Commit graph

608 commits

Author SHA1 Message Date
David Mehren
faa10da86b Set all cookies with sameSite: strict
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Signed-off-by: David Mehren <dmehren1@gmail.com>
2020-07-10 18:40:56 +08:00
Erik Michelson
76f07efcbc
Fixed eslint error introduced by 2d3ea1f
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-04-24 03:15:19 +02:00
Sheogorath
2d3ea1fc61
Merge pull request #312 from PascalBru/feature_301
add icon to toolbar with list of diagrams
2020-03-26 00:26:12 +01:00
Pascal Bruckert
3f047e33c4 add icon to toolbar with list of diagrams
Signed-off-by: Pascal Bruckert <pascal.bruckert@bit-sci.com>
2020-03-25 19:38:32 +01:00
Sheogorath
a2522888b2
Remove PDF export
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.

The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.

Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-26 15:05:54 +01:00
Sheogorath
45cc1325fb
Fix revision redirect to index page
The revision view had a bug that clicking on a list entry would redirect
the user back to the index page instead of providing the revision diff.

This was cased by the baseurl which is now used as reference for hrefs.
Therefore when clicking on the `href="#"` this was actually pointing at
`<baseurl>#` which is usually the index page.

This patch simply removes the href from the list items and therefore the
link functionality. This fixes the whole problem by removing 9
characters from our source code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-10 17:45:43 +01:00
Erik Michelson
c9abe4276f
Fix #249 - Focus user field after opening login modal
Signed-off-by: Erik Michelson <erik@liltv.de>
2020-01-08 18:37:11 +01:00
hoijui
ad1a2fb19c make standard conform [fix]
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:54 +01:00
hoijui
3233a448c6 make headerIds const [fix]
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:45 +01:00
hoijui
3be40b23d1 fix gfm header link generation with respect to deduplicatedHeaderId
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:24 +01:00
hoijui
47009805b3 linkifyHeaderStyle needs no string-ification; is already str.
Co-Authored-By: Yukai Huang <yukaihuangtw@gmail.com>
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-30 17:46:04 +01:00
Sheogorath
7a27579589
Merge pull request #205 from hoijui/linkifyHeaderStyle
Allow to generate lower case header references through the config
2019-10-23 21:18:57 +02:00
RyotaK
8494f6a085
Don't accept sandbox attribute
Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.

Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
2019-10-22 12:04:12 +02:00
hoijui
e654ca8a31 Allow to generate lower case header references through the config
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.

This behavior can be enabled in config.json with:

```
"linkifyHeaderStyle": "gfm"
```

Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-22 09:05:37 +02:00
hoijui
20adab2f32 slight doc comment touch-up/simplification [minor]
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
2019-10-22 09:02:40 +02:00
Sheogorath
6462968e84
Merge pull request #97 from SISheogorath/fix/linting
Fix eslint warnings
2019-06-04 16:09:46 +02:00
Sheogorath
4da68597f7
Fix eslint warnings
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.

There should no functional change be introduced.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-05-31 00:30:29 +02:00
Toma Tasovac
9e7b081bd9 fixed styling of slides preview
Signed-off-by: Toma Tasovac <ttasovac@humanistika.org>
2019-05-30 10:53:08 +02:00
Pedro Ferreira
26dacde959 Fix toolbar day mode
Also moved the code to SCSS

Signed-off-by: Pedro Ferreira <pedro@dete.st>
2019-05-12 20:15:46 +02:00
Pedro Ferreira
1801febfe6 Make upload button respect night mode
Also set a title in the input field, so that the file name doesn't show
up.

Signed-off-by: Pedro Ferreira <pedro@dete.st>
2019-05-12 20:15:46 +02:00
Sheogorath
c0e75b8606
Replace js-url with wurl
js-url is outdated and wurl is it's successor. This will fix some
vulnerabilities in the dependencies and also optimize the build process
by removing the external library toward internal tooling.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-04-16 19:28:23 +02:00
Max Wu
fb399ebe73
Fix stored XSS in the graphviz error message rendering [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>

Co-Authored-By: Sheogorath <sheogorath@shivering-isles.com>
2019-04-16 14:05:26 +02:00
Sheogorath
1544b45af5
Move upload button into toolbar
Currently we have the odd situation to have two toolbars. One inside the
header and one in the editor.

Since we only show the image upload button when the editor is visible we
should move the upload button into the editor toolbar.

This patch does this by adding the image upload button besides the image
tag button.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-25 22:33:27 +01:00
Sheogorath
982775f6dc
Fix broken HTML export with emojis
HTML export was broken due to missing alt-attribute for emojis.

This patch adds the old alt-element style and restores the exportability
this way.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-03-09 15:04:07 +01:00
Sheogorath
1f0fb12755
Fix CI errors for unused variables
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:36:39 +01:00
Sheogorath
c5ca7b634a
Remove broken speakerdeck embedding
The current speakerdeck implementation is broken. An alternative
implementation using oembed doesn't work due to CORS, which could be
solved by proxying the speakerdeck API, but we decided to not do this.

This patch provides the link to the speakerdeck presentation instead,
and this way doesn't break existing notes. This is right now the best
solution we could come up with.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-02-21 01:26:37 +01:00
Max Wu
067cfe2d1e Fix to escape html comment tag [Security Issue]
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-12-28 16:42:55 +08:00
Sheogorath
33774c11b9
Update from to-markdown to turndown
We got a security alert for a regular expression DoS attack on our used
library `to-markdown`.

