summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--README.md6
-rw-r--r--app.js14
-rw-r--r--config.json.example13
-rw-r--r--lib/config/default.js15
-rw-r--r--lib/config/environment.js11
-rw-r--r--lib/config/index.js2
-rw-r--r--lib/csp.js80
-rw-r--r--lib/realtime.js2
-rw-r--r--lib/response.js8
-rw-r--r--lib/web/imageRouter.js34
-rw-r--r--lib/web/noteRouter.js4
-rw-r--r--lib/web/utils.js7
-rw-r--r--locales/de.json6
-rw-r--r--locales/en.json1
-rw-r--r--locales/zh-CN.json8
-rw-r--r--locales/zh-TW.json8
-rw-r--r--package.json2
-rw-r--r--public/docs/features.md17
-rw-r--r--public/js/mathjax-config-extra.js8
-rw-r--r--public/views/hackmd/body.ejs2
-rw-r--r--public/views/hackmd/foot.ejs4
-rw-r--r--public/views/index/body.ejs1
-rw-r--r--public/views/pretty.ejs4
-rw-r--r--public/views/shared/help-modal.ejs6
-rw-r--r--public/views/slide.ejs6
25 files changed, 233 insertions, 36 deletions
diff --git a/README.md b/README.md
index b820c92e..fb1f8e3d 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,7 @@ There are some configs you need to change in the files below
| HMD_URL_ADDPORT | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
| HMD_USECDN | `true` or `false` | set to use CDN resources or not (default is `true`) |
| HMD_ALLOW_ANONYMOUS | `true` or `false` | set to allow anonymous usage (default is `true`) |
+| HMD_ALLOW_ANONYMOUS_EDITS | `true` or `false` | if `allowanonymous` is `true`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`) |
| HMD_ALLOW_FREEURL | `true` or `false` | set to allow new note by accessing not exist note url |
| HMD_DEFAULT_PERMISSION | `freely`, `editable`, `limited`, `locked` or `private` | set notes default permission (only applied on signed users) |
| HMD_DB_URL | `mysql://localhost:3306/database` | set the db url |
@@ -196,6 +197,7 @@ There are some configs you need to change in the files below
| HMD_HSTS_INCLUDE_SUBDOMAINS | `true` | set to include subdomains in HSTS (default is `true`) |
| HMD_HSTS_MAX_AGE | `31536000` | max duration in seconds to tell clients to keep HSTS status (default is a year) |
| HMD_HSTS_PRELOAD | `true` | whether to allow preloading of the site's HSTS status (e.g. into browsers) |
+| HMD_CSP_ENABLE | `true` | whether to enable Content Security Policy (directives cannot be configured with environment variables) |
## Application settings `config.json`
@@ -207,11 +209,13 @@ There are some configs you need to change in the files below
| port | `80` | web app port |
| alloworigin | `['localhost']` | domain name whitelist |
| usessl | `true` or `false` | set to use ssl server (if true will auto turn on `protocolusessl`) |
-| hsts | `{"enable": "true", "maxAgeSeconds": "31536000", "includeSubdomains": "true", "preload": "true"}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
+| hsts | `{"enable": true, "maxAgeSeconds": 31536000, "includeSubdomains": true, "preload": true}` | [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) options to use with HTTPS (default is the example value, max age is a year) |
+| csp | `{"enable": true, "directives": {"scriptSrc": "trustworthy-scripts.example.com"}, "upgradeInsecureRequests": "auto", "addDefaults": true}` | Configures [Content Security Policy](https://helmetjs.github.io/docs/csp/). Directives are passed to Helmet - see [their documentation](https://helmetjs.github.io/docs/csp/) for more information on the format. Some defaults are added to the configured values so that the application doesn't break. To disable this behaviour, set `addDefaults` to `false`. Further, if `usecdn` is on, some CDN locations are allowed too. By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `usessl` is on. To change this behaviour, set `upgradeInsecureRequests` to either `true` or `false`. |
