Commit graph

338 commits

Author SHA1 Message Date
David Mehren
7b00a59661
Set secure flag for non-session cookies
This adds the secure flag to all cookies that are set
in the frontend for storing various settings.
If `SameSite=none` is set (like when embedding the instance is allowed),
 the `secure` flag is necessary to set any cookie.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:08:31 +02:00
David Mehren
7ff685933e
Lazy-load highlight.js
This commit moves the import of highlight.js into a `require.ensure`
block, that is only executed when a code-block is actually present
in a note. Webpack automatically splits the library into a separate
chunk and loads that on demand.

The call to `hljs.listLanguages()` in `index.js` is also replaced
by a static list. This is important, as `index.js` would otherwise
need to import highlight.js, which would cause the quite big
library to be included into nearly every entrypoint, needlessly
increasing the transferred code size.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-11 09:29:27 +02:00
David Mehren
bd62e79f7d
Load ot without script-loader
The ot library is tricky to load with Webpack, as it writes
it's functions into a global `ot` object and does not export anything.
I got it working using `exports-loader` to put the `ot` object
into a CommonJS export and then forcing Webpack to only
load using CommonJS.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
4f4a4cb747
Load jquery-textcomplete without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:37 +02:00
David Mehren
cf867daf99
Load Idle.js without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
0e7a9df97d
Load jquery-ui resizable from npm package
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
e17cc6440f
Load codemirror and codemirror-spell-checker without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:20 +02:00
David Mehren
0f7f11e4f3
Fix HTML clipboard import
jQuery's .html() method escapes contained text (e.g. '<' becomes
'&lt;'). This confuses the turndown parser, which then only performs
unescaping, but does not convert to markdown.
By using .text() instead, the unescaped content is returned and turndown
can correctly generate markdown.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:06:45 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
David Mehren
788e7d460a
Update webpack config and JS import for spin.js v4
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:47:58 +01:00
David Mehren
b0e2577fd5
Remove reference to nonexisting DOM element
This was missed in #596 and breaks the frontend JS.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-27 19:24:43 +01:00
David Mehren
3461993ee0
Merge pull request #486 from codimd/feature/cookie-policy 2020-09-25 22:39:30 +02:00
Erik Michelson
824f910bfe
Add config option for cookie SameSite policy
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-27 02:04:49 +02:00
Erik Michelson
f821da6c09
Add prevent default to export button too
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-23 01:21:37 +02:00
Erik Michelson
d9adf598d8
Add dropbox CSP directive if configured and make button clickable
The lack of a 'preventDefault' on the click event handler resulted in the dropbox link being unclickable.
Furthermore because of a missing CSP rule, the dropbox script couldn't be loaded. The dropbox origin is now added to the CSP script sources if dropbox integration is configured.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-23 01:11:31 +02:00
David Mehren
e77e7b165a
Set all cookies with sameSite: strict
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-06-08 15:27:31 +02:00
Sheogorath
45cc1325fb
Fix revision redirect to index page
The revision view had a bug that clicking on a list entry would redirect
the user back to the index page instead of providing the revision diff.

This was cased by the baseurl which is now used as reference for hrefs.
Therefore when clicking on the `href="#"` this was actually pointing at
`<baseurl>#` which is usually the index page.

This patch simply removes the href from the list items and therefore the
link functionality. This fixes the whole problem by removing 9
characters from our source code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-10 17:45:43 +01:00
Sheogorath
6462968e84
Merge pull request #97 from SISheogorath/fix/linting
Fix eslint warnings
2019-06-04 16:09:46 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Toma Tasovac
9e7b081bd9 fixed styling of slides preview
Signed-off-by: Toma Tasovac <ttasovac@humanistika.org>
2019-05-30 10:53:08 +02:00
Sheogorath
c0e75b8606
Replace js-url with wurl
js-url is outdated and wurl is it's successor. This will fix some
vulnerabilities in the dependencies and also optimize the build process
by removing the external library toward internal tooling.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-04-16 19:28:23 +02:00
Sheogorath
1544b45af5
Move upload button into toolbar
Currently we have the odd situation to have two toolbars. One inside the
header and one in the editor.

Since we only show the image upload button when the editor is visible we
should move the upload button into the editor toolbar.

This patch does this by adding the image upload button besides the image
tag button.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-25 22:33:27 +01:00
Sheogorath
1f0fb12755
Fix CI errors for unused variables
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:36:39 +01:00
Sheogorath
33774c11b9
Update from to-markdown to turndown
We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.

