Commit graph

1103 commits

Author SHA1 Message Date
David Mehren
cf867daf99
Load Idle.js without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
0e7a9df97d
Load jquery-ui resizable from npm package
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:23 +02:00
David Mehren
e17cc6440f
Load codemirror and codemirror-spell-checker without script-loader
Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 20:59:20 +02:00
Tilman Vatteroth
41b9ab956c
Replace vimeo meta data api
Vimeo deprecated the v2 api and recommends to
use https://developer.vimeo.com/api/oembed/videos

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-05-15 21:25:03 +02:00
David Mehren
81d73b2db9
Add release notes for 1.8.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-11 21:28:10 +02:00
David Mehren
4a0216096a
Escape custom Open Graph tags
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-09 19:21:27 +02:00
David Mehren
3e836d815b
Fix typo in release notes
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-06 22:37:47 +02:00
David Mehren
1b1b328d49
Add release notes for 1.8.1
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-06 22:24:02 +02:00
David Mehren
2c12feb127
Fix 1.8.0 changelog
CVE-2021-29475 has been fixed since
HedgeDoc 1.5.0, instead of 1.6.0

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-06 21:34:30 +02:00
David Mehren
dc1f621eb8
Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines
Fix insertOnStartOfLines behaviour
2021-05-06 21:16:22 +02:00
Erik Michelson
7f8be22e97
Fix click handler for numbered task lists
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
2021-05-05 23:34:03 +02:00
David Mehren
e4b2b6ff73
Fix insertOnStartOfLines behaviour
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.

This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.

Fixes #1231

Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-05 22:57:49 +02:00
David Mehren
30a91b6fd7
Add release notes for 1.8.0
Signed-off-by: David Mehren <git@herrmehren.de>
2021-05-03 22:26:08 +02:00
Erik Michelson
0d943d1284
Extract list of supported languages in separate file
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-04-26 21:45:31 +02:00
David Mehren
0bf97f30c4
Add changelog for 1.8.0-rc1
Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-26 21:45:31 +02:00
David Mehren
837cf59ef9
Add support for freshly imported languages
New languages: bg, fa, gl, he, hu, oc, pt-br

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-26 21:42:06 +02:00
David Mehren
e4c8f869f0
Add translators to the list of contributors for 1.8.0-rc1
Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-26 21:42:06 +02:00
David Mehren
2faf5b6974
Merge pull request #1150 from hedgedoc/feature/prometheus_metrics 2021-04-25 20:34:03 +02:00
David Mehren
c8e2117452
Merge pull request #1167 from hedgedoc/maintenance/master/remove_node_10 2021-04-25 20:10:46 +02:00
David Mehren
cbe7b03b59
Document new Prometheus endpoint
Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-25 20:06:56 +02:00
David Mehren
e1df30bd5c
Raise minimum required Node.js version to 12
As Node 10 will be EOL at April 30th, we should stop supporting
and/or promoting the usage of that version.

See also https://endoflife.date/nodejs

Signed-off-by: David Mehren <git@herrmehren.de>
2021-04-22 22:52:38 +02:00
Philip Molares
049ac32cc9 Changelog: Mention removal of node-imgur
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-04-22 22:51:41 +02:00
Philip Molares
82aa36177f Features.md: Change tag explanation
Explain tags in the features.md with yaml metadata, instead of the
heading syntax.

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-28 19:02:30 +02:00
David Mehren
2ea40bb98d
Merge pull request #1022 from hedgedoc/fix/translate
[1.x] Templates: Remove lang and add translation parameter
2021-03-18 21:36:24 +01:00
Philip Molares
8e6aab0145 Templates: Remove lang and add translation parameter
Since the interface is not always in english, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in english, there the global lang="en" should be kept.
Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations.
Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in yaml (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html.

