path: root/public
Columns: commit message (author, date; files changed, lines removed/added)
* Escape custom Open Graph tags (David Mehren, 2021-05-09; 1 file, -1/+1)
  HedgeDoc allows specifying custom Open Graph tags using the `opengraph` key in the YAML metadata of a note. These are rendered into the HTML delivered to clients using `ejs` and its `<%-` tag. This outputs the variable unescaped into the template and therefore allows injecting arbitrary strings, including `<script>` tags.
  This commit changes the template to use ejs's `<%=` tag instead, which automatically escapes the variable's content, thereby mitigating the XSS vector.
  See also https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-gjg7-4j2h-94fq
  Co-authored-by: Christoph (Sheogorath) Kern <sheogorath@shivering-isles.com>
  Signed-off-by: David Mehren <git@herrmehren.de>
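The difference between the two ejs tags, as an added example that is not HedgeDoc's code and does not use ejs itself: a tiny template function stands in for ejs, reproducing only the raw `<%-` and escaping `<%=` behaviour, and the note metadata is constructed. Both the `opengraph` keys and values come from the note author, so the example passes both through the template tag; the 2020-12-27 mermaid commit further down makes the same text-versus-markup distinction on the client side with jQuery's `.text()` and `.html()`.

```javascript
// Added example, not HedgeDoc's own code. It reproduces the difference
// between ejs's raw `<%-` tag and its escaping `<%=` tag with a tiny
// template function, so the effect of the commit can be seen offline.

// HTML-escapes the five characters ejs's `<%=` tag escapes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal stand-in for ejs: `<%- name %>` inserts locals[name] unescaped,
// `<%= name %>` inserts it escaped. Nothing else is supported.
function render(template, locals) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_, mode, name) => {
    const value = locals[name] == null ? '' : String(locals[name]);
    return mode === '-' ? value : escapeHtml(value);
  });
}

// Renders one <meta property="og:..."> per entry of a note's `opengraph`
// YAML key. Both the key and the value are author-controlled, so both go
// through the template tag. `tag` is '-' (vulnerable template) or '='
// (fixed template).
function renderOpenGraph(opengraph, tag) {
  const template = `<meta property="og:<%${tag} key %>" content="<%${tag} value %>">`;
  return Object.entries(opengraph)
    .map(([key, value]) => render(template, { key, value }))
    .join('\n');
}

// Constructed note metadata: the description closes the content attribute
// and the meta tag, then injects a script element.
const hostileOpenGraph = {
  title: 'Meeting notes',
  description: '"><script>alert(document.cookie)</script><meta content="',
};

// With `<%-` the payload lands in the page as live markup; with `<%=` it
// stays inert text inside the attribute value.
function openGraphDemo() {
  return {
    vulnerable: renderOpenGraph(hostileOpenGraph, '-'),
    fixed: renderOpenGraph(hostileOpenGraph, '='),
  };
}
```

`openGraphDemo().fixed` yields `content="&#34;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;meta content=&#34;"`. Browsers decode entities inside attribute values, so crawlers still read the description exactly as the author typed it; only its interpretation as markup is gone.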
* Fix typo in release notes (David Mehren, 2021-05-06; 1 file, -1/+1)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Add release notes for 1.8.1 (David Mehren, 2021-05-06; 1 file, -0/+17)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Fix 1.8.0 changelog (David Mehren, 2021-05-06; 1 file, -1/+1)
  CVE-2021-29475 has been fixed since HedgeDoc 1.5.0, instead of 1.6.0
  Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1233 from hedgedoc/fix/insertOnStartOfLines (David Mehren, 2021-05-06; 1 file, -4/+7)
  Fix insertOnStartOfLines behaviour
  * Fix insertOnStartOfLines behaviour (David Mehren, 2021-05-05; 1 file, -4/+7)
    A bug in insertOnStartOfLines led to duplicated text if the cursor was not at the start of a line. This fixes the behaviour of insertOnStartOfLines to always use the complete first and last line of the selection, even if they were only partially selected.
    Fixes #1231
    Signed-off-by: David Mehren <git@herrmehren.de>
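The behaviour the commit describes, as an added example that is not HedgeDoc's code (which operates on CodeMirror positions): a pure function over a string with the selection given as character offsets, plus constructed inputs covering a partial selection, a bare cursor, and a selection that ends right after a line break.

```javascript
// Added example, not HedgeDoc's code. Inserts `prefix` at the start of
// every line the selection touches, always using the complete first and
// last line even when only part of them is selected. `from` and `to` are
// character offsets into `text`; from === to is a plain cursor.
function insertOnStartOfLines(text, from, to, prefix) {
  if (from > to) [from, to] = [to, from];
  // Start of the line containing `from` (0 when there is no earlier newline).
  const firstLineStart = from === 0 ? 0 : text.lastIndexOf('\n', from - 1) + 1;
  // A selection that ends right after a newline ends on the previous line,
  // not on the (unselected) line that follows it.
  const lastAnchor = to > from && text[to - 1] === '\n' ? to - 1 : to;
  let lastLineEnd = text.indexOf('\n', lastAnchor);
  if (lastLineEnd === -1) lastLineEnd = text.length;
  const lines = text.slice(firstLineStart, lastLineEnd).split('\n');
  return text.slice(0, firstLineStart)
    + lines.map((line) => prefix + line).join('\n')
    + text.slice(lastLineEnd);
}

// Constructed document and selections.
const doc = 'alpha\nbeta\ngamma';
// "al|pha ... be|ta" selected: both lines are prefixed whole.
function demoPartialSelection() { return insertOnStartOfLines(doc, 2, 8, '- '); }
// Cursor inside "beta", nothing selected: only that line.
function demoCursorOnly() { return insertOnStartOfLines(doc, 7, 7, '> '); }
// Selection ends just after "alpha\n": "beta" is not touched.
function demoEndsAfterNewline() { return insertOnStartOfLines(doc, 0, 6, '# '); }
```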
* Fix click handler for numbered task lists (Erik Michelson, 2021-05-05; 1 file, -6/+6)
  The regex for tasklists in 1.x didn't include upper-case x/X letters nor ordered lists (1. [ ] abc). This commit changes the regex to allow both.
  Signed-off-by: Erik Michelson <opensource@erik.michelson.eu>
* Add release notes for 1.8.0 (David Mehren, 2021-05-03; 1 file, -2/+4)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Extract list of supported languages in separate file (Erik Michelson, 2021-04-26; 2 files, -43/+8)
  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Add changelog for 1.8.0-rc1 (David Mehren, 2021-04-26; 1 file, -5/+29)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Add support for freshly imported languages (David Mehren, 2021-04-26; 2 files, -1/+9)
  New languages: bg, fa, gl, he, hu, oc, pt-br
  Signed-off-by: David Mehren <git@herrmehren.de>
* Add translators to the list of contributors for 1.8.0-rc1 (David Mehren, 2021-04-26; 1 file, -1/+15)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1150 from hedgedoc/feature/prometheus_metrics (David Mehren, 2021-04-25; 1 file, -1/+4)
  * Document new Prometheus endpoint (David Mehren, 2021-04-25; 1 file, -1/+4)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #1167 from hedgedoc/maintenance/master/remove_node_10 (David Mehren, 2021-04-25; 1 file, -0/+3)
  * Raise minimum required Node.js version to 12 (David Mehren, 2021-04-22; 1 file, -0/+3)
    As Node 10 will be EOL on April 30th, we should stop supporting and/or promoting the usage of that version.
    See also https://endoflife.date/nodejs
    Signed-off-by: David Mehren <git@herrmehren.de>
* Changelog: Mention removal of node-imgur (Philip Molares, 2021-04-22; 1 file, -1/+4)
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Features.md: Change tag explanation (Philip Molares, 2021-03-28; 1 file, -2/+9)
  Explain tags in the features.md with YAML metadata, instead of the heading syntax.
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #1022 from hedgedoc/fix/translate (David Mehren, 2021-03-18; 5 files, -9/+9)
  [1.x] Templates: Remove lang and add translation parameter
  * Templates: Remove lang and add translation parameter (Philip Molares, 2021-03-16; 5 files, -9/+9)
    Since the interface is not always in English, we mostly removed the lang attribute from all html tags. Since the error messages in error.ejs are not translated, but always in English, there the global lang="en" should be kept.
    Also in the slide and editor template the div, which contains the user generated text, has the attribute translate="no" now, to avoid unwanted translations.
    Since on the publish view (pretty.ejs) only the user generated content is shown, we set the lang to the language defined in YAML (or 'en') as a default, but that was also moved to the corresponding markdown div instead of html.
    Fixes #881
    See also #437
    Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Add release notes entry for #969 (David Mehren, 2021-03-06; 1 file, -0/+5)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Fix HTML clipboard import (David Mehren, 2021-02-16; 1 file, -1/+1)
  jQuery's .html() method escapes contained text (e.g. '<' becomes '&lt;'). This confuses the turndown parser, which then only performs unescaping, but does not convert to markdown.
  By using .text() instead, the unescaped content is returned and turndown can correctly generate markdown.
  Signed-off-by: David Mehren <git@herrmehren.de>
* Linter: Fix all lint errors (Philip Molares, 2021-02-15; 15 files, -1064/+1731)
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Merge pull request #841 from hedgedoc/renovate/master-ejs-3.x (Yannick Bungers, 2021-02-13; 11 files, -45/+45)
  * Switch to ejs 3 compliant imports (David Mehren, 2021-02-09; 11 files, -45/+45)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Update webpack config and JS import for spin.js v4 (David Mehren, 2021-02-12; 1 file, -1/+2)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Fix wrong access to slide options (Tilman Vatteroth, 2021-02-02; 1 file, -49/+50)
  If the slide options in the frontmatter are empty or not present, then the slideOptions object in the parsed JSON is undefined. This triggers an exception when the sanitized slide options object is built.
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Improved CSS in night-mode (Erik Michelson, 2021-01-28; 1 file, -19/+8)
  A general invert-filter is applied to all pre elements in night mode. As diagrams are embedded inside pre tags, they're inverted as well. For sequence-diagrams and flow-charts this would look good if we didn't additionally set the stroke and text color to white in night-mode. These additional white rules invert the already inverted diagram again and make it poorly visible.
  The graphviz and abc embeddings aren't really optimized to be inverted, therefore they're now excluded from inversion and stay in day mode.
  Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Delete slide options that are not defined (Tilman Vatteroth, 2021-01-15; 1 file, -0/+6)
  Reveal.js doesn't set the default value of an option in the provided config object if the key is set with "undefined" as value. This leads to a broken slide mode, because some critical settings are missing.
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Bump version to 1.7.2 (David Mehren, 2021-01-15; 1 file, -0/+9)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #727 from hedgedoc/fix/slideOptionsSanitation (David Mehren, 2021-01-14; 2 files, -2/+52)
  * added theme to the sanitization of slideOptions (Philip Molares, 2021-01-14; 1 file, -0/+1)
    Signed-off-by: Philip Molares <philip.molares@udo.edu>
  * changed the SCRIPT_END_PLACEHOLDER regex to case insensitive (Philip Molares, 2021-01-14; 1 file, -1/+1)
    this was suggested by @TobiasHoll in https://github.com/hackmdio/codimd/issues/1648
    Signed-off-by: Philip Molares <philip.molares@udo.edu>
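Why the regex has to be case-insensitive, as an added example that is not HedgeDoc's code and does not reproduce its placeholder mechanism: HTML tag names are matched case-insensitively, so the parser ends an inline script element at `</SCRIPT` just as it does at `</script`, and a case-sensitive guard on data embedded in a `<script>` leaves that door open. The three escape functions are generic alternatives for that spot; the option object and the template line are constructed.

```javascript
// Added example, not HedgeDoc's code. Shows why a guard on "</script>" in
// data embedded into an inline <script> must match case-insensitively.

// Misses "</SCRIPT>" and every other casing of the closing tag.
function escapeCaseSensitive(json) {
  return json.replace(/<\/script>/g, (m) => '<\\' + m.slice(1));
}
// Backslash-escapes the "/" of any-case "</script>": still valid JSON
// (`\/` decodes to `/`), but no longer a tag to the HTML parser.
function escapeCaseInsensitive(json) {
  return json.replace(/<\/script>/gi, (m) => '<\\' + m.slice(1));
}
// Belt and braces: no "<" survives at all, which also defuses the "<!--"
// tricks that change how the parser reads script data.
function escapeAllLt(json) {
  return json.replace(/</g, '\\u003c');
}

// The server-side template line: JSON dropped into an inline script.
function embed(data, escape) {
  return `<script>var slideOptions = ${escape(JSON.stringify(data))};</script>`;
}

// Emulates the one tokenizer rule that matters here: script data runs
// until "</script" (case-insensitive) followed by whitespace, "/" or ">".
function scriptBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const rest = html.slice(start);
  const end = /<\/script[\s\/>]/i.exec(rest);
  return end ? rest.slice(0, end.index) : rest;
}

// True when the browser would close the script earlier than the template
// intended, i.e. part of the data is parsed as markup.
function breaksOut(data, escape) {
  const html = embed(data, escape);
  return html !== '<script>' + scriptBody(html) + '</script>';
}

// Constructed frontmatter: a slide option that tries to close the script.
const hostileOptions = {
  theme: 'black',
  transition: '</SCRIPT><img src=x onerror=alert(1)><script>',
};
```

`breaksOut(hostileOptions, escapeCaseSensitive)` is true while both other escapes keep the payload inside the string, and `JSON.parse` of the escaped text still returns the original value, so the fix costs nothing on the consuming side.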
  * added sanitation to the slideMode in frontmatter (Philip Molares, 2021-01-14; 1 file, -1/+50)
    This should prevent the issue mentioned in https://github.com/hackmdio/codimd/issues/1648
    Specifically left out are
    - dependency (user can't really include anything anyway, because CSP forbids most domains)
    - autoSlideMethod (nothing our users should be able to change as they won't write JS to be affected by this)
    - keyboard (this lets users write arbitrary code and therefore seems too problematic)
    See: https://github.com/hakimel/reveal.js/blob/3.9.2/README.md#configuration
    Signed-off-by: Philip Molares <philip.molares@udo.edu>
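An allow-list sanitizer for frontmatter slide options, as an added example that is not HedgeDoc's code, covering this commit together with the two slide-option fixes above it (undefined values on 2021-01-15, missing frontmatter on 2021-02-02). The option table is a subset chosen for the demo, not the project's list; the keys this commit deliberately leaves out (`dependencies`, `autoSlideMethod`, `keyboard`) are simply absent from it and so are dropped like any unknown key. The frontmatter object is constructed.

```javascript
// Added example, not HedgeDoc's code. Allow-list sanitizer for reveal.js
// options supplied through a note's frontmatter.

// Each allowed option maps to the shape its value must have: a typeof
// string, a list of permitted values, or a RegExp for free-form strings.
// Subset for this demo; the project's real list lives in its sources.
const ALLOWED_SLIDE_OPTIONS = {
  controls: 'boolean', progress: 'boolean', slideNumber: 'boolean',
  history: 'boolean', center: 'boolean', loop: 'boolean', rtl: 'boolean',
  shuffle: 'boolean', fragments: 'boolean', showNotes: 'boolean',
  autoSlide: 'number', width: 'number', height: 'number', margin: 'number',
  transition: ['none', 'fade', 'slide', 'convex', 'concave', 'zoom'],
  transitionSpeed: ['default', 'fast', 'slow'],
  // Ends up in a stylesheet name, so restrict it to a plain token.
  theme: /^[a-z][a-z0-9-]*$/,
};

function matchesRule(rule, value) {
  if (Array.isArray(rule)) return rule.includes(value);
  if (rule instanceof RegExp) return typeof value === 'string' && rule.test(value);
  if (rule === 'number') return typeof value === 'number' && Number.isFinite(value);
  return typeof value === rule;
}

// Takes the parsed frontmatter (or undefined when the note has none) and
// returns the options safe to pass to Reveal.initialize plus the dropped
// keys, for logging. Missing or non-object slideOptions give {} instead of
// throwing. Keys holding undefined or null are removed rather than
// forwarded, because reveal.js keeps an explicit undefined instead of
// applying its default (YAML `progress:` with no value parses to null).
function sanitizeSlideOptions(frontmatter) {
  const raw = frontmatter && frontmatter.slideOptions;
  const options = {};
  const dropped = [];
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { options, dropped };
  }
  for (const [key, value] of Object.entries(raw)) {
    // hasOwnProperty: inherited names such as "constructor" are not options.
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_SLIDE_OPTIONS, key);
    if (!known || value === undefined || value === null
        || !matchesRule(ALLOWED_SLIDE_OPTIONS[key], value)) {
      dropped.push(key);
      continue;
    }
    options[key] = value;
  }
  return { options, dropped };
}

// Constructed frontmatter mixing legitimate options with ones a note must
// not be able to set.
const hostileFrontmatter = {
  title: 'Talk',
  slideOptions: {
    transition: 'zoom',
    theme: 'night',
    controls: 'yes',                                          // wrong type
    keyboard: { 13: 'alert(1)' },                             // key handlers: not allowed
    dependencies: [{ src: 'https://example.invalid/x.js' }],  // script loading: not allowed
    autoSlideMethod: 'navigateNext',                          // not allowed
    progress: undefined,                                      // would suppress reveal's default
    autoSlide: 5000,
  },
};
```

The result for the hostile input is `{ transition: 'zoom', theme: 'night', autoSlide: 5000 }` with five keys reported as dropped; an undefined frontmatter or `slideOptions: null` yields an empty object without an exception.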
* fixed a problem that the last line of code becomes covered by status bar and can't be moved without changing the note. (Philip Molares, 2021-01-14; 1 file, -1/+1)
  Thanks to @mhdrone for reporting this and suggesting the fix
  fixes #724
  Signed-off-by: Philip Molares <philip.molares@udo.edu>
* Fix typo in release notes (David Mehren, 2020-12-27; 1 file, -1/+1)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Bump version to 1.7.1 (David Mehren, 2020-12-27; 1 file, -0/+8)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Don't store mermaid diagrams in innerHTML (David Mehren, 2020-12-27; 1 file, -1/+1)
  Using jQuery's `.html()` method stores the given string as `innerHTML`, which enables injection of arbitrary DOM elements. Using `.text()` instead mitigates this issue.
  Signed-off-by: David Mehren <git@herrmehren.de>
* Add note about `X-Forwarded-Proto` to 1.7.0 release notes (David Mehren, 2020-12-21; 1 file, -0/+4)
  This header needs to be set correctly if the reverse proxy terminates TLS, otherwise we don't send cookies.
  Signed-off-by: David Mehren <git@herrmehren.de>
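The failure mode behind that release note, as an added example that is not HedgeDoc's code: a cookie flagged `Secure` is only set when the app believes the request arrived over TLS, and behind a TLS-terminating proxy that belief can only come from `X-Forwarded-Proto`, and only when the app is configured to trust the proxy. The decision logic is written here from memory of how express-session handles it, not copied from that library; the request objects and cookie value are constructed.

```javascript
// Added example, not HedgeDoc's code. Models why a missing
// X-Forwarded-Proto header silently disables the session cookie behind a
// TLS-terminating reverse proxy.

// `req` is a constructed stand-in: { socketEncrypted: bool, headers: {...} }.
function requestIsSecure(req, trustProxy) {
  if (req.socketEncrypted) return true;            // TLS on the socket itself
  if (!trustProxy) return false;                   // plain socket, proxy headers ignored
  const header = req.headers['x-forwarded-proto'] || '';
  const firstHop = header.split(',')[0].trim().toLowerCase();
  return firstHop === 'https';                     // the proxy says the client used TLS
}

// Returns the Set-Cookie value the app would send, or null when a `secure`
// cookie is withheld because the request does not look secure. Cookie
// name and value are constructed for the demo.
function sessionSetCookie(req, { secure, trustProxy }) {
  if (secure && !requestIsSecure(req, trustProxy)) return null;
  const attrs = ['connect.sid=s%3Aexample.sig', 'Path=/', 'HttpOnly'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed requests as the app sees them on its plain-HTTP socket.
const proxyWithoutHeader = { socketEncrypted: false, headers: {} };
const proxyWithHeader = { socketEncrypted: false, headers: { 'x-forwarded-proto': 'https' } };

function cookieDemo() {
  return {
    // Proxy terminates TLS but never sets the header: cookie withheld, and
    // nothing in the browser shows why the login does not stick.
    headerMissing: sessionSetCookie(proxyWithoutHeader, { secure: true, trustProxy: true }),
    // Header set and trusted: Secure cookie is sent.
    configured: sessionSetCookie(proxyWithHeader, { secure: true, trustProxy: true }),
    // Header set but proxy not trusted: still withheld, and rightly so when
    // the header might have been written by the client itself.
    untrusted: sessionSetCookie(proxyWithHeader, { secure: true, trustProxy: false }),
  };
}
```

Two checks follow from the third scenario: the proxy must overwrite the header rather than forward whatever the client sent (with nginx, `proxy_set_header X-Forwarded-Proto $scheme;`), and the app should trust proxy headers only from the proxy's address, otherwise any client on the plain-HTTP port can claim HTTPS.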
* Merge release notes of 1.7.0-rc1 and rc2 into 1.7.0 (David Mehren, 2020-12-21; 1 file, -9/+3)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Fix broken PDF embed in features page & explain embedding problems (David Mehren, 2020-12-21; 1 file, -1/+2)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Release 1.7.0-rc2 (David Mehren, 2020-12-02; 1 file, -0/+8)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Changelog for 1.7.0-rc1 (David Mehren, 2020-11-29; 1 file, -0/+86)
  Signed-off-by: David Mehren <git@herrmehren.de>
* Merge pull request #599 from hedgedoc/fix/icons (David Mehren, 2020-11-27; 5 files, -11/+11)
  Fix shortcut icon urls pointing to old (nonexistent) files
  * Fixed shortcut icon urls pointing to old (nonexistent) files (Erik Michelson, 2020-11-27; 5 files, -11/+11)
    Signed-off-by: Erik Michelson <github@erik.michelson.eu>
* Merge pull request #603 from hedgedoc/feat/new-chat-link (Yannick Bungers, 2020-11-27; 2 files, -2/+2)
  Replace references to Matrix room with chat.hedgedoc.org
  * Replace references to Matrix room with chat.hedgedoc.org (David Mehren, 2020-11-27; 2 files, -2/+2)
    Signed-off-by: David Mehren <git@herrmehren.de>
* Remove reference to nonexistent DOM element (David Mehren, 2020-11-27; 1 file, -2/+0)
  This was missed in #596 and breaks the frontend JS.
  Signed-off-by: David Mehren <git@herrmehren.de>
* Remove pdf export code (Tilman Vatteroth, 2020-11-26; 2 files, -10/+1)
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>
* Remove irritating footer files (Tilman Vatteroth, 2020-11-18; 6 files, -15/+13)
  Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de>