| protocolusessl | `true` or `false` | set to use ssl protocol for resources path (only applied when domain is set) |
| urladdport | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
| usecdn | `true` or `false` | set to use CDN resources or not (default is `true`) |
| allowanonymous | `true` or `false` | set to allow anonymous usage (default is `true`) |
+| allowanonymousedits | `true` or `false` | if `allowanonymous` is `true`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`) |
| allowfreeurl | `true` or `false` | set to allow new note by accessing not exist note url |
| defaultpermission | `freely`, `editable`, `limited`, `locked`, `protected` or `private` | set notes default permission (only applied on signed users) |
| dburl | `mysql://localhost:3306/database` | set the db url, if set this variable then below db config won't be applied |
diff --git a/app.js b/app.js
index ee04abd7..b7d493e0 100644
--- a/app.js
+++ b/app.js
@@ -24,6 +24,7 @@ var config = require('./lib/config')
var logger = require('./lib/logger')
var response = require('./lib/response')
var models = require('./lib/models')
+var csp = require('./lib/csp')
// generate front-end constants by template
var constpath = path.join(__dirname, './public/js/lib/common/constant.ejs')
@@ -109,6 +110,19 @@ if (config.hsts.enable) {
logger.info('https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security')
}
+// Generate a random nonce per request, for CSP with inline scripts
+app.use(csp.addNonceToLocals)
+
+// use Content-Security-Policy to limit XSS, dangerous plugins, etc.
+// https://helmetjs.github.io/docs/csp/
+if (config.csp.enable) {
+ app.use(helmet.contentSecurityPolicy({
+ directives: csp.computeDirectives()
+ }))
+} else {
+ logger.info('Content-Security-Policy is disabled. This may be a security risk.')
+}
+
i18n.configure({
locales: ['en', 'zh', 'zh-CN', 'zh-TW', 'fr', 'de', 'ja', 'es', 'ca', 'el', 'pt', 'it', 'tr', 'ru', 'nl', 'hr', 'pl', 'uk', 'hi', 'sv', 'eo', 'da'],
cookie: 'locale',
diff --git a/config.json.example b/config.json.example
index c2c270c3..f5ddf182 100644
--- a/config.json.example
+++ b/config.json.example
@@ -17,10 +17,17 @@
"production": {
"domain": "localhost",
"hsts": {
- "enable": "true",
+ "enable": true,
"maxAgeSeconds": "31536000",
- "includeSubdomains": "true",
- "preload": "true"
+ "includeSubdomains": true,
+ "preload": true
+ },
+ csp: {
+ "enable": true,
+ "directives": {
+ },
+ "upgradeInsecureRequests": "auto"
+ "addDefaults": true
},
"db": {
"username": "",
diff --git a/lib/config/default.js b/lib/config/default.js
index 40803476..28f4490c 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -13,9 +13,17 @@ module.exports = {
includeSubdomains: true,
preload: true
},
+ csp: {
+ enable: true,
+ directives: {
+ },
+ addDefaults: true,
+ upgradeInsecureRequests: 'auto'
+ },
protocolusessl: false,
usecdn: true,
allowanonymous: true,
+ allowanonymousedits: false,
allowfreeurl: false,
defaultpermission: 'editable',
dburl: '',
@@ -54,6 +62,13 @@ module.exports = {
secretAccessKey: undefined,
region: undefined
},
+ minio: {
+ accessKey: undefined,
+ secretKey: undefined,
+ endPoint: undefined,
+ secure: true,
+ port: 9000
+ },
s3bucket: undefined,
// authentication
facebook: {
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 5a297382..e2112b6a 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -14,10 +14,14 @@ module.exports = {
includeSubdomains: toBooleanConfig(process.env.HMD_HSTS_INCLUDE_SUBDOMAINS),
preload: toBooleanConfig(process.env.HMD_HSTS_PRELOAD)
},
+ csp: {
+ enable: toBooleanConfig(process.env.HMD_CSP_ENABLE)
+ },
protocolusessl: toBooleanConfig(process.env.HMD_PROTOCOL_USESSL),
alloworigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
usecdn: toBooleanConfig(process.env.HMD_USECDN),
allowanonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
+ allowanonymousedits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
allowfreeurl: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
defaultpermission: process.env.HMD_DEFAULT_PERMISSION,
dburl: process.env.HMD_DB_URL,
@@ -30,6 +34,13 @@ module.exports = {
secretAccessKey: process.env.HMD_S3_SECRET_ACCESS_KEY,
region: process.env.HMD_S3_REGION
},
+ minio: {
+ accessKey: process.env.HMD_MINIO_ACCESS_KEY,
+ secretKey: process.env.HMD_MINIO_SECRET_KEY,
+ endPoint: process.env.HMD_MINIO_ENDPOINT,
+ secure: toBooleanConfig(process.env.HMD_MINIO_SECURE),
+ port: process.env.HMD_MINIO_PORT
+ },
s3bucket: process.env.HMD_S3_BUCKET,
facebook: {
clientID: process.env.HMD_FACEBOOK_CLIENTID,
diff --git a/lib/config/index.js b/lib/config/index.js
index 13c4692c..4f6b4b6a 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -49,7 +49,7 @@ if (config.ldap.tlsca) {
// Permission
config.permission = Permission
-if (!config.allowanonymous) {
+if (!config.allowanonymous && !config.allowanonymousedits) {
delete config.permission.freely
}
if (!(config.defaultpermission in config.permission)) {
diff --git a/lib/csp.js b/lib/csp.js
new file mode 100644
index 00000000..509bc530
--- /dev/null
+++ b/lib/csp.js
@@ -0,0 +1,80 @@
+var config = require('./config')
+var uuid = require('uuid')
+
+var CspStrategy = {}
+
+var defaultDirectives = {
+ defaultSrc: ['\'self\''],
+ scriptSrc: ['\'self\'', 'vimeo.com', 'https://gist.github.com', 'www.slideshare.net', 'https://query.yahooapis.com', 'https://*.disqus.com', '\'unsafe-eval\''],
+ // ^ TODO: Remove unsafe-eval - webpack script-loader issues https://github.com/hackmdio/hackmd/issues/594
+ imgSrc: ['*'],
+ styleSrc: ['\'self\'', '\'unsafe-inline\'', 'https://assets-cdn.github.com'], // unsafe-inline is required for some libs, plus used in views
+ fontSrc: ['\'self\'', 'https://public.slidesharecdn.com'],
+ objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
+ childSrc: ['*'],
+ connectSrc: ['*']
+}
+
+var cdnDirectives = {
+ scriptSrc: ['https://cdnjs.cloudflare.com', 'https://cdn.mathjax.org'],
+ styleSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.googleapis.com'],
+ fontSrc: ['https://cdnjs.cloudflare.com', 'https://fonts.gstatic.com']
+}
+
+CspStrategy.computeDirectives = function () {
+ var directives = {}
+ mergeDirectives(directives, config.csp.directives)
+ mergeDirectivesIf(config.csp.addDefaults, directives, defaultDirectives)
+ mergeDirectivesIf(config.usecdn, directives, cdnDirectives)
+ if (!areAllInlineScriptsAllowed(directives)) {
+ addInlineScriptExceptions(directives)
+ }
+ addUpgradeUnsafeRequestsOptionTo(directives)
+ return directives
+}
+
+function mergeDirectives (existingDirectives, newDirectives) {
+ for (var propertyName in newDirectives) {
+ var newDirective = newDirectives[propertyName]
+ if (newDirective) {
+ var existingDirective = existingDirectives[propertyName] || []
+ existingDirectives[propertyName] = existingDirective.concat(newDirective)
+ }
+ }
+}
+
+function mergeDirectivesIf (condition, existingDirectives, newDirectives) {
+ if (condition) {
+ mergeDirectives(existingDirectives, newDirectives)
+ }
+}
+
+function areAllInlineScriptsAllowed (directives) {
+ return directives.scriptSrc.indexOf('\'unsafe-inline\'') !== -1
+}
+
+function addInlineScriptExceptions (directives) {
+ directives.scriptSrc.push(getCspNonce)
+ // TODO: This is the SHA-256 hash of the inline script in build/reveal.js/plugins/notes/notes.html
+ // Any more clean solution appreciated.
