hedgedoc/public, branch cindy Hedgedoc with support for CindyScript Add simple support for cindyjs 2021-05-17T18:12:50+00:00 stuebinm 2021-03-09T00:23:23+00:00 b0f98a43381486995b99ed79e0eabb3af149dbf3 Notably, the error output (in case of compiler errors) is generated by overwriting the builtin console.error-function, which is a horrible idea for many reasons, but there isn't really any other way right now. 
Notably, the error output (in case of compiler errors) is generated
by overwriting the builtin console.error-function, which is a horrible
idea for many reasons, but there isn't really any other way right now.
Add release notes for 1.8.2 2021-05-11T19:28:10+00:00 David Mehren 2021-05-11T17:42:57+00:00 81d73b2db9e0d9bc938e242bb57bd45d948ce4f4 Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>
Escape custom Open Graph tags 2021-05-09T17:21:27+00:00 David Mehren 2021-05-09T13:25:59+00:00 4a0216096a6aa1ebba9d8b0ada067c73ffa1513f HedgeDoc allows to specify custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows to inject arbitrary strings, including `<script>` tags. This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variables content, thereby mitigating the XSS vector. See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com> Signed-off-by: David Mehren <git@herrmehren.de> 
HedgeDoc allows to specify custom Open Graph tags using the
`opengraph` key in the YAML metadata of a note.

These are rendered into the HTML delivered to clients using `ejs` and
its `<%-` tag. This outputs the variable unescaped into the template
and therefore allows to inject arbitrary strings,
including `<script>` tags.

This commit changes the template to use ejs's `<%=` tag instead,
which automatically escapes the variables content,
thereby mitigating the XSS vector.

See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq

Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
Signed-off-by: David Mehren <git@herrmehren.de>
Fix typo in release notes 2021-05-06T20:37:47+00:00 David Mehren 2021-05-06T20:37:47+00:00 3e836d815baf3f98fb6b263b5aa123d81f78fb9c Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>
Add release notes for 1.8.1 2021-05-06T20:24:02+00:00 David Mehren 2021-05-06T18:48:46+00:00 1b1b328d49fe318b234d3d898db52c838a05d02a Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>
Fix 1.8.0 changelog 2021-05-06T19:34:30+00:00 David Mehren 2021-05-06T18:48:30+00:00 2c12feb127259545c11dcbd0ad3d4aa64cd90a4b CVE-2021-29475 has been fixed since HedgeDoc 1.5.0, instead of 1.6.0 Signed-off-by: David Mehren <git@herrmehren.de> 
CVE-2021-29475 has been fixed since
HedgeDoc 1.5.0, instead of 1.6.0

Signed-off-by: David Mehren <git@herrmehren.de>
Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines 2021-05-06T19:16:22+00:00 David Mehren 2021-05-06T19:16:22+00:00 dc1f621eb84356bcb42e357102ef1ecff73261a6 Fix insertOnStartOfLines behaviour 
Fix insertOnStartOfLines behaviour
 Fix click handler for numbered task lists 2021-05-05T21:34:03+00:00 Erik Michelson 2021-05-05T21:34:03+00:00 7f8be22e97a29eb54f22aff1ea377973417d45d4 The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc). This commit changes the regex to allow both. Signed-off-by: Erik Michelson <opensource@erik.michelson.eu> 
The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc).
This commit changes the regex to allow both.

Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
Fix insertOnStartOfLines behaviour 2021-05-05T20:57:49+00:00 David Mehren 2021-05-05T20:57:49+00:00 e4b2b6ff73b0f2132c93f242ddf6143cc03a9619 A bug in insertOnStartOfLines lead to duplicated text, if the cursor was not at the start of a line. This fixes the behaviour of insertOnStartOfLines to always use the complete first and last line of the selection, even if they were only partially selected. Fixes #1231 Signed-off-by: David Mehren <git@herrmehren.de> 
A bug in insertOnStartOfLines lead to duplicated text,
if the cursor was not at the start of a line.

This fixes the behaviour of insertOnStartOfLines to always use
the complete first and last line of the selection,
even if they were only partially selected.

Fixes #1231

Signed-off-by: David Mehren <git@herrmehren.de>
Add release notes for 1.8.0 2021-05-03T20:26:08+00:00 David Mehren 2021-05-03T19:54:25+00:00 30a91b6fd742b1bcb6f143523ab3fcdefbdf094a Signed-off-by: David Mehren <git@herrmehren.de> 
Signed-off-by: David Mehren <git@herrmehren.de>