After checking `to-markdown` to be maintained or not, it turned out they
renamed the library to `turndown`. So upgrading to `turndown` should fix
this vulnerbility.

References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 11:12:09 +01:00
Christoph (Sheogorath) Kern
271dff3808
Merge pull request #1043 from SISheogorath/fix/tocEmptyHead
Fix ToC breaking documents with empty h* elements
2018-11-19 21:33:34 +01:00
Sheogorath
d6dd33620c
Fix wrong anchors
While experimenting with the ToC changes, it became obvious that anchors
for those unnamed headers don't work.

This patch fixes those links by running the autolinkify twice and make
sure linkify only adds links to non-empty ids.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 20:20:56 +01:00
Claudius Coenen
858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
Sheogorath
1a9df22680
Add autocomplete for highlight.js languages into codemirror
Right now we support code highlighting for rust, but it doesn't appear
in autocomplete of codemirror, because codemirror is not aware of it.

This patch lets highlightjs simply tell codemirror, what it supports and
adds this to the autocomplete list.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 11:13:52 +02:00
Cédric Couralet
702f52f07c Fix #986 : Visibility is now transmitted with gitlab V4 api
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-10-09 06:46:25 +00:00
Cédric Couralet
66d374b128 Add possibility to choose between version v3 or v4 for the gitlab api.
Apart from the uri versioning, one big change is the snippet visibility post data (visibility_level -> visibility)

Default gitlab api version to v4

Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-07-31 08:36:56 +00:00
Sheogorath
f65d96c57b
Fix liniting and optimize some functions
First fixed some linting issues. Also optimized some functions to be
undoable with one ctrl+z.

This should also speedup some operations

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 21:18:15 +02:00
Edgar Zanella Alvarenga
a8b664fdb5 Add a toolbar to Codemirror editor
Signed-off-by: Edgar Zanella Alvarenga <e@vaz.io>
2018-06-19 16:03:56 +02:00
Sheogorath
ad69c5017b
Removing google drive integration
It's sad but it's not working. For multiple releases this should be
already broken which shows how often it's used.

As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.

This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 01:34:55 +02:00
Sheogorath
8b69013ebd
Fix night mode button after restore
The night mode toggle doesn't get the right state after restore from
local storage. This results in the need to toggle twice to disable night
mode.

This patch adds the needed class so the toggleNightMode function gets
the right state on execution.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 20:12:02 +02:00
Sheogorath
32c578db08
Persist nightmode so we can re-enable it
Right now the night mode is possible to set by a toggle in the menu bar
but needs to be re-enabled on every document switch, reload, etc.. This
is super annoying so we should keep this state in local storage or
a cookie.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-23 19:46:38 +01:00
Stefan Bühler
c4f8fb78ee don't require referer to find note id in socket.io connections (fixes #623)
Signed-off-by: Stefan Bühler <buehler@cert.uni-stuttgart.de>
2018-02-05 14:26:42 +01:00
Edoardo Odorico
6fc2c39eda Implemented dark theme.
Signed-off-by: Edoardo Odorico <edoubuntu@gmail.com>
2018-01-05 00:15:13 +01:00
Yukai Huang
4839838d0c Manage syncscroll / currentMode in appState 2017-05-07 20:38:22 +08:00
Yukai Huang
0e9afde5fa Move syncsroll under lib 2017-05-07 20:38:22 +08:00
Yukai Huang
d9221f6011 Remove CodeMirror-other-cursors dom creation
Since it’s done via hackmdio/CodeMirror#1
2017-05-07 20:38:22 +08:00
Yukai Huang
88c0c68856 Change more global var to global 2017-05-07 20:38:22 +08:00
Yukai Huang
68ccee20b3 Extract modeType 2017-05-07 20:37:27 +08:00
Yukai Huang
18a6f9063e Change some global variables to local 2017-05-07 20:37:27 +08:00
Yukai Huang
432f215a45 Fix indentation 2017-05-07 20:37:27 +08:00
Yukai Huang
c6c11c54ef Expose internal editor config variable 2017-05-07 20:37:27 +08:00
Wu Cheng-Han
e32dd547b4 Update to support code block syntax highlighting of gherkin 2017-05-05 18:03:23 +08:00
Yukai Huang
a938cac42a Fix indentations 2017-03-28 20:38:31 +08:00
Yukai Huang
b711ecfadb Drop global variable ui exposing 2017-03-28 19:30:06 +08:00
Yukai Huang
ba1bef015f Update to es6 module import style 2017-03-28 18:31:36 +08:00
Yukai Huang
7637a6a8a6 Update cm instance in changes event argument 2017-03-28 17:32:42 +08:00