+ directives.scriptSrc.push('\'sha256-EtvSSxRwce5cLeFBZbvZvDrTiRoyoXbWWwvEVciM5Ag=\'')
+}
+
+function getCspNonce (req, res) {
+ return "'nonce-" + res.locals.nonce + "'"
+}
+
+function addUpgradeUnsafeRequestsOptionTo (directives) {
+ if (config.csp.upgradeInsecureRequests === 'auto' && config.usessl) {
+ directives.upgradeInsecureRequests = true
+ } else if (config.csp.upgradeInsecureRequests === true) {
+ directives.upgradeInsecureRequests = true
+ }
+}
+
+CspStrategy.addNonceToLocals = function (req, res, next) {
+ res.locals.nonce = uuid.v4()
+ next()
+}
+
+module.exports = CspStrategy
diff --git a/lib/realtime.js b/lib/realtime.js
index e03e2d0b..c731e5b0 100644
--- a/lib/realtime.js
+++ b/lib/realtime.js
@@ -781,7 +781,7 @@ function connection (socket) {
var note = notes[noteId]
// Only owner can change permission
if (note.owner && note.owner === socket.request.user.id) {
- if (permission === 'freely' && !config.allowanonymous) return
+ if (permission === 'freely' && !config.allowanonymous && !config.allowanonymousedits) return
note.permission = permission
models.Note.update({
permission: permission
diff --git a/lib/response.js b/lib/response.js
index 9f3d5a44..445aa0d7 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -60,6 +60,7 @@ function showIndex (req, res, next) {
url: config.serverurl,
useCDN: config.usecdn,
allowAnonymous: config.allowanonymous,
+ allowAnonymousEdits: config.allowanonymousedits,
facebook: config.isFacebookEnable,
twitter: config.isTwitterEnable,
github: config.isGitHubEnable,
@@ -93,6 +94,7 @@ function responseHackMD (res, note) {
title: title,
useCDN: config.usecdn,
allowAnonymous: config.allowanonymous,
+ allowAnonymousEdits: config.allowanonymousedits,
facebook: config.isFacebookEnable,
twitter: config.isTwitterEnable,
github: config.isGitHubEnable,
@@ -117,7 +119,8 @@ function newNote (req, res, next) {
}
models.Note.create({
ownerId: owner,
- alias: req.alias ? req.alias : null
+ alias: req.alias ? req.alias : null,
+ content: req.body ? req.body : ''
}).then(function (note) {
return res.redirect(config.serverurl + '/' + LZString.compressToBase64(note.id))
}).catch(function (err) {
@@ -595,7 +598,8 @@ function showPublishSlide (req, res, next) {
lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null,
robots: meta.robots || false, // default allow robots
GA: meta.GA,
- disqus: meta.disqus
+ disqus: meta.disqus,
+ cspNonce: res.locals.nonce
}
return renderPublishSlide(data, res)
}).catch(function (err) {
diff --git a/lib/web/imageRouter.js b/lib/web/imageRouter.js
index bebab302..b17cccbd 100644
--- a/lib/web/imageRouter.js
+++ b/lib/web/imageRouter.js
@@ -73,6 +73,40 @@ imageRouter.post('/uploadimage', function (req, res) {
})
})
break
+
+ case 'minio':
+ var utils = require('../utils')
+ var Minio = require('minio')
+ var minioClient = new Minio.Client({
+ endPoint: config.minio.endPoint,
+ port: config.minio.port,
+ secure: config.minio.secure,
+ accessKey: config.minio.accessKey,
