diff options
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | app.js | 14 | ||||
-rw-r--r-- | config.json.example | 13 | ||||
-rw-r--r-- | lib/config/default.js | 15 | ||||
-rw-r--r-- | lib/config/environment.js | 11 | ||||
-rw-r--r-- | lib/config/index.js | 2 | ||||
-rw-r--r-- | lib/csp.js | 80 | ||||
-rw-r--r-- | lib/realtime.js | 2 | ||||
-rw-r--r-- | lib/response.js | 8 | ||||
-rw-r--r-- | lib/web/imageRouter.js | 34 | ||||
-rw-r--r-- | lib/web/noteRouter.js | 4 | ||||
-rw-r--r-- | lib/web/utils.js | 7 | ||||
-rw-r--r-- | locales/de.json | 6 | ||||
-rw-r--r-- | locales/en.json | 1 | ||||
-rw-r--r-- | locales/zh-CN.json | 8 | ||||
-rw-r--r-- | locales/zh-TW.json | 8 | ||||
-rw-r--r-- | package.json | 2 | ||||
-rw-r--r-- | public/docs/features.md | 17 | ||||
-rw-r--r-- | public/js/mathjax-config-extra.js | 8 | ||||
-rw-r--r-- | public/views/hackmd/body.ejs | 2 | ||||
-rw-r--r-- | public/views/hackmd/foot.ejs | 4 | ||||
-rw-r--r-- | public/views/index/body.ejs | 1 | ||||
-rw-r--r-- | public/views/pretty.ejs | 4 | ||||
-rw-r--r-- | public/views/shared/help-modal.ejs | 6 | ||||
-rw-r--r-- | public/views/slide.ejs | 6 |
25 files changed, 233 insertions, 36 deletions
@@ -143,6 +143,7 @@ There are some configs you need to change in the files below | HMD_URL_ADDPORT | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) | | HMD_USECDN | `true` or `false` | set to use CDN resources or not (default is `true`) | | HMD_ALLOW_ANONYMOUS | `true` or `false` | set to allow anonymous usage (default is `true`) | +| HMD_ALLOW_ANONYMOUS_EDITS | `true` or `false` | if `allowanonymous` is `true`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`) | | HMD_ALLOW_FREEURL | `true` or `false` | set to allow new note by accessing not exist note url | | HMD_DEFAULT_PERMISSION | `freely`, `editable`, `limited`, `locked` or `private` | set notes default permission (only applied on signed users) | | HMD_DB_URL | `mysql://localhost:3306/database` | set the db url | @@ -196,6 +197,7 @@ There are some configs you need to change in the files below | HMD_HSTS_INCLUDE_SUBDOMAINS | `true` | set to include subdomains in HSTS (default is `true`) | | HMD_HSTS_MAX_AGE | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) | | HMD_HSTS_PRELOAD | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) | +| HMD_CSP_ENABLE | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) | ## Application settings `config.json` @@ -207,11 +209,13 @@ There are some configs you need to change in the files below | port | `80` | web app port | | alloworigin | `['localhost']` | domain name whitelist | | usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) | -| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) | +| hsts | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) | +| csp | `{"enable": true, "directives": {"scriptSrc": "trustworthy-scripts.example.com"}, "upgradeInsecureRequests": "auto", "addDefaults": true}` | Configures [Content Security Policy](https://helmetjs.github.io/docs/csp/). Directives are passed to Helmet - see [their documentation](https://helmetjs.github.io/docs/csp/) for more information on the format. Some defaults are added to the configured values so that the application doesn't break. To disable this behaviour, set `addDefaults` to `false`. Further, if `usecdn` is on, some CDN locations are allowed too. By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `usessl` is on. To change this behaviour, set `upgradeInsecureRequests` to either `true` or `false`. | | protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) | | urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) | | usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) | | allowanonymous | `true` or `false` | set to allow anonymous usage (default is `true`) | +| allowanonymousedits | `true` or `false` | if `allowanonymous` is `true`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`) | | allowfreeurl | `true` or `false` | set to allow new note by accessing not exist note url | | defaultpermission | `freely`, `editable`, `limited`, `locked`, `protected` or `private` | set notes default permission (only applied on signed users) | | dburl | `mysql://localhost:3306/database` | set the db url, if set this variable then below db config won't be applied | @@ -24,6 +24,7 @@ var config = require('./lib/config') var logger = require('./lib/logger') var response = require('./lib/response') var models = require('./lib/models') +var csp = require('./lib/csp') // generate front-end constants by template var constpath = path.join(__dirname, './public/js/lib/common/constant.ejs') @@ -109,6 +110,19 @@ if (config.hsts.enable) { logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security') } +// Generate a random nonce per request, for CSP with inline scripts +app.use(csp.addNonceToLocals) + +// use Content-Security-Policy to limit XSS, dangerous plugins, etc. +// https://helmetjs.github.io/docs/csp/ +if (config.csp.enable) { + app.use(helmet.contentSecurityPolicy({ + directives: csp.computeDirectives() + })) +} else { + logger.info('Content-Security-Policy is disabled. This may be a security risk.') +} + i18n.configure({ locales: ['en', 'zh', 'zh-CN', 'zh-TW', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'], cookie: 'locale', diff --git a/config.json.example b/config.json.example index c2c270c3..f5ddf182 100644 --- a/config.json.example +++ b/config.json.example @@ -17,10 +17,17 @@ "production": { "domain": "localhost", "hsts": { - "enable": "true", + "enable": true, "maxAgeSeconds": "31536000", - "includeSubdomains": "true", - "preload": "true" + "includeSubdomains": true, + "preload": true + }, + csp: { + "enable": true, + "directives": { + }, + "upgradeInsecureRequests": "auto" + "addDefaults": true }, "db": { "username": "", diff --git a/lib/config/default.js b/lib/config/default.js index 40803476..28f4490c 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -13,9 +13,17 @@ module.exports = { includeSubdomains: true, preload: true }, + csp: { + enable: true, + directives: { + }, + addDefaults: true, + upgradeInsecureRequests: 'auto' + }, protocolusessl: false, usecdn: true, allowanonymous: true, + allowanonymousedits: false, allowfreeurl: false, defaultpermission: 'editable', dburl: '', @@ -54,6 +62,13 @@ module.exports = { secretAccessKey: undefined, region: undefined }, + minio: { + accessKey: undefined, + secretKey: undefined, + endPoint: undefined, + secure: true, + port: 9000 + }, s3bucket: undefined, // authentication facebook: { diff --git a/lib/config/environment.js b/lib/config/environment.js index 5a297382..e2112b6a 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -14,10 +14,14 @@ module.exports = { includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS), preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD) }, + csp: { + enable: toBooleanConfig(process.env.HMD_CSP_ENABLE) + }, protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL), alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), usecdn: toBooleanConfig(process.env.HMD_USECDN), allowanonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS), + allowanonymousedits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS), allowfreeurl: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), defaultpermission: process.env.HMD_DEFAULT_PERMISSION, dburl: process.env.HMD_DB_URL, @@ -30,6 +34,13 @@ module.exports = { secretAccessKey: process.env.HMD_S3_SECRET_ACCESS_KEY, region: process.env.HMD_S3_REGION }, + minio: { + accessKey: process.env.HMD_MINIO_ACCESS_KEY, + secretKey: process.env.HMD_MINIO_SECRET_KEY, + endPoint: process.env.HMD_MINIO_ENDPOINT, + secure: toBooleanConfig(process.env.HMD_MINIO_SECURE), + port: process.env.HMD_MINIO_PORT + }, s3bucket: process.env.HMD_S3_BUCKET, facebook: { clientID: process.env.HMD_FACEBOOK_CLIENTID, diff --git a/lib/config/index.js b/lib/config/index.js index 13c4692c..4f6b4b6a 100644 --- a/lib/config/index.js +++ b/lib/config/index.js @@ -49,7 +49,7 @@ if (config.ldap.tlsca) { // Permission config.permission = Permission -if (!config.allowanonymous) { +if (!config.allowanonymous && !config.allowanonymousedits) { delete config.permission.freely } if (!(config.defaultpermission in config.permission)) { diff --git a/lib/csp.js b/lib/csp.js new file mode 100644 index 00000000..509bc530 --- /dev/null +++ b/lib/csp.js @@ -0,0 +1,80 @@ +var config = require('./config') +var uuid = require('uuid') + +var CspStrategy = {} + +var defaultDirectives = { + defaultSrc: ['\'self\''], + scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''], + // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594 + imgSrc: ['*'], + styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views + fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'], + objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ + childSrc: ['*'], + connectSrc: ['*'] +} + +var cdnDirectives = { + scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'], + styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'], + fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com'] +} + +CspStrategy.computeDirectives = function () { + var directives = {} + mergeDirectives(directives, config.csp.directives) + mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives) + mergeDirectivesIf(config.usecdn, directives, cdnDirectives) + if (!areAllInlineScriptsAllowed(directives)) { + addInlineScriptExceptions(directives) + } + addUpgradeUnsafeRequestsOptionTo(directives) + return directives +} + +function mergeDirectives (existingDirectives, newDirectives) { + for (var propertyName in newDirectives) { + var newDirective = newDirectives[propertyName] + if (newDirective) { + var existingDirective = existingDirectives[propertyName] || [] + existingDirectives[propertyName] = existingDirective.concat(newDirective) + } + } +} + +function mergeDirectivesIf (condition, existingDirectives, newDirectives) { + if (condition) { + mergeDirectives(existingDirectives, newDirectives) + } +} + +function areAllInlineScriptsAllowed (directives) { + return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1 +} + +function addInlineScriptExceptions (directives) { + directives.scriptSrc.push(getCspNonce) + // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html + // Any more clean solution appreciated. + directives.scriptSrc.push('\'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=\'') +} + +function getCspNonce (req, res) { + return "'nonce-" + res.locals.nonce + "'" +} + +function addUpgradeUnsafeRequestsOptionTo (directives) { + if (config.csp.upgradeInsecureRequests === 'auto' && config.usessl) { + directives.upgradeInsecureRequests = true + } else if (config.csp.upgradeInsecureRequests === true) { + directives.upgradeInsecureRequests = true + } +} + +CspStrategy.addNonceToLocals = function (req, res, next) { + res.locals.nonce = uuid.v4() + next() +} + +module.exports = CspStrategy diff --git a/lib/realtime.js b/lib/realtime.js index e03e2d0b..c731e5b0 100644 --- a/lib/realtime.js +++ b/lib/realtime.js @@ -781,7 +781,7 @@ function connection (socket) { var note = notes[noteId] // Only owner can change permission if (note.owner && note.owner === socket.request.user.id) { - if (permission === 'freely' && !config.allowanonymous) return + if (permission === 'freely' && !config.allowanonymous && !config.allowanonymousedits) return note.permission = permission models.Note.update({ permission: permission diff --git a/lib/response.js b/lib/response.js index 9f3d5a44..445aa0d7 100644 --- a/lib/response.js +++ b/lib/response.js @@ -60,6 +60,7 @@ function showIndex (req, res, next) { url: config.serverurl, useCDN: config.usecdn, allowAnonymous: config.allowanonymous, + allowAnonymousEdits: config.allowanonymousedits, facebook: config.isFacebookEnable, twitter: config.isTwitterEnable, github: config.isGitHubEnable, @@ -93,6 +94,7 @@ function responseHackMD (res, note) { title: title, useCDN: config.usecdn, allowAnonymous: config.allowanonymous, + allowAnonymousEdits: config.allowanonymousedits, facebook: config.isFacebookEnable, twitter: config.isTwitterEnable, github: config.isGitHubEnable, @@ -117,7 +119,8 @@ function newNote (req, res, next) { } models.Note.create({ ownerId: owner, - alias: req.alias ? req.alias : null + alias: req.alias ? req.alias : null, + content: req.body ? req.body : '' }).then(function (note) { return res.redirect(config.serverurl + '/' + LZString.compressToBase64(note.id)) }).catch(function (err) { @@ -595,7 +598,8 @@ function showPublishSlide (req, res, next) { lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, robots: meta.robots || false, // default allow robots GA: meta.GA, - disqus: meta.disqus + disqus: meta.disqus, + cspNonce: res.locals.nonce } return renderPublishSlide(data, res) }).catch(function (err) { diff --git a/lib/web/imageRouter.js b/lib/web/imageRouter.js index bebab302..b17cccbd 100644 --- a/lib/web/imageRouter.js +++ b/lib/web/imageRouter.js @@ -73,6 +73,40 @@ imageRouter.post('/uploadimage', function (req, res) { }) }) break + + case 'minio': + var utils = require('../utils') + var Minio = require('minio') + var minioClient = new Minio.Client({ + endPoint: config.minio.endPoint, + port: config.minio.port, + secure: config.minio.secure, + accessKey: config.minio.accessKey, + secretKey: config.minio.secretKey + }) + fs.readFile(files.image.path, function (err, buffer) { + if (err) { + logger.error(err) + res.status(500).end('upload image error') + return + } + + var key = path.join('uploads', path.basename(files.image.path)) + var protocol = config.minio.secure ? 'https' : 'http' + + minioClient.putObject(config.s3bucket, key, buffer, buffer.size, utils.getImageMimeType(files.image.path), function (err, data) { + if (err) { + logger.error(err) + res.status(500).end('upload image error') + return + } + res.send({ + link: `${protocol}://${config.minio.endPoint}:${config.minio.port}/${config.s3bucket}/${key}` + }) + }) + }) + break + case 'imgur': default: imgur.setClientId(config.imgur.clientID) diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js index 007c02c2..41bf5f73 100644 --- a/lib/web/noteRouter.js +++ b/lib/web/noteRouter.js @@ -4,10 +4,14 @@ const Router = require('express').Router const response = require('../response') +const {markdownParser} = require('./utils') + const noteRouter = module.exports = Router() // get new note noteRouter.get('/new', response.newNote) +// post new note with content +noteRouter.post('/new', markdownParser, response.newNote) // get publish note noteRouter.get('/s/:shortid', response.showPublishNote) // publish note actions diff --git a/lib/web/utils.js b/lib/web/utils.js index c9016523..d58294ad 100644 --- a/lib/web/utils.js +++ b/lib/web/utils.js @@ -7,3 +7,10 @@ exports.urlencodedParser = bodyParser.urlencoded({ extended: false, limit: 1024 * 1024 * 10 // 10 mb }) + +// create text/markdown parser +exports.markdownParser = bodyParser.text({ + inflate: true, + type: ['text/plain', 'text/markdown'], + limit: 1024 * 1024 * 10 // 10 mb +}) diff --git a/locales/de.json b/locales/de.json index de76b590..73ffe0e6 100644 --- a/locales/de.json +++ b/locales/de.json @@ -29,6 +29,8 @@ "Import from browser": "Vom Browser importieren", "Releases": "Versionen", "Are you sure?": "Sind sie sicher?", + "Do you really want to delete this note?": "Möchten Sie diese Notiz wirklich löschen?", + "All users will lose their connection.": "Alle Benutzer werden getrennt.", "Cancel": "Abbrechen", "Yes, do it!": "Ja, mach es!", "Choose method": "Methode wählen", @@ -60,6 +62,7 @@ "Refresh": "Neu laden", "Contacts": "Kontakte", "Report an issue": "Fehlerbericht senden", + "Meet us on Gitter": "Triff uns auf Gitter", "Send us email": "Kontakt", "Documents": "Dokumente", "Features": "Funktionen", @@ -100,5 +103,6 @@ "Select From Available Snippets": "Aus verfügbaren Snippets wählen", "OR": "Oder", "Export to Snippet": "Zu Snippet exportieren", - "Select Visibility Level": "Sichtbarkeit bestimmen" + "Select Visibility Level": "Sichtbarkeit bestimmen", + "Night Theme": "Nachtmodus" } diff --git a/locales/en.json b/locales/en.json index 49e93a83..e6a966d7 100644 --- a/locales/en.json +++ b/locales/en.json @@ -62,6 +62,7 @@ "Refresh": "Refresh", "Contacts": "Contacts", "Report an issue": "Report an issue", + "Meet us on Gitter": "Meet us on Gitter", "Send us email": "Send us email", "Documents": "Documents", "Features": "Features", diff --git a/locales/zh-CN.json b/locales/zh-CN.json index 97602c82..da0e029c 100644 --- a/locales/zh-CN.json +++ b/locales/zh-CN.json @@ -60,6 +60,7 @@ "Refresh": "重新整理", "Contacts": "联络方式", "Report an issue": "报告问题", + "Meet us on Gitter": "在 Gitter 上联系我们", "Send us email": "寄信给我们", "Documents": "文件", "Features": "功能简介", @@ -100,5 +101,8 @@ "Select From Available Snippets": "从可用的 Snippets 中选择", "OR": "或是", "Export to Snippet": "导出到 Snippet", - "Select Visibility Level": "选择可见层级" -}
\ No newline at end of file + "Select Visibility Level": "选择可见层级", + "Night Theme": "夜间主题", + "Do you really want to delete this note?": "确定要删除这个文件吗?", + "All users will lose their connection.": "所有用户将失去连接" +} diff --git a/locales/zh-TW.json b/locales/zh-TW.json index a3bb7774..da50f66a 100644 --- a/locales/zh-TW.json +++ b/locales/zh-TW.json @@ -60,6 +60,7 @@ "Refresh": "重新整理", "Contacts": "聯絡方式", "Report an issue": "回報問題", + "Meet us on Gitter": "透過 Gitter 聯絡我們", "Send us email": "寄信給我們", "Documents": "文件", "Features": "功能簡介", @@ -100,5 +101,8 @@ "Select From Available Snippets": "從可用的 Snippets 中選擇", "OR": "或是", "Export to Snippet": "匯出到 Snippet", - "Select Visibility Level": "選擇可見層級" -}
\ No newline at end of file + "Select Visibility Level": "選擇可見層級", + "Night Theme": "夜間主題", + "Do you really want to delete this note?": "確定要刪除這個文件嗎?", + "All users will lose their connection.": "所有使用者將會失去連線" +} diff --git a/package.json b/package.json index bdb59635..94107783 100644 --- a/package.json +++ b/package.json @@ -79,6 +79,7 @@ "mattermost": "^3.4.0", "meta-marked": "^0.4.2", "method-override": "^2.3.7", + "minio": "^3.1.3", "moment": "^2.17.1", "morgan": "^1.7.0", "mysql": "^2.12.0", @@ -118,6 +119,7 @@ "tedious": "^1.14.0", "to-markdown": "^3.0.3", "toobusy-js": "^0.5.1", + "uuid": "^3.1.0", "uws": "~0.14.1", "validator": "^6.2.0", "velocity-animate": "^1.4.0", diff --git a/public/docs/features.md b/public/docs/features.md index a894c087..01340fd7 