| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]
There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]
Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.
[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
Which is part of `passport-google-oauth2`.
It could be used as whitelist to a domain supported by google oauth.
Ref: https://github.com/jaredhanson/passport-google-oauth2/issues/3
Signed-off-by: ike <developer@ikewat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This update of revealJS helps us to get rid of the headjs depedency
integration using webpack. It updates reveal.js to 3.9.2 and updates the
csp hash accordingly for using the slide mode.
Background for this update is the critical security vulnerability
described by snyk in their disclosure:
https://snyk.io/vuln/SNYK-JS-REVEALJS-543841
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Linkify header style
|
| | |
| |
| |
| | |
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
|
| | |
| |
| |
| | |
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
|
| | |
| |
| |
| |
| |
| | |
instead of doing it in the authentication source
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
|
| | |
| |
| |
| | |
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
|
| | |
| |
| |
| |
| |
| | |
Saving referer into session in SAML auth so passport can redirect correctly after SAML login.
Signed-off-by: Ralph Krimmel <rkrimme1@gwdg.de>
|
| |\ \
| |/
|/| |
First steps in refactoring the backend code
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| |
| |
| | |
Move postNote to NoteController and rename to createFromPost
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| | |
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| | |
| |
| |
| |
| |
| | |
Because of circular import problems, this commit also moves the error messages from response.js to errors.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| |/
|
|
| |
Signed-off-by: Girish Ramakrishnan <girish@cloudron.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This makes the references consistent/compatible with GitHub,
GitLab, Pandoc and many other tools.
This behavior can be enabled in config.json with:
```
"linkifyHeaderStyle": "gfm"
```
Signed-off-by: hoijui <hoijui.quaero@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This regression bug was caused by the error page using the `codimd/head`
template. This resulted in error messages like this:
```
ReferenceError: /codimd/public/views/error.ejs:5
3|
4| <head>
>> 5| <%- include codimd/head %>
6| <link rel="stylesheet" href="<%- serverURL %>/css/center.css">
7| </head>
8|
/codimd/public/views/codimd/head.ejs:7
5| <meta name="apple-mobile-web-app-status-bar-style" content="black">
6| <meta name="mobile-web-app-capable" content="yes">
>> 7| <% for (var og in opengraph) { %>
8| <% if (opengraph.hasOwnProperty(og) && opengraph[og].trim() !== '') { %>
9| <meta property="og:<%- og %>" content="<%- opengraph[og] %>">
10| <% }} if (!opengraph.hasOwnProperty('image')) { %>
opengraph is not defined
at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:18:23)
at eval (eval at compile (/codimd/node_modules/ejs/lib/ejs.js:618:12), <anonymous>:99:10)
at returnedFn (/codimd/node_modules/ejs/lib/ejs.js:653:17)
at tryHandleCache (/codimd/node_modules/ejs/lib/ejs.js:251:36)
at View.exports.renderFile [as engine] (/codimd/node_modules/ejs/lib/ejs.js:482:10)
at View.render (/codimd/node_modules/express/lib/view.js:135:8)
at tryRender (/codimd/node_modules/express/lib/application.js:640:10)
at Function.render (/codimd/node_modules/express/lib/application.js:592:3)
at ServerResponse.render (/codimd/node_modules/express/lib/response.js:1012:7)
at responseError (/codimd/lib/response.js:57:20)
at Object.errorNotFound (/codimd/lib/response.js:30:5)
at newNote (/codimd/lib/response.js:134:76)
at /codimd/lib/response.js:172:16
at tryCatcher (/codimd/node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (/codimd/node_modules/bluebird/js/release/promise.js:517:31)
at Promise._settlePromise (/codimd/node_modules/bluebird/js/release/promise.js:574:18)
at Promise._settlePromise0 (/codimd/node_modules/bluebird/js/release/promise.js:619:10)
at Promise._settlePromises (/codimd/node_modules/bluebird/js/release/promise.js:699:18)
at _drainQueueStep (/codimd/node_modules/bluebird/js/release/async.js:138:12)
at _drainQueue (/codimd/node_modules/bluebird/js/release/async.js:131:9)
at Async._drainQueues (/codimd/node_modules/bluebird/js/release/async.js:147:5)
at Immediate.Async.drainQueues (/codimd/node_modules/bluebird/js/release/async.js:17:14)
```
The fix for that is rather trivial. We simply provide an empty array of
metadata when generating the error template.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Add customizable opengraph metadata for notes (see #40)
|
| | |
| |
| |
| | |
Signed-off-by: Erik Michelson <erik@liltv.de>
|
| | |
| |
| |
| | |
Signed-off-by: Amolith <amolith@nixnet.xyz>
|
| |/
|
|
| |
Signed-off-by: Amolith <amolith@nixnet.xyz>
|
| |\
| |
| | |
Added endpoint for note-creation with given alias
|
| | |
| |
| |
| |
| |
| |
| | |
Known bugs/features:
- pushing towards an existing note results in an error 500
Signed-off-by: Erik Michelson <erik@liltv.de>
|
| | |
| |
| |
| | |
Signed-off-by: Erik Michelson <erik@liltv.de>
|
| |/
|
|
| |
Signed-off-by: Erik Michelson <erik@liltv.de>
|
| |\
| |
| | |
Config: Return String Instead Of Buffer For Docker Secrets
|
| | |
| |
| |
| | |
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
|
| | |
| |
| |
| |
| |
| | |
Prevents "TypeError: Cannot freeze array buffer views with elements".
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
|
| |/
|
|
| |
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
|
| |\
| |
| | |
make aws s3 endpoint configurable
|
| | |
| |
| |
| | |
Signed-off-by: Mathias Merscher <Mathias.Merscher@dg-i.net>
|
| | |
| |
| |
| | |
Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As a temporary fix, to keep you and your users save, this patch disables
the PDF export feature. Details of the attack along with a fix for
future versions of CodiMD will be released in future.
I hope you can live with this solution for this release because I'm
super short on time and the alternative would be to ship no fix at all.
This appears to be the better solution for this release.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
| |
| |
| |
| |
| |
| | |
It seems like since we switched to camelcase we missed to update some
variable names in the config section. This patch fixes those.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
| |
| |
| | |
Signed-off-by: chandi <git@chandi.it>
|
| |\ \
| | |
| | | |
Respect DNT header
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Do Not Track (DNT) is an old web standard in order to notify pages that
the user doesn't want to be tracked. Even while a lot of pages either
ignore this header or even worse, use it for tracking purposes, the
orignal intention of this header is good and should be adopted.
This patch implements a respect of the DNT header by no longer including
the optional Google Analytics and disqus integrations when sending a DNT
header. This should reduce outside resource usage and help to stay more
private.
This should later-on extended towards other document content (i.e.
iframe based content).
The reason to not change the CDN handling is that CDNs will be
deprecated with next release and removed in long term.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \ \
| | | |
| | | | |
DB URL: Secret File Support
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
As the connection string may include a password it should be supported by Docker Secrets.
Signed-off-by: Jonas Thelemann <e-mail@jonas-thelemann.de>
|
| |\ \ \ \
| |/ / /
|/| | | |
Add SVG image detection based on file extension
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Add simple SVG image detecetion base on the file extension .svg.
This fixes the SVG being delivered as binary/octet-stream and makes it possible to embedd the SVG.
Signed-off-by: Lennart Weller <lennart.weller@hansemerkur.de>
|