+ secretKey: config.minio.secretKey
+ })
+ fs.readFile(files.image.path, function (err, buffer) {
+ if (err) {
+ logger.error(err)
+ res.status(500).end('upload image error')
+ return
+ }
+
+ var key = path.join('uploads', path.basename(files.image.path))
+ var protocol = config.minio.secure ? 'https' : 'http'
+
+ minioClient.putObject(config.s3bucket, key, buffer, buffer.size, utils.getImageMimeType(files.image.path), function (err, data) {
+ if (err) {
+ logger.error(err)
+ res.status(500).end('upload image error')
+ return
+ }
+ res.send({
+ link: `${protocol}://${config.minio.endPoint}:${config.minio.port}/${config.s3bucket}/${key}`
+ })
+ })
+ })
+ break
+
case 'imgur':
default:
imgur.setClientId(config.imgur.clientID)
diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js
index 007c02c2..41bf5f73 100644
--- a/lib/web/noteRouter.js
+++ b/lib/web/noteRouter.js
@@ -4,10 +4,14 @@ const Router = require('express').Router
const response = require('../response')
+const {markdownParser} = require('./utils')
+
const noteRouter = module.exports = Router()
// get new note
noteRouter.get('/new', response.newNote)
+// post new note with content
+noteRouter.post('/new', markdownParser, response.newNote)
// get publish note
noteRouter.get('/s/:shortid', response.showPublishNote)
// publish note actions
diff --git a/lib/web/utils.js b/lib/web/utils.js
index c9016523..d58294ad 100644
--- a/lib/web/utils.js
+++ b/lib/web/utils.js
@@ -7,3 +7,10 @@ exports.urlencodedParser = bodyParser.urlencoded({
extended: false,
limit: 1024 * 1024 * 10 // 10 mb
})
+
+// create text/markdown parser
+exports.markdownParser = bodyParser.text({
+ inflate: true,
+ type: ['text/plain', 'text/markdown'],
+ limit: 1024 * 1024 * 10 // 10 mb
+})
diff --git a/locales/de.json b/locales/de.json
index de76b590..73ffe0e6 100644
--- a/locales/de.json
+++ b/locales/de.json
@@ -29,6 +29,8 @@
"Import from browser": "Vom Browser importieren",
"Releases": "Versionen",
"Are you sure?": "Sind sie sicher?",
+ "Do you really want to delete this note?": "Möchten Sie diese Notiz wirklich löschen?",
+ "All users will lose their connection.": "Alle Benutzer werden getrennt.",
"Cancel": "Abbrechen",
"Yes, do it!": "Ja, mach es!",
"Choose method": "Methode wählen",
@@ -60,6 +62,7 @@
"Refresh": "Neu laden",
"Contacts": "Kontakte",
"Report an issue": "Fehlerbericht senden",
+ "Meet us on Gitter": "Triff uns auf Gitter",
"Send us email": "Kontakt",
"Documents": "Dokumente",
"Features": "Funktionen",
@@ -100,5 +103,6 @@
"Select From Available Snippets": "Aus verfügbaren Snippets wählen",
"OR": "Oder",
"Export to Snippet": "Zu Snippet exportieren",
- "Select Visibility Level": "Sichtbarkeit bestimmen"
+ "Select Visibility Level": "Sichtbarkeit bestimmen",
+ "Night Theme": "Nachtmodus"
}
diff --git a/locales/en.json b/locales/en.json
index 49e93a83..e6a966d7 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -62,6 +62,7 @@
"Refresh": "Refresh",
"Contacts": "Contacts",
"Report an issue": "Report an issue",