Fixes #881
See also #437

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-03-16 10:48:44 +01:00
David Mehren
73a83f3ed6
Add release notes entry for #969
Signed-off-by: David Mehren <git@herrmehren.de>
2021-03-06 10:35:34 +01:00
David Mehren
0f7f11e4f3
Fix HTML clipboard import
jQuery's .html() method escapes contained text (e.g. '<' becomes
'&lt;'). This confuses the turndown parser, which then only performs
unescaping, but does not convert to markdown.
By using .text() instead, the unescaped content is returned and turndown
can correctly generate markdown.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-16 22:06:45 +01:00
Philip Molares
136d895d15 Linter: Fix all lint errors
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 12:15:14 +01:00
Yannick Bungers
b01421c470
Merge pull request #841 from hedgedoc/renovate/master-ejs-3.x 2021-02-13 20:03:45 +01:00
David Mehren
788e7d460a
Update webpack config and JS import for spin.js v4
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-12 23:47:58 +01:00
David Mehren
b468fb623b
Switch to ejs 3 compliant imports
Signed-off-by: David Mehren <git@herrmehren.de>
2021-02-09 20:27:39 +01:00
Tilman Vatteroth
9f59a73049
Fix wrong acces to slide options
If the slide options in the frontmatter are empty
or not present, then slideOptions object in the
parsed JSON is undefined. This triggers an
exception when the sanitized slide options object
is built.

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-02-02 13:27:37 +01:00
Erik Michelson
40d30baa03
Improved CSS in night-mode
A general invert-filter is applied to all pre elements in night mode. As diagrams are embedded inside pre tags, they're inverted as well. For sequence-diagrams and flow-charts this looks well, if we wouldn't additionally set the stroke and text color to white in night-mode. These additional white rules invert the already inverted diagram again and make it not good visible. The graphviz and abc embeddings aren't really optimized to be inverted, therefore they're now excluded from invertion and stay in day mode.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2021-01-28 12:30:47 +01:00
Tilman Vatteroth
3eb64cff55
Delete slide options that are not defined
Reveal.js doesn't set the default value of an option in the provided config object
if the key is set with "undefined" as value. This leads to a broken slide mode,
because some critical settings are missing.

Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
2021-01-15 21:18:23 +01:00
David Mehren
e9d4587344
Bump version to 1.7.2
Signed-off-by: David Mehren <git@herrmehren.de>
2021-01-15 20:37:30 +01:00
David Mehren
2b8aac289a
Merge pull request #727 from hedgedoc/fix/slideOptionsSanitation 2021-01-14 21:57:07 +01:00
Philip Molares
8e611e42ee added theme to the sanitization of slideOptions
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 16:42:53 +01:00
Philip Molares
a52982c7d2 fixed a problem that the last line of code becomes covered by status bar and can't be moved without changing the note.
Thanks to @mhdrone for reporting this and suggesting the fix

fixes #724

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:51:32 +01:00
Philip Molares
1546786c63 changed the SCRIPT_END_PLACEHOLDER regex to case insensitive
this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:35:17 +01:00
Philip Molares
35b0d39a12 added sanitation to the slideMode in frontmatter
This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648

Specifically left out are
- dependency (user can't really include anything anyway, because CSP forbids most domains)
- autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
- keyboard (this let's users write arbitrary code and seems therefore to problematic)

See:
https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-01-14 11:18:09 +01:00
David Mehren
5b3d62e494
Fix typo in release notes
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 21:21:12 +01:00
David Mehren
7d2c433b1b
Bump version to 1.7.1
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 20:54:39 +01:00
David Mehren
c32b1cf42b
Don't store mermaid diagrams in innerHTML
Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements.
Using `.text()` instead mitigates this issue.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-27 10:14:27 +01:00
David Mehren
687fdf20cd
Add note about X-Forwarded-Proto to 1.7.0 release notes
This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.

Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:35:49 +01:00
David Mehren
e7409b265c
Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 21:28:53 +01:00
David Mehren
a11d45ce27
Fix broken PDF embed in features page & explain embedding problems
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-21 17:20:33 +01:00
David Mehren
81e463250d
Release 1.7.0-rc2
Signed-off-by: David Mehren <git@herrmehren.de>
2020-12-02 23:15:56 +01:00
David Mehren
461e48e25b
Changelog for 1.7.0-rc1
Signed-off-by: David Mehren <git@herrmehren.de>
2020-11-29 17:23:30 +01:00
David Mehren
e985c2e694
Merge pull request #599 from hedgedoc/fix/icons
Fix shortcut icon urls pointing to old (nonexistent) files
2020-11-27 21:06:07 +01:00
Yannick Bungers
4b28acd9e8
Merge pull request #603 from hedgedoc/feat/new-chat-link
Replace references to Matrix room with chat.hedgedoc.org
2020-11-27 21:03:45 +01:00