The html.hbs template does not contain any logic,
so we can replace the lib with good old string.replace calls.
This significantly reduces the bundle size, as we don't have to ship
a full template engine to the client.
Signed-off-by: David Mehren <git@herrmehren.de>
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.
These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.
This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.
See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in public/views
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in README
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in SECURITY.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in LICENSE
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/configuration.md
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in bin/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/dev
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/guides/auth
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update various links in code to the new GitHub org.
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: codiMDVersion.js is now hedgeDocVersion.js
Signed-off-by: David Mehren <git@herrmehren.de>
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: References in docs/setup/yunohost
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rebrand to HedgeDoc: Add banner and logo
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Update links in docs/guides/migrate-etherpad
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Remove note in docs/guides/auth/github
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace links in public/docs/features
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add todo placeholder in docs/history
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in public/views/index/body
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Replace github link in README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add logo to README
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Rename to HedgeDoc: Add note about the renaming to the front page
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
Removed Travis from README.md and change CodiMD to HedgeDoc in some places
Signed-off-by: Yannick Bungers <git@innay.de>
Some more renaming to HedgeDoc
- Fixed capitalization of HedgeDoc
- Added renaming for etherpad migration doc
Signed-off-by: Yannick Bungers <git@innay.de>
Changed Repo name to hedgedoc
Signed-off-by: Yannick Bungers <git@innay.de>