+ "Meet us on Gitter": "Meet us on Gitter",
"Send us email": "Send us email",
"Documents": "Documents",
"Features": "Features",
diff --git a/locales/zh-CN.json b/locales/zh-CN.json
index 97602c82..da0e029c 100644
--- a/locales/zh-CN.json
+++ b/locales/zh-CN.json
@@ -60,6 +60,7 @@
"Refresh": "重新整理",
"Contacts": "联络方式",
"Report an issue": "报告问题",
+ "Meet us on Gitter": "在 Gitter 上联系我们",
"Send us email": "寄信给我们",
"Documents": "文件",
"Features": "功能简介",
@@ -100,5 +101,8 @@
"Select From Available Snippets": "从可用的 Snippets 中选择",
"OR": "或是",
"Export to Snippet": "导出到 Snippet",
- "Select Visibility Level": "选择可见层级"
-} \ No newline at end of file
+ "Select Visibility Level": "选择可见层级",
+ "Night Theme": "夜间主题",
+ "Do you really want to delete this note?": "确定要删除这个文件吗?",
+ "All users will lose their connection.": "所有用户将失去连接"
+}
diff --git a/locales/zh-TW.json b/locales/zh-TW.json
index a3bb7774..da50f66a 100644
--- a/locales/zh-TW.json
+++ b/locales/zh-TW.json
@@ -60,6 +60,7 @@
"Refresh": "重新整理",
"Contacts": "聯絡方式",
"Report an issue": "回報問題",
+ "Meet us on Gitter": "透過 Gitter 聯絡我們",
"Send us email": "寄信給我們",
"Documents": "文件",
"Features": "功能簡介",
@@ -100,5 +101,8 @@
"Select From Available Snippets": "從可用的 Snippets 中選擇",
"OR": "或是",
"Export to Snippet": "匯出到 Snippet",
- "Select Visibility Level": "選擇可見層級"
-} \ No newline at end of file
+ "Select Visibility Level": "選擇可見層級",
+ "Night Theme": "夜間主題",
+ "Do you really want to delete this note?": "確定要刪除這個文件嗎?",
+ "All users will lose their connection.": "所有使用者將會失去連線"
+}
diff --git a/package.json b/package.json
index bdb59635..94107783 100644
--- a/package.json
+++ b/package.json
@@ -79,6 +79,7 @@
"mattermost": "^3.4.0",
"meta-marked": "^0.4.2",
"method-override": "^2.3.7",
+ "minio": "^3.1.3",
"moment": "^2.17.1",
"morgan": "^1.7.0",
"mysql": "^2.12.0",
@@ -118,6 +119,7 @@
"tedious": "^1.14.0",
"to-markdown": "^3.0.3",
"toobusy-js": "^0.5.1",
+ "uuid": "^3.1.0",
"uws": "~0.14.1",
"validator": "^6.2.0",
"velocity-animate": "^1.4.0",
diff --git a/public/docs/features.md b/public/docs/features.md
index a894c087..01340fd7 100644
--- a/public/docs/features.md
+++ b/public/docs/features.md
@@ -3,13 +3,12 @@ Features
Introduction
===
-<i class="fa fa-file-text"></i> **HackMD** is a realtime, multiplatform collaborative markdown note editor.
+<i class="fa fa-file-text"></i> **HackMD** is a realtime, multi-platform collaborative markdown note editor.
This means that you can write notes with other people on your **desktop**, **tablet** or even on the **phone**.
-You can sign-in via **Facebook**, **Twitter**, **GitHub**, or **Dropbox** in the [_homepage_](/).
+You can sign-in via multiple auth providers like **Facebook**, **Twitter**, **GitHub** and many more on the [_homepage_](/).
-Note that this service is still in an early stage, and thus still has some [_issues_](https://github.com/hackmdio/hackmd/issues?q=is%3Aopen+is%3Aissue+label%3Abug).
-Please report new issues in [GitHub](https://github.com/hackmdio/hackmd/issues/new).
