Commit graph

3342 commits

Author SHA1 Message Date
Renovate Bot
7c6201a051
chore(deps): update dependency highlight.js to v10.7.3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-06-07 15:42:53 +00:00
David Mehren
6a4060c5d2
Merge pull request #1365 from hedgedoc/renovate/master-webpack-cli-4.x
chore(deps): update dependency webpack-cli to v4.7.1 (master)
2021-06-07 17:42:36 +02:00
David Mehren
1422ccf0e1
Merge pull request #1357 from hedgedoc/renovate/master-mkdocs-material-7.x
chore(deps): update dependency mkdocs-material to v7.1.7 (master)
2021-06-07 17:41:28 +02:00
David Mehren
38f73d2872
Enable source-maps in Webpack production config
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 17:22:40 +02:00
David Mehren
578cb4d919
Enable SplitChunksPlugin in Webpack production config
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 17:22:40 +02:00
Renovate Bot
c04e44562d
chore(deps): update dependency webpack-cli to v4.7.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-06-07 14:06:30 +00:00
Renovate Bot
a3581c514b
chore(deps): update dependency mkdocs-material to v7.1.7
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-06-07 00:17:03 +00:00
David Mehren
cb1428d9b0
Merge pull request #1360 from hedgedoc/fix-docs-openapi
Fix link in openapi doc
2021-06-06 21:35:45 +02:00
Erik Michelson
df7a5e3f6c
Fix link in openapi doc
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-06-06 20:33:25 +02:00
David Mehren
87e5575f03
Merge pull request #1350 from hedgedoc/fix-cloudflare-warning
Remove explicit title from cloudflare warning
2021-06-04 22:46:26 +02:00
Tilman Vatteroth
9a6d5d675a
Remove explicit title from cloudflare warning
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-06-03 23:24:09 +02:00
Yannick Bungers
23fa44cd36
Merge pull request #1346 from hedgedoc/add-cloudflare-warning-to-docs
Add Cloudflare warning to the docs
2021-06-03 20:43:46 +02:00
Tilman Vatteroth
ff12e3b23e
Add Cloudflare warning to the docs
The Cloudflare minify feature for HTML, CSS and JS breaks HedgeDoc.

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-06-03 17:30:07 +02:00
David Mehren
eeaf054806
Merge pull request #1343 from hedgedoc/renovate/master-lock-file-maintenance
chore(deps): lock file maintenance (master)
2021-06-01 20:05:03 +02:00
David Mehren
37139c7210
Merge pull request #1341 from hedgedoc/renovate/master-mkdocs-material-7.x
chore(deps): update dependency mkdocs-material to v7.1.6 (master)
2021-06-01 20:02:58 +02:00
Renovate Bot
6f1a9eac18
chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:18:58 +00:00
Renovate Bot
4f592d32e2
chore(deps): update dependency mkdocs-material to v7.1.6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-31 19:17:51 +00:00
David Mehren
9ce49c2292
Merge pull request #1331 from hedgedoc/renovate/master-linters
chore(deps): update linters (master)
2021-05-31 21:16:50 +02:00
Renovate Bot
485413473b
chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-29 21:42:25 +00:00
David Mehren
68d14b198f
Merge pull request #1328 from hedgedoc/renovate/master-lock-file-maintenance
chore(deps): lock file maintenance (master)
2021-05-24 18:43:24 +02:00
Renovate Bot
e6d2ed0dc3
chore(deps): lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:34:43 +00:00
David Mehren
ec90852e62
Merge pull request #1330 from hedgedoc/renovate/master-css-loader-5.x
chore(deps): update dependency css-loader to v5.2.6 (master)
2021-05-24 18:32:40 +02:00
Renovate Bot
f6b671495e
chore(deps): update dependency css-loader to v5.2.6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-24 16:15:43 +00:00
David Mehren
e0af7c51af
Merge pull request #1325 from hedgedoc/renovate/master-linters
chore(deps): update linters (master)
2021-05-24 18:14:46 +02:00
Renovate Bot
57c23ac2a9
chore(deps): update linters
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-22 02:00:31 +00:00
David Mehren
02e6169d25
Merge pull request #1316 from hedgedoc/renovate/master-mkdocs-material-7.x
chore(deps): update dependency mkdocs-material to v7.1.5 (master)
2021-05-21 21:26:20 +02:00
David Mehren
a7c27538a5
Merge pull request #1320 from hedgedoc/renovate/master-css-loader-5.x
chore(deps): update dependency css-loader to v5.2.5 (master)
2021-05-21 21:25:55 +02:00
Renovate Bot
a40f412190
chore(deps): update dependency css-loader to v5.2.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-20 14:20:26 +00:00
Renovate Bot
b072da418d
chore(deps): update dependency mkdocs-material to v7.1.5
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-19 09:13:36 +00:00
David Mehren
311e6dbc78
Merge pull request #1285 from hedgedoc/renovate/master-lock-file-maintenance
Lock file maintenance (master)
2021-05-17 19:57:18 +02:00
Renovate Bot
1389146e90
Lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 17:12:42 +00:00
David Mehren
74b0f34153
Merge pull request #1289 from hedgedoc/renovate/master-passport-saml-3.x
2021-05-17 19:10:46 +02:00
David Mehren
7f3c04c9fc
SAML: Use privateKey option
The old `privateCert` option was removed in
https://github.com/node-saml/passport-saml/pull/569

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-17 18:46:00 +02:00
Renovate Bot
1119b30535
Update dependency passport-saml to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 16:30:27 +00:00
David Mehren
3658d1aab2
Merge pull request #1286 from hedgedoc/renovate/master-optimize-css-assets-webpack-plugin-6.x
Update dependency optimize-css-assets-webpack-plugin to v6 (master)
2021-05-17 18:29:09 +02:00
Renovate Bot
f9f5f51204
Update dependency optimize-css-assets-webpack-plugin to v6
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-17 02:44:55 +00:00
David Mehren
6b95833404
Merge pull request #1282 from hedgedoc/fix-vimeo
Replace vimeo meta data api
2021-05-16 21:52:40 +02:00
Tilman Vatteroth
41b9ab956c
Replace vimeo meta data api
Vimeo deprecated the v2 API and recommends using
https://developer.vimeo.com/api/oembed/videos

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-05-15 21:25:03 +02:00
David Mehren
3762c6a00d
Merge pull request #1279 from hedgedoc/renovate/master-linters
Update dependency eslint-plugin-import to v2.23.2 (master)
2021-05-15 20:49:15 +02:00
Renovate Bot
c460f9c9f8
Update dependency eslint-plugin-import to v2.23.2
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-15 16:49:05 +00:00
David Mehren
8b374d8c19
Merge pull request #1267 from hedgedoc/release/1.8.2
2021-05-11 21:41:11 +02:00
David Mehren
32e31ac1e3
Bump version to 1.8.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
81d73b2db9
Add release notes for 1.8.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
01dad5821e
Merge pull request from GHSA-gjg7-4j2h-94fq
Fix XSS in Open Graph & User metadata
2021-05-11 21:13:25 +02:00
David Mehren
4cc9b3abe5
Merge pull request #1259 from hedgedoc/renovate/master-lock-file-maintenance
Lock file maintenance (master)
2021-05-11 19:42:43 +02:00
Renovate Bot
716808fa95
Lock file maintenance
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-11 17:15:20 +00:00
David Mehren
65bf66adc3
Merge pull request #1263 from hedgedoc/renovate/master-mermaid-8.x
Update dependency mermaid to v8.10.1 (master)
2021-05-11 19:13:35 +02:00
Renovate Bot
0b997b540a
Update dependency mermaid to v8.10.1
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2021-05-10 17:39:12 +00:00
David Mehren
f552b14e11
Sanitize username and photo URL
HedgeDoc displays the username and user photo at various places
by rendering the respective variables into an `ejs` template.
As the values are user-provided or generated from user-provided data,
it may be possible to inject unwanted HTML.

This commit sanitizes the username and photo URL by passing them
through the `xss` library.

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:28:44 +02:00
David Mehren
4a0216096a
Escape custom Open Graph tags
HedgeDoc allows specifying custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows injecting arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variable's content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
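As an added example for the two XSS fixes in this log (the escaped Open Graph tags in 4a0216096a and the sanitized username and photo URL in f552b14e11), written for this page and not taken from HedgeDoc, ejs or the `xss` package: a minimal stand-in template renderer that reproduces the one difference the Open Graph fix relies on, `<%-` emitting a value raw versus `<%=` emitting it HTML-escaped, followed by a small sanitizer for a user's display name and photo URL. The escape table mirrors the characters ejs escapes for `<%=`; the template strings, the `sanitizeUser` helper (which escapes the name and allows only http(s) photo URLs, rather than calling the `xss` library) and the malicious sample inputs are all constructed assumptions for the illustration.

```javascript
// Added illustration, not code from HedgeDoc, ejs or the `xss` package.
// A minimal template renderer that mirrors the one difference the fix relies on:
// `<%- expr %>` emits the value raw, `<%= expr %>` emits it HTML-escaped.
// The escape table follows the characters ejs escapes for `<%=` (assumed stand-in).
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// `expr` is a dotted path into `data`, e.g. `opengraph.title` (stand-in, not ejs itself).
function renderTemplate(template, data) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), data);
    const text = value == null ? '' : String(value);
    return mode === '=' ? escapeHtml(text) : text;
  });
}

// Before the fix: the Open Graph value taken from the note's YAML metadata is emitted raw.
const VULNERABLE_OG = '<meta property="og:title" content="<%- opengraph.title %>">';
// After the fix: `<%=` escapes the value, so it can close neither the attribute nor the tag.
const FIXED_OG = '<meta property="og:title" content="<%= opengraph.title %>">';

// Constructed sample payload standing in for attacker-controlled note metadata.
const MALICIOUS_META = { opengraph: { title: '"><script>alert(1)</script><meta x="' } };

function renderVulnerableOg() { return renderTemplate(VULNERABLE_OG, MALICIOUS_META); }
function renderFixedOg() { return renderTemplate(FIXED_OG, MALICIOUS_META); }

// Sanitizing user-derived values before they reach a template (assumed helper,
// not the `xss` library): the photo URL is parsed and kept only when it is an
// absolute http(s) URL, which rejects `javascript:` and `data:` URLs that would
// otherwise land in an `src` attribute; anything unparsable becomes empty.
function sanitizePhotoUrl(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') return parsed.href;
  } catch (_) {
    // not an absolute URL at all
  }
  return '';
}

// The display name is HTML-escaped so it is inert in both attribute and text context.
function sanitizeUser(user) {
  return { name: escapeHtml(user.name), photo: sanitizePhotoUrl(user.photo) };
}

// Profile template that emits the already-sanitized values raw via `<%-`.
const USER_TEMPLATE = '<img src="<%- user.photo %>" alt="<%- user.name %>"> <%- user.name %>';

// Constructed sample: a display name and a photo URL that both carry payloads.
const MALICIOUS_USER = { name: 'bob<script>alert(2)</script>', photo: 'javascript:alert(3)' };

function renderSanitizedUser() {
  return renderTemplate(USER_TEMPLATE, { user: sanitizeUser(MALICIOUS_USER) });
}

console.log(renderVulnerableOg());   // raw <script> lands in the page
console.log(renderFixedOg());        // payload is escaped into the attribute
console.log(renderSanitizedUser());  // empty src, escaped name
```

Run with `node` to see the three renderings side by side; the vulnerable Open Graph template prints a literal `<script>` element, while the fixed template and the sanitized profile keep every user-controlled byte inside the attribute or text node it was meant for.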