hedgedoc/public/views, branch cindy Hedgedoc with support for CindyScript Add simple support for cindyjs 2021-05-17T18:12:50+00:00 stuebinm 2021-03-09T00:23:23+00:00 b0f98a43381486995b99ed79e0eabb3af149dbf3 Notably, the error output (in case of compiler errors) is generated by overwriting the builtin console.error-function, which is a horrible idea for many reasons, but there isn't really any other way right now. 
Notably, the error output (in case of compiler errors) is generated
by overwriting the builtin console.error-function, which is a horrible
idea for many reasons, but there isn't really any other way right now.
Escape custom Open Graph tags 2021-05-09T17:21:27+00:00 David Mehren 2021-05-09T13:25:59+00:00 4a0216096a6aa1ebba9d8b0ada067c73ffa1513f HedgeDoc allows to specify custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows to inject arbitrary strings, including `<script>` tags. This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variables content, thereby mitigating the XSS vector. See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> 
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Extract list of supported languages in separate file 2021-04-26T19:45:31+00:00 Erik Michelson 2021-04-25T22:18:08+00:00 0d943d128431f166045de53bd64575dac142d320 Signed-off-by: Erik Michelson <github@erik.michelson.eu> 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Add support for freshly imported languages 2021-04-26T19:42:06+00:00 David Mehren 2021-04-25T20:28:42+00:00 837cf59ef9f27d8cbc6d77120304d8dcf8e7e9bb New languages: bg, fa, gl, he, hu, oc, pt-br Signed-off-by: David Mehren <git@herrmehren.de> 
New languages: bg, fa, gl, he, hu, oc, pt-br

Signed-off-by: David Mehren <git@herrmehren.de>
Templates: Remove lang and add translation parameter 2021-03-16T09:48:44+00:00 Philip Molares 2021-03-11T11:21:44+00:00 8e6aab0145019b40cb5517cbb66d2bbe545f0ec9 Since the interface is not always in english, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in english, there the global lang="en" should be kept. Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations. Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in yaml (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html. Fixes #881 See also #437 Signed-off-by: Philip Molares <philip.molares@udo.edu> 
Since the interface is not always in english, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in english, there the global lang="en" should be kept.
Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations.
Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in yaml (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html.

Fixes #881
See also #437

Signed-off-by: Philip Molares <philip.molares@udo.edu>
Switch to ejs 3 compliant imports 2021-02-09T19:27:39+00:00 David Mehren 2021-02-09T19:27:29+00:00 b468fb623b055ea6f105b40289d708023e59a07e Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>
Merge pull request #599 from hedgedoc/fix/icons 2020-11-27T20:06:07+00:00 David Mehren 2020-11-27T20:06:07+00:00 e985c2e694c110bd3837cc3127ffc78e37950dd1 Fix shortcut icon urls pointing to old (nonexistent) files 
Fix shortcut icon urls pointing to old (nonexistent) files
 Replace references to Matrix room with chat.hedgedoc.org 2020-11-27T18:53:26+00:00 David Mehren 2020-11-27T18:53:14+00:00 b506db11a042f67cc752eecd79977cc944df5663 Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>
Fixed shortcut icon urls pointing to old (nonexistent) files 2020-11-27T10:29:34+00:00 Erik Michelson 2020-11-27T10:29:34+00:00 68c8f2860dd85f984e68b05393fbfdab0eec88c6 Signed-off-by: Erik Michelson <github@erik.michelson.eu> 
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Remove pdf export code 2020-11-26T20:09:23+00:00 Tilman Vatteroth 2020-11-26T19:52:57+00:00 97312b5ed3db8e5967184fc2f693a47dcba091f5 Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> 
Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>