-If you need instant help, please send us a [Facebook message](https://www.messenger.com/t/hackmdio).
+If you experience any _issues_, feel free to report it on [**GitHub**](https://github.com/hackmdio/hackmd/issues).
+Or meet us on [**Gitter**](https://gitter.im/hackmdio/hackmd) for dev-talk and interactive help.
**Thank you very much!**
Workspace
@@ -137,7 +136,7 @@ alert(s);
function $initHighlight(block, cls) {
try {
if (cls.search(/\bno\-highlight\b/) != -1)
- return process(block, true, 0x0F) +
+ return process(block, true, 0x0F) +
' class=""';
} catch (e) {
/* handle exception */
@@ -157,7 +156,7 @@ alert(s);
function $initHighlight(block, cls) {
try {
if (cls.search(/\bno\-highlight\b/) != -1)
- return process(block, true, 0x0F) +
+ return process(block, true, 0x0F) +
' class=""';
} catch (e) {
/* handle exception */
@@ -259,7 +258,7 @@ cond(no)->op2
digraph hierarchy {
nodesep=1.0 // increases the separation between nodes
-
+
node [color=Red,fontname=Courier,shape=box] //All nodes will this shape and colour
edge [color=Blue, style=dashed] //All the lines look like this
@@ -386,7 +385,7 @@ Subscript: H~2~O
> Blockquotes can also be nested...
>> ...by using additional greater-than signs right next to each other...
-> > > ...or with spaces between arrows.
+> > > ...or with spaces between arrows.
### Lists
diff --git a/public/js/mathjax-config-extra.js b/public/js/mathjax-config-extra.js
new file mode 100644
index 00000000..11ba59c6
--- /dev/null
+++ b/public/js/mathjax-config-extra.js
@@ -0,0 +1,8 @@
+window.MathJax = {
+ messageStyle: 'none',
+ skipStartupTypeset: true,
+ tex2jax: {
+ inlineMath: [['$', '$'], ['\\(', '\\)']],
+ processEscapes: true
+ }
+}
diff --git a/public/views/hackmd/body.ejs b/public/views/hackmd/body.ejs
index 91343ef6..49604379 100644
--- a/public/views/hackmd/body.ejs
+++ b/public/views/hackmd/body.ejs
@@ -15,7 +15,7 @@
<a id="permissionLabel" class="ui-permission-label text-uppercase" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">
</a>
<ul class="dropdown-menu" aria-labelledby="permissionLabel">
- <li class="ui-permission-freely"<% if(!allowAnonymous) { %> style="display: none;"<% } %>><a><i class="fa fa-leaf fa-fw"></i> Freely - Anyone can edit</a></li>
+ <li class="ui-permission-freely"<% if(!allowAnonymous && !allowAnonymousEdits) { %> style="display: none;"<% } %>><a><i class="fa fa-leaf fa-fw"></i> Freely - Anyone can edit</a></li>
<li class="ui-permission-editable"><a><i class="fa fa-shield fa-fw"></i> Editable - Signed-in people can edit</a></li>
<li class="ui-permission-limited"><a><i class="fa fa-id-card fa-fw"></i> Limited - Signed-in people can edit (forbid guests)</a></li>
<li class="ui-permission-locked"><a><i class="fa fa-lock fa-fw"></i> Locked - Only owner can edit</a></li>
diff --git a/public/views/hackmd/foot.ejs b/public/views/hackmd/foot.ejs
index 16ef5737..fc971132 100644
--- a/public/views/hackmd/foot.ejs
+++ b/public/views/hackmd/foot.ejs
@@ -1,6 +1,4 @@
-<script type="text/x-mathjax-config">
- MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }});
-</script>
+<script src="<%= url %>/js/mathjax-config-extra.js"></script>
<% if(useCDN) { %>