100644 --- a/public/docs/features.md +++ b/public/docs/features.md @@ -3,13 +3,12 @@ Features Introduction === -<i class="fa fa-file-text"></i> **HackMD** is a realtime, multiplatform collaborative markdown note editor. +<i class="fa fa-file-text"></i> **HackMD** is a realtime, multi-platform collaborative markdown note editor. This means that you can write notes with other people on your **desktop**, **tablet** or even on the **phone**. -You can sign-in via **Facebook**, **Twitter**, **GitHub**, or **Dropbox** in the [_homepage_](/). +You can sign-in via multiple auth providers like **Facebook**, **Twitter**, **GitHub** and many more on the [_homepage_](/). -Note that this service is still in an early stage, and thus still has some [_issues_](https://github.com/hackmdio/hackmd/issues?q=is%3Aopen+is%3Aissue+label%3Abug). -Please report new issues in [GitHub](https://github.com/hackmdio/hackmd/issues/new). -If you need instant help, please send us a [Facebook message](https://www.messenger.com/t/hackmdio). +If you experience any _issues_, feel free to report it on [**GitHub**](https://github.com/hackmdio/hackmd/issues). +Or meet us on [**Gitter**](https://gitter.im/hackmdio/hackmd) for dev-talk and interactive help. **Thank you very much!** Workspace @@ -137,7 +136,7 @@ alert(s); function $initHighlight(block, cls) { try { if (cls.search(/\bno\-highlight\b/) != -1) - return process(block, true, 0x0F) + + return process(block, true, 0x0F) + ' class=""'; } catch (e) { /* handle exception */ @@ -157,7 +156,7 @@ alert(s); function $initHighlight(block, cls) { try { if (cls.search(/\bno\-highlight\b/) != -1) - return process(block, true, 0x0F) + + return process(block, true, 0x0F) + ' class=""'; } catch (e) { /* handle exception */ @@ -259,7 +258,7 @@ cond(no)->op2 digraph hierarchy { nodesep=1.0 // increases the separation between nodes - + node [color=Red,fontname=Courier,shape=box] //All nodes will this shape and colour edge [color=Blue, style=dashed] //All the lines look like this @@ -386,7 +385,7 @@ Subscript: H~2~O > Blockquotes can also be nested... >> ...by using additional greater-than signs right next to each other... -> > > ...or with spaces between arrows. +> > > ...or with spaces between arrows. ### Lists diff --git a/public/js/mathjax-config-extra.js b/public/js/mathjax-config-extra.js new file mode 100644 index 00000000..11ba59c6 --- /dev/null +++ b/public/js/mathjax-config-extra.js @@ -0,0 +1,8 @@ +window.MathJax = { + messageStyle: 'none', + skipStartupTypeset: true, + tex2jax: { + inlineMath: [['$', '$'], ['\\(', '\\)']], + processEscapes: true + } +} diff --git a/public/views/hackmd/body.ejs b/public/views/hackmd/body.ejs index 91343ef6..49604379 100644 --- a/public/views/hackmd/body.ejs +++ b/public/views/hackmd/body.ejs @@ -15,7 +15,7 @@ <a id="permissionLabel" class="ui-permission-label text-uppercase" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false"> </a> <ul class="dropdown-menu" aria-labelledby="permissionLabel"> - <li class="ui-permission-freely"<% if(!allowAnonymous) { %> style="display: none;"<% } %>><a><i class="fa fa-leaf fa-fw"></i> Freely - Anyone can edit</a></li> + <li class="ui-permission-freely"<% if(!allowAnonymous && !allowAnonymousEdits) { %> style="display: none;"<% } %>><a><i class="fa fa-leaf fa-fw"></i> Freely - Anyone can edit</a></li> <li class="ui-permission-editable"><a><i class="fa fa-shield fa-fw"></i> Editable - Signed-in people can edit</a></li> <li class="ui-permission-limited"><a><i class="fa fa-id-card fa-fw"></i> Limited - Signed-in people can edit (forbid guests)</a></li> <li class="ui-permission-locked"><a><i class="fa fa-lock fa-fw"></i> Locked - Only owner can edit</a></li> diff --git a/public/views/hackmd/foot.ejs b/public/views/hackmd/foot.ejs index 16ef5737..fc971132 100644 --- a/public/views/hackmd/foot.ejs +++ b/public/views/hackmd/foot.ejs @@ -1,6 +1,4 @@ -<script type="text/x-mathjax-config"> - MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }}); -</script> +<script src="<%= url %>/js/mathjax-config-extra.js"></script> <% if(useCDN) { %> <script src="https://cdnjs.cloudflare.com/ajax/libs/spin.js/2.3.2/spin.min.js" integrity="sha256-PieqE0QdEDMppwXrTzSZQr6tWFX3W5KkyRVyF1zN3eg=" crossorigin="anonymous" defer></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script> diff --git a/public/views/index/body.ejs b/public/views/index/body.ejs index 913eef10..82d83f02 100644 --- a/public/views/index/body.ejs +++ b/public/views/index/body.ejs @@ -39,6 +39,7 @@ <div id="home" class="section"<% if(signin) { %> style="display:none;"<% } %>> <div class="inner cover"> <h1 class="cover-heading"><i class="fa fa-file-text"></i> HackMD</h1> + <p class="lead"><strong>Community Edition</strong></p> <p class="lead"> <%= __('Best way to write and share your knowledge in markdown.') %> </p> diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs index db72fdc4..91d9c36c 100644 --- a/public/views/pretty.ejs +++ b/public/views/pretty.ejs @@ -72,9 +72,7 @@ </body> </html> -<script type="text/x-mathjax-config"> - MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }}); -</script> +<script src="<%= url %>/js/mathjax-config-extra.js"></script> <% if(useCDN) { %> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/velocity/1.4.0/velocity.min.js" integrity="sha256-bhm0lgEt6ITaZCDzZpkr/VXVrLa5RP4u9v2AYsbzSUk=" crossorigin="anonymous" defer></script> diff --git a/public/views/shared/help-modal.ejs b/public/views/shared/help-modal.ejs index b1ea681d..f5dc55c2 100644 --- a/public/views/shared/help-modal.ejs +++ b/public/views/shared/help-modal.ejs @@ -15,9 +15,9 @@ <h3 class="panel-title"><%= __('Contacts') %></h3> </div> <div class="panel-body"> - <a href="https://github.com/hackmdio/hackmd/issues" target="_blank"><i class="fa fa-tag fa-fw"></i> <%= __('Report an issue') %></a> + <a href="https://github.com/hackmdio/hackmd/issues" target="_blank"><i class="fa fa-tag fa-fw"></i> <%= __('Report an issue') %></a> <br> - <a href="mailto:hackmdio@gmail.com"><i class="fa fa-envelope fa-fw"></i> <%= __('Send us email') %></a> + <a href="https://gitter.im/hackmdio/hackmd" target="_blank"><i class="fa fa-comments fa-fw"></i> <%= __('Meet us on Gitter') %></a> </div> </div> <div class="panel panel-default"> @@ -144,4 +144,4 @@ letter-spacing: 0.025em; line-height: 1.25; } -</style>
\ No newline at end of file +</style> diff --git a/public/views/slide.ejs b/public/views/slide.ejs index 3572476f..942add4f 100644 --- a/public/views/slide.ejs +++ b/public/views/slide.ejs @@ -41,7 +41,7 @@ <link rel="stylesheet" href="<%- url %>/css/slide.css"> <!-- Printing and PDF exports --> - <script> + <script nonce="<%= cspNonce %>"> var link = document.createElement( 'link' ); link.rel = 'stylesheet'; link.type = 'text/css'; @@ -89,9 +89,7 @@ </div> </div> - <script type="text/x-mathjax-config"> - MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }}); - </script> + <script src="<%= url %>/js/mathjax-config-extra.js"></script> <% if(useCDN) { %> <script src="https://cdnjs.cloudflare.com/ajax/libs/reveal.js/3.3.0/lib/js/head.min.js" integrity="sha256-+09kLhwACKXFPDvqo4xMMvi4+uXFsRZ2uYGbeN1U8sI=" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/reveal.js/3.3.0/js/reveal.min.js" integrity="sha256-lvaInSKflJWLPqf5N5oHr/UZFwXKD6gckerdwoHqECY=" crossorigin="anonymous"></script> |