Commit message  (Author, Age, Files, Lines)
* Merge pull request #1267 from hedgedoc/release/1.8.2  (David Mehren, 2021-05-11, 5 files, -5/+13)
|\
| * Bump version to 1.8.2  (David Mehren, 2021-05-11, 4 files, -5/+5)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Add release notes for 1.8.2  (David Mehren, 2021-05-11, 1 file, -0/+8)
|/
|   Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request from GHSA-gjg7-4j2h-94fq  (David Mehren, 2021-05-11, 2 files, -3/+4)
|\
| |   Fix XSS in Open Graph & User metadata
| * Sanitize username and photo URL  (David Mehren, 2021-05-09, 1 file, -2/+3)
| |
| |   HedgeDoc displays the username and user photo at various places by
| |   rendering the respective variables into an `ejs` template.
| |   As the values are user-provided or generated from user-provided data,
| |   it may be possible to inject unwanted HTML.
| |
| |   This commit sanitizes the username and photo URL by passing them
| |   through the `xss` library.
| |
| |   Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Escape custom Open Graph tags  (David Mehren, 2021-05-09, 1 file, -1/+1)
| |
| |   HedgeDoc allows specifying custom Open Graph tags using the `opengraph`
| |   key in the YAML metadata of a note. These are rendered into the HTML
| |   delivered to clients using `ejs` and its `<%-` tag.
| |   This outputs the variable unescaped into the template and therefore
| |   allows injecting arbitrary strings, including `<script>` tags.
| |
| |   This commit changes the template to use ejs's `<%=` tag instead, which
| |   automatically escapes the variable's content, thereby mitigating the
| |   XSS vector.
| |
| |   See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
| |
| |   Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
| |   Signed-off-by: David Mehren <git@herrmehren.de>
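The two commits above describe the same bug class from two angles: template output that is not escaped (`<%-` versus `<%=`) and profile fields that reach a template as untrusted strings. The block below is an added illustration and is not HedgeDoc's code: it implements a deliberately tiny EJS-like renderer that only supports variable lookups, so the raw and escaping tags can be compared on the same attacker-controlled input, and it pairs that with a scheme allow-list for the photo URL. The real fix routed the username and photo URL through the `xss` npm package; the `sanitizePhotoUrl` allow-list here is a stand-in, not that library. The `<meta>` template shapes, the attacker payload and the profile template are constructed for this example; the entity spellings in `ESCAPE_MAP` are assumed to match EJS's `escapeXML`.

```javascript
// Added example, not HedgeDoc's own code. Minimal EJS-like renderer that
// distinguishes the raw `<%-` tag from the escaping `<%=` tag, plus a
// stand-in for the profile-field sanitisation (the real fix used the `xss`
// npm package; the scheme allow-list below is an assumption for illustration).

// Same five characters EJS's escapeXML handles (entity spellings assumed).
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };

// HTML-escape a value the way `<%= %>` does.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Tiny template engine: `<%= name %>` escapes, `<%- name %>` emits raw.
// Only dotted variable lookups are supported; no code is evaluated.
function render(template, locals) {
  return template.replace(/<%([-=])\s*([\w.]+)\s*%>/g, (_, mode, path) => {
    const value = path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), locals);
    const text = value == null ? '' : String(value);
    return mode === '=' ? escapeHtml(text) : text;
  });
}

// Open Graph <meta> tag shaped like the template before and after the fix
// (constructed here; the real template's exact markup is not on this page).
const VULNERABLE_OG_TEMPLATE = '<meta property="og:<%- key %>" content="<%- value %>">';
const FIXED_OG_TEMPLATE = '<meta property="og:<%= key %>" content="<%= value %>">';

function renderOpenGraphTag(template, key, value) {
  return render(template, { key, value });
}

// A value an attacker could put under the `opengraph` YAML key of a note
// (constructed for this example): closes the attribute, injects a script,
// then re-opens an attribute so the rest of the tag stays well-formed.
const ATTACKER_VALUE = '"><script>alert(1)</script><meta x="';

// Profile fields: the username is safe once it is escaped at output time;
// the photo URL additionally needs a scheme allow-list, because escaping
// does nothing against `javascript:` inside a src/href attribute.
function sanitizePhotoUrl(raw) {
  try {
    const url = new URL(String(raw));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '';
  } catch {
    return ''; // not a parseable absolute URL: drop it rather than guess
  }
}

const PROFILE_TEMPLATE = '<img src="<%= user.photo %>" alt="<%= user.name %>">';

function renderProfile(name, photo) {
  return render(PROFILE_TEMPLATE, { user: { name, photo: sanitizePhotoUrl(photo) } });
}

console.log('raw    :', renderOpenGraphTag(VULNERABLE_OG_TEMPLATE, 'title', ATTACKER_VALUE));
console.log('escaped:', renderOpenGraphTag(FIXED_OG_TEMPLATE, 'title', ATTACKER_VALUE));
console.log('profile:', renderProfile('<b>admin</b>', 'javascript:alert(1)'));
```

Running it prints the raw rendering with a live `<script>` element, the escaped rendering where the same payload is inert attribute text, and a profile tag whose `src` is empty because the `javascript:` URL failed the allow-list. Note that escaping alone would have left `src="javascript:alert(1)"` intact, which is why the photo URL needs the extra check.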
* | Merge pull request #1259 from hedgedoc/renovate/master-lock-file-maintenance  (David Mehren, 2021-05-11, 1 file, -105/+122)
|\ \
| | |   Lock file maintenance (master)
| * | Lock file maintenance  (Renovate Bot, 2021-05-11, 1 file, -105/+122)
|/ /
| |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #1263 from hedgedoc/renovate/master-mermaid-8.x  (David Mehren, 2021-05-11, 2 files, -5/+5)
|\ \
| |/
|/|
| |   Update dependency mermaid to v8.10.1 (master)
| * Update dependency mermaid to v8.10.1  (Renovate Bot, 2021-05-10, 2 files, -5/+5)
|/
|   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1246 from hedgedoc/fix/heroku_pg_ssl  (David Mehren, 2021-05-09, 1 file, -0/+10)
|\
| |   Ignore Postgres SSL errors on Heroku
| * Ignore Postgres SSL errors on Heroku  (David Mehren, 2021-05-07, 1 file, -0/+10)
| |
| |   The connection to Heroku's Postgres instances must use SSL, but not
| |   check the certificate. This adds the necessary configuration to the
| |   Heroku setup script.
| |
| |   Fixes #1245
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #1241 from hedgedoc/renovate/master-test-packages  (David Mehren, 2021-05-09, 2 files, -5/+5)
|\ \
| | |   Update dependency mocha to v8.4.0 (master)
| * | Update dependency mocha to v8.4.0  (Renovate Bot, 2021-05-09, 2 files, -5/+5)
| | |
| | |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | | Merge pull request #1247 from hedgedoc/renovate/master-linters  (David Mehren, 2021-05-09, 2 files, -10/+10)
|\ \ \
| |/ /
|/| |
| | |   Update dependency eslint to v7.26.0 (master)
| * | Update dependency eslint to v7.26.0  (Renovate Bot, 2021-05-09, 2 files, -10/+10)
|/ /
| |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #1250 from hedgedoc/renovate/master-pymdown-extensions-8.x  (David Mehren, 2021-05-09, 1 file, -1/+1)
|\ \
| | |   Update dependency pymdown-extensions to v8.2 (master)
| * | Update dependency pymdown-extensions to v8.2  (Renovate Bot, 2021-05-08, 1 file, -1/+1)
|/ /
| |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #1249 from hedgedoc/adjustSetup  (Yannick Bungers, 2021-05-08, 2 files, -3/+3)
|\ \
| |/
|/|
| |   Docs: Add mention to install devDependencies
| * Docs: Add mention to install devDependencies  (Philip Molares, 2021-05-08, 2 files, -3/+3)
|/
|   Before `yarn build` can be successfully run, we need to install the
|   devDependencies. This is necessary, because `bin/setup` does not
|   install the devDependencies…
|
|   Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Fix typo in release notes  (David Mehren, 2021-05-06, 1 file, -1/+1)
|
|   Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1239 from hedgedoc/release/1.8.1  (David Mehren, 2021-05-06, 6 files, -13/+31)
|\
| * Update example config  (David Mehren, 2021-05-06, 1 file, -7/+4)
| |
| |   The development config now runs on http://localhost:3000 out-of-the-box.
| |   The production config now makes clear that domain should be changed.
| |
| |   Both configs don't include `"linkifyHeaderStyle": "gfm"` anymore to
| |   make the links on the homepage work.
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Bump version to 1.8.1  (David Mehren, 2021-05-06, 4 files, -5/+5)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Update maintainers list  (David Mehren, 2021-05-06, 1 file, -0/+4)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Add release notes for 1.8.1  (David Mehren, 2021-05-06, 1 file, -0/+17)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Fix 1.8.0 changelog  (David Mehren, 2021-05-06, 1 file, -1/+1)
|/
|   CVE-2021-29475 has been fixed since HedgeDoc 1.5.0, instead of 1.6.0
|
|   Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1240 from hedgedoc/renovate/master-pin-dependencies  (David Mehren, 2021-05-06, 2 files, -67/+67)
|\
| |   Pin dependencies (master)
| * Pin dependencies  (Renovate Bot, 2021-05-06, 2 files, -67/+67)
|/
|   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* Merge pull request #1227 from hedgedoc/enhancement/esbuild  (David Mehren, 2021-05-06, 4 files, -11/+48)
|\
| |   Use esbuild to minify frontend JS
| * Use esbuild to minify frontend JS  (David Mehren, 2021-05-06, 4 files, -11/+48)
| |
| |   This speeds up build times massively
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #1237 from hedgedoc/renovate/master-mkdocs-material-7.x  (David Mehren, 2021-05-06, 1 file, -1/+1)
|\ \
| | |   Update dependency mkdocs-material to v7.1.4 (master)
| * | Update dependency mkdocs-material to v7.1.4  (Renovate Bot, 2021-05-06, 1 file, -1/+1)
| |/
| |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #1236 from hedgedoc/renovate/master-webpack-cli-4.x  (David Mehren, 2021-05-06, 2 files, -22/+21)
|\ \
| | |   Update dependency webpack-cli to v4.7.0 (master)
| * | Update dependency webpack-cli to v4.7.0  (Renovate Bot, 2021-05-06, 2 files, -22/+21)
| |/
| |   Signed-off-by: Renovate Bot <bot@renovateapp.com>
* | Merge pull request #1223 from hedgedoc/fix/useSSL  (David Mehren, 2021-05-06, 1 file, -4/+11)
|\ \
| | |   Automatically enable protocolUseSSL when useSSL is set
| * | Automatically enable protocolUseSSL when useSSL is set  (David Mehren, 2021-05-06, 1 file, -4/+11)
|/ /
| |   This makes the behavior consistent with the docs and saves the user
| |   from having to both set `useSSL` and `protocolUseSSL`.
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
* | Merge pull request #1222 from hedgedoc/fix/upgrade_insecure_requests  (David Mehren, 2021-05-06, 1 file, -2/+2)
|\ \
| | |   Fix upgradeInsecureRequests CSP directive
| * | Fix upgradeInsecureRequests CSP directive  (David Mehren, 2021-05-04, 1 file, -2/+2)
| | |
| | |   The `upgradeInsecureRequests` option of Helmet's CSP middleware was a
| | |   boolean in Helmet 3, but with Helmet 4, everything changed to lists.
| | |   This commit adjusts the addUpgradeUnsafeRequestsOptionTo function
| | |   accordingly.
| | |
| | |   Closes #1221
| | |
| | |   See also https://github.com/helmetjs/helmet/tree/v4.6.0/middlewares/content-security-policy
| | |
| | |   Signed-off-by: David Mehren <git@herrmehren.de>
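The commit above turns on a practical migration trap: a valueless CSP directive such as `upgrade-insecure-requests` is expressed as a boolean in Helmet 3 but as an empty list in Helmet 4, and a leftover boolean silently means the directive is never emitted or is rejected outright. The block below is an added example, not HedgeDoc's or Helmet's code. `addUpgradeInsecureRequests` is a hypothetical stand-in for the `addUpgradeUnsafeRequestsOptionTo` function named in the commit (its real signature is not on this page), and `serializeCsp` is a small serialiser that approximates how the header value is assembled from a Helmet-4-style directive map; it rejects any non-array value, which is an assumed, stricter reading of Helmet 4's validation. The directive maps are constructed for this example.

```javascript
// Added example, not HedgeDoc's or Helmet's code. Shows the Helmet 3 boolean
// form next to the Helmet 4 list form for a valueless CSP directive, and
// serialises a directive map into a Content-Security-Policy header value.
// `serializeCsp` is an approximation of Helmet 4's behaviour: it rejects any
// directive value that is not an array (assumed, stricter than the real thing).

// Helmet 3 style (boolean) and Helmet 4 style (list) side by side.
const HELMET3_STYLE = { 'default-src': ["'self'"], upgradeInsecureRequests: true };
const HELMET4_STYLE = { 'default-src': ["'self'"], 'upgrade-insecure-requests': [] };

// Hypothetical stand-in for addUpgradeUnsafeRequestsOptionTo: add the
// directive in list form. A valueless directive is an empty array.
function addUpgradeInsecureRequests(directives, enabled) {
  const out = { ...directives };
  if (enabled) out['upgrade-insecure-requests'] = [];
  return out;
}

// Helmet 4 accepts camelCase and kebab-case directive names; normalise to kebab-case.
function toKebab(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialise to a Content-Security-Policy header value. Every directive value
// must be a list of source expressions; a boolean is the old Helmet 3 shape
// and is rejected so the mistake is loud rather than a silently missing directive.
function serializeCsp(directives) {
  return Object.entries(directives).map(([name, values]) => {
    if (!Array.isArray(values)) {
      throw new TypeError(`CSP directive ${name} must be an array of sources, got ${typeof values}`);
    }
    const directive = toKebab(name);
    return values.length === 0 ? directive : `${directive} ${values.join(' ')}`;
  }).join('; ');
}

// Returns the rejection message for a directive map, or null if it serialises cleanly.
function cspRejection(directives) {
  try {
    serializeCsp(directives);
    return null;
  } catch (err) {
    return err.message;
  }
}

console.log('helmet 4 :', serializeCsp(addUpgradeInsecureRequests({ 'default-src': ["'self'"] }, true)));
console.log('helmet 3 :', cspRejection(HELMET3_STYLE));
```

The first line printed is the header a browser would receive, with `upgrade-insecure-requests` standing alone as a valueless directive; the second is the rejection for the boolean form. When checking a deployed instance, the same shape can be confirmed with `curl -sI https://<host>/ | grep -i content-security-policy` and looking for the bare directive name.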
* | | Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines  (David Mehren, 2021-05-06, 1 file, -4/+7)
|\ \ \
| |_|/
|/| |
| | |   Fix insertOnStartOfLines behaviour
| * | Fix insertOnStartOfLines behaviour  (David Mehren, 2021-05-05, 1 file, -4/+7)
| | |
| | |   A bug in insertOnStartOfLines led to duplicated text, if the cursor
| | |   was not at the start of a line.
| | |
| | |   This fixes the behaviour of insertOnStartOfLines to always use the
| | |   complete first and last line of the selection, even if they were
| | |   only partially selected.
| | |
| | |   Fixes #1231
| | |
| | |   Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #1226 from hedgedoc/enhancement/devDependencies  (David Mehren, 2021-05-06, 2 files, -35/+34)
|\ \ \
| * | | Only install production dependencies in bin/setup  (David Mehren, 2021-05-05, 1 file, -2/+1)
| | | |
| | | |   Signed-off-by: David Mehren <git@herrmehren.de>
| * | | Move frontend-only deps to devDependencies  (David Mehren, 2021-05-05, 1 file, -33/+33)
| |/ /
| | |   Signed-off-by: David Mehren <git@herrmehren.de>
* | | Merge pull request #1234 from hedgedoc/fix/numbered-task-lists  (David Mehren, 2021-05-06, 1 file, -6/+6)
|\ \ \
| |/ /
|/| |
| | |   Fix click handler for numbered task lists
| * | Fix click handler for numbered task lists  (Erik Michelson, 2021-05-05, 1 file, -6/+6)
|/ /
| |   The regex for tasklists in 1.x didn't include upper-case x/X letters
| |   or ordered lists (1. [ ] abc).
| |   This commit changes the regex to allow both.
| |
| |   Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* | Merge pull request #1219 from hedgedoc/release/1.8.0  (David Mehren, 2021-05-03, 5 files, -14/+12)
|\|
| * Remove mention of .sequelizerc from docs  (David Mehren, 2021-05-03, 1 file, -7/+3)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Bump version to 1.8.0  (David Mehren, 2021-05-03, 4 files, -5/+5)
| |
| |   Signed-off-by: David Mehren <git@herrmehren.de>
| * Add release notes for 1.8.0  (David Mehren, 2021-05-03, 1 file, -2/+4)
|/
|   Signed-off-by: David Mehren <git@herrmehren.de>