<script src="https://cdnjs.cloudflare.com/ajax/libs/spin.js/2.3.2/spin.min.js" integrity="sha256-PieqE0QdEDMppwXrTzSZQr6tWFX3W5KkyRVyF1zN3eg=" crossorigin="anonymous" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
diff --git a/public/views/index/body.ejs b/public/views/index/body.ejs
index 913eef10..82d83f02 100644
--- a/public/views/index/body.ejs
+++ b/public/views/index/body.ejs
@@ -39,6 +39,7 @@
<div id="home" class="section"<% if(signin) { %> style="display:none;"<% } %>>
<div class="inner cover">
<h1 class="cover-heading"><i class="fa fa-file-text"></i> HackMD</h1>
+ <p class="lead"><strong>Community Edition</strong></p>
<p class="lead">
<%= __('Best way to write and share your knowledge in markdown.') %>
</p>
diff --git a/public/views/pretty.ejs b/public/views/pretty.ejs
index db72fdc4..91d9c36c 100644
--- a/public/views/pretty.ejs
+++ b/public/views/pretty.ejs
@@ -72,9 +72,7 @@
</body>
</html>
-<script type="text/x-mathjax-config">
- MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }});
-</script>
+<script src="<%= url %>/js/mathjax-config-extra.js"></script>
<% if(useCDN) { %>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js" integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/velocity/1.4.0/velocity.min.js" integrity="sha256-bhm0lgEt6ITaZCDzZpkr/VXVrLa5RP4u9v2AYsbzSUk=" crossorigin="anonymous" defer></script>
diff --git a/public/views/shared/help-modal.ejs b/public/views/shared/help-modal.ejs
index b1ea681d..f5dc55c2 100644
--- a/public/views/shared/help-modal.ejs
+++ b/public/views/shared/help-modal.ejs
@@ -15,9 +15,9 @@
<h3 class="panel-title"><%= __('Contacts') %></h3>
</div>
<div class="panel-body">
- <a href="https://github.com/hackmdio/hackmd/issues" target="_blank"><i class="fa fa-tag fa-fw"></i> <%= __('Report an issue') %></a>
+ <a href="https://github.com/hackmdio/hackmd/issues" target="_blank"><i class="fa fa-tag fa-fw"></i> <%= __('Report an issue') %></a>
<br>
- <a href="mailto:hackmdio@gmail.com"><i class="fa fa-envelope fa-fw"></i> <%= __('Send us email') %></a>
+ <a href="https://gitter.im/hackmdio/hackmd" target="_blank"><i class="fa fa-comments fa-fw"></i> <%= __('Meet us on Gitter') %></a>
</div>
</div>
<div class="panel panel-default">
@@ -144,4 +144,4 @@
letter-spacing: 0.025em;
line-height: 1.25;
}
-</style> \ No newline at end of file
+</style>
diff --git a/public/views/slide.ejs b/public/views/slide.ejs
index 3572476f..942add4f 100644
--- a/public/views/slide.ejs
+++ b/public/views/slide.ejs
@@ -41,7 +41,7 @@
<link rel="stylesheet" href="<%- url %>/css/slide.css">
<!-- Printing and PDF exports -->
- <script>
+ <script nonce="<%= cspNonce %>">
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
@@ -89,9 +89,7 @@
</div>
</div>
- <script type="text/x-mathjax-config">
- MathJax.Hub.Config({ messageStyle: "none", skipStartupTypeset: true ,tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']], processEscapes: true }});
- </script>
+ <script src="<%= url %>/js/mathjax-config-extra.js"></script>
<% if(useCDN) { %>
<script src="https://cdnjs.cloudflare.com/ajax/libs/reveal.js/3.3.0/lib/js/head.min.js" integrity="sha256-+09kLhwACKXFPDvqo4xMMvi4+uXFsRZ2uYGbeN1U8sI=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/reveal.js/3.3.0/js/reveal.min.js" integrity="sha256-lvaInSKflJWLPqf5N5oHr/UZFwXKD6gckerdwoHqECY=" crossorigin="anonymous"></script>