09:13:36 +00:00
David Mehren
311e6dbc78
Merge pull request #1285 from hedgedoc/renovate/master-lock-file-maintenance
...
Lock file maintenance (master)
2021-05-17 19:57:18 +02:00
Renovate Bot
1389146e90
Lock file maintenance
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 17:12:42 +00:00
David Mehren
74b0f34153
Merge pull request #1289 from hedgedoc/renovate/master-passport-saml-3.x
2021-05-17 19:10:46 +02:00
David Mehren
7f3c04c9fc
SAML: Use `privateKey` option
...
The old `privateCert` option was removed in
https://github.com/node-saml/passport-saml/pull/569
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-17 18:46:00 +02:00
Renovate Bot
1119b30535
Update dependency passport-saml to v3
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 16:30:27 +00:00
David Mehren
3658d1aab2
Merge pull request #1286 from hedgedoc/renovate/master-optimize-css-assets-webpack-plugin-6.x
...
Update dependency optimize-css-assets-webpack-plugin to v6 (master)
2021-05-17 18:29:09 +02:00
Renovate Bot
f9f5f51204
Update dependency optimize-css-assets-webpack-plugin to v6
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 02:44:55 +00:00
David Mehren
6b95833404
Merge pull request #1282 from hedgedoc/fix-vimeo
...
Replace vimeo meta data api
2021-05-16 21:52:40 +02:00
Tilman Vatteroth
41b9ab956c
Replace vimeo meta data api
...
Vimeo deprecated the v2 API and recommends
using https://developer.vimeo.com/api/oembed/videos
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-05-15 21:25:03 +02:00
David Mehren
3762c6a00d
Merge pull request #1279 from hedgedoc/renovate/master-linters
...
Update dependency eslint-plugin-import to v2.23.2 (master)
2021-05-15 20:49:15 +02:00
Renovate Bot
c460f9c9f8
Update dependency eslint-plugin-import to v2.23.2
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-15 16:49:05 +00:00
David Mehren
8b374d8c19
Merge pull request #1267 from hedgedoc/release/1.8.2
2021-05-11 21:41:11 +02:00
David Mehren
32e31ac1e3
Bump version to 1.8.2
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
81d73b2db9
Add release notes for 1.8.2
...
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
01dad5821e
Merge pull request from GHSA-gjg7-4j2h-94fq
...
Fix XSS in Open Graph & User metadata
2021-05-11 21:13:25 +02:00
David Mehren
4cc9b3abe5
Merge pull request #1259 from hedgedoc/renovate/master-lock-file-maintenance
...
Lock file maintenance (master)
2021-05-11 19:42:43 +02:00
Renovate Bot
716808fa95
Lock file maintenance
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-11 17:15:20 +00:00
David Mehren
65bf66adc3
Merge pull request #1263 from hedgedoc/renovate/master-mermaid-8.x
...
Update dependency mermaid to v8.10.1 (master)
2021-05-11 19:13:35 +02:00
Renovate Bot
0b997b540a
Update dependency mermaid to v8.10.1
...
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-10 17:39:12 +00:00
David Mehren
f552b14e11
Sanitize username and photo URL
...
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.
This commit sanitizes the username and photo URL by passing them
through the `xss` library.
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
David Mehren
4a0216096a
Escape custom Open Graph tags
...
HedgeDoc allows specifying custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.
These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows injecting arbitrary strings,
including `<script>` tags.
This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variable's content,
thereby mitigating the XSS vector.
See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
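
The difference between the two ejs output tags described in the "Escape custom Open Graph tags" commit message above, as an added example that is not HedgeDoc's code. The `render` function is a simplified stand-in for ejs, and the template lines and sample metadata are constructed for illustration.

```javascript
// Simplified stand-in for the two ejs output tags (not the ejs library itself).
// The map covers the characters ejs's default escape function replaces.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeXML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Renders `<%- name %>` raw and `<%= name %>` escaped, looking names up in `locals`.
function render(template, locals) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_, tag, name) => {
    const value = locals[name] === undefined ? '' : String(locals[name]);
    return tag === '=' ? escapeXML(value) : value;
  });
}

// Hypothetical template lines modelled on an Open Graph meta tag.
const BEFORE = '<meta property="og:<%- key %>" content="<%- value %>">';
const AFTER = '<meta property="og:<%= key %>" content="<%= value %>">';

// Constructed note metadata: a benign value and one that tries to close the attribute.
const SAMPLES = [
  { key: 'title', value: 'Meeting notes & agenda' },
  { key: 'description', value: '"><script>alert(1)</script>' },
];

// True when the rendered output still consists of exactly one <meta> element.
function isSingleMetaTag(html) {
  return /^<meta [^<>]*>$/.test(html);
}

// Renders every sample through both templates so the outputs can be compared.
function compare() {
  return SAMPLES.map((og) => ({
    key: og.key,
    before: render(BEFORE, og),
    after: render(AFTER, og),
  }));
}

for (const row of compare()) {
  console.log(row.key, '| raw stays one tag:', isSingleMetaTag(row.before),
    '| escaped stays one tag:', isSingleMetaTag(row.after));
  console.log('  ', row.after);
}
```

The same `isSingleMetaTag` check works as a regression test for any template that places user-controlled metadata inside an attribute.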