After checking `to-markdown` to be maintained or not, it turned out they
renamed the library to `turndown`. So upgrading to `turndown` should fix
this vulnerbility.

References:
https://www.npmjs.com/package/to-markdown
https://github.com/domchristie/turndown/wiki/Migrating-from-to-markdown-to-Turndown
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 11:12:09 +01:00
Christoph (Sheogorath) Kern
271dff3808
Merge pull request #1043 from SISheogorath/fix/tocEmptyHead
Fix ToC breaking documents with empty h* elements
2018-11-19 21:33:34 +01:00
Sheogorath
d6dd33620c
Fix wrong anchors
While experimenting with the ToC changes, it became obvious that anchors
for those unnamed headers don't work.

This patch fixes those links by running the autolinkify twice and make
sure linkify only adds links to non-empty ids.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 20:20:56 +01:00
Claudius Coenen
858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
Sheogorath
c59b94a37b
Remove the xss library from webpack
We can load the xss functions directly from the library instead of
loading them through the expose loader of webpack, this should simplify
the setup and maybe even improve speed a bit.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-10 20:27:07 +01:00
Sheogorath
d188b3526a
Again: Replace emoji-plugin regex
The Regex introduced in the last commit[1], was already working quite
good. But still resulted in false positives for all URL that contained a
second `:`.

To fix this once and for all, we craft a simple, but long regex based on
all emoji names and use this to match them.

We could probably optimize it, but that should also be something the
regex engine itself can and should do.

[1]: 7e45533c75 (in this source tree)

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-31 15:33:45 +01:00
Sheogorath
7e45533c75
Fix emoji regex
The old regex, adapted from the other plugins, was a bit too open for
matching. This leads to matching something like: `This is a sentence:
[And something with a: in it.]()` which doesn't become a link anymore.
Because the match is: ` [And something with a`.

This patch provides a fix for the regex to only match non-space string
within the `:`'s.

References:
- Introducing commit:
2063eb8bdf
- Inspirational source of the original RegEx:
2063eb8bdf/public/js/extra.js (L1095)

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-29 20:37:47 +01:00
Christoph (Sheogorath) Kern
e115423d12
Merge pull request #1006 from SISheogorath/fix/missingEmojis
Fix not rendered autocomplete emojis
2018-10-22 23:02:33 +02:00
Christoph (Sheogorath) Kern
1abf7c54ae
Merge pull request #1004 from SISheogorath/feature/integrateHljs
Add autocomplete for highlight.js languages into codemirror
2018-10-11 17:30:03 +02:00
Sheogorath
1d452a6ed4
Remove dead package octicon
Octicon no longer provides its CSS classes and this way is useless in
CodiMD. Replacing all used classes in the UI and remove it from build
system.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 23:42:41 +02:00
Sheogorath
2063eb8bdf
Fix not rendered autocomplete emojis
Currently we have some emojis that are autocompleted but won't show up
in the resulting document.

This patch adds all emojis that are pushed to Codemirror and applies
them to the markdown rendering process, so they become usable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 21:24:33 +02:00
Sheogorath
1a9df22680
Add autocomplete for highlight.js languages into codemirror
Right now we support code highlighting for rust, but it doesn't appear
in autocomplete of codemirror, because codemirror is not aware of it.

This patch lets highlightjs simply tell codemirror, what it supports and
adds this to the autocomplete list.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-10 11:13:52 +02:00
Cédric Couralet
702f52f07c Fix #986 : Visibility is now transmitted with gitlab V4 api
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-10-09 06:46:25 +00:00
Sheogorath
75a23fe2c9
Add rel="noopener" to target="_blank" links
The noopener construct protects from some nasty clickjacking attacks. We
can apply them savely to all our links since we don't rely on the
previously used page.

Some more details: https://mathiasbynens.github.io/rel-noopener/

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-04 01:49:36 +02:00
Cédric Couralet
66d374b128 Add possibility to choose between version v3 or v4 for the gitlab api.
Apart from the uri versioning, one big change is the snippet visibility post data (visibility_level -> visibility)

Default gitlab api version to v4

Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-07-31 08:36:56 +00:00
Alexander Wellbrock
97c2330264
Fix some false titles
Signed-off-by: Alexander Wellbrock <a.wellbrock@mailbox.org>
2018-07-08 20:41:46 +02:00
Sheogorath
dea62cf310
Update store
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-30 16:52:34 +02:00
Sheogorath
1c92524c08
Fix broken unicode urls
It wasn't possible to create unicode based URLs in freeurl mode, because
the noteid used for the websocket connection is double escaped. When we
decode it and let socketio-client reencode it, we get the real
shortid/noteid and can find the note in the database and open the
connection.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-26 22:25:36 +02:00
Christoph (Sheogorath) Kern
c7745f6b27
Merge pull request #863 from hackmdio/feature/slidePrint
Add Print icon to slide view
2018-06-26 21:41:18 +02:00
Sheogorath
04d16e4d6e
Add Print icon to slide view
It redirects the user to the print view of the document. I claim that
people should either be smart enough to use ctrl+P or ask someone who
knows how to print a webpage. I don't want to babysit our users.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 23:50:38 +02:00
Sheogorath
2184491f4a
Final replacements
Looks like I missed a few. This should be complete now. And make us
ready for the repo rename and merging.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:13:46 +02:00
Sheogorath
4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Sheogorath
8fe26988d1
Fix all newly introduced linting issues
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 21:27:21 +02:00