Commit Graph

63 Commits

Author SHA1 Message Date
David Taylor cbea5f6471
DEV: Update compatibility file 2024-08-29 10:16:48 +01:00
David Taylor 948634fe31
SECURITY: Apply transformations to text nodes only
Previously, the replacement system would modify raw HTML, which is prone to issues and vulnerabilities. With this commit, we iterate over text nodes only, and do simple string replacements on their content. That means that the user input never gets passed into an HTML parser, and there is no chance of injection attacks.

The re-rendering system is also simplified to store the original value for re-use later, instead of mapping position/length of replacements.

This does mean the behavior is changed slightly. Replacements will no longer be applied to html attributes (e.g `a[href]`). If this affects your use-case, please let us know [on Meta](https://meta.discourse.org/t/113533).

This is a followup to the fix in a62f711d56
2024-08-29 10:15:53 +01:00
Joffrey JAFFEUX a62f711d56
SECURITY: properly escape user input (#38)
We were failing to correctly escape content which we would then inject in the HTML of the post causing an XSS.

Note this XSS is stopped by CSP.
2024-08-20 18:06:58 +02:00
Discourse Translator Bot 57045bc9e5
Update translations (#37) 2024-08-20 17:54:48 +02:00
Discourse Translator Bot 5e61e49ef5
Update translations (#36) 2024-08-13 16:34:43 +02:00
Natalie Tay 2a1f703999
DEV: Pin theme for Discourse < 3.4.0.beta1-dev (#35) 2024-08-02 17:47:11 +08:00
Discourse Translator Bot c7c7c99a6c
Update translations (#34) 2024-07-09 23:12:28 +02:00
dependabot[bot] 34e52524ec
Build(deps): bump braces from 3.0.2 to 3.0.3 (#33)
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-20 11:33:33 +02:00
Discourse Translator Bot 139284225f
Update translations (#32) 2024-06-18 15:41:02 +02:00
Discourse Translator Bot 154059ba14
Update translations (#31) 2024-06-11 17:22:13 +02:00
Discourse Translator Bot 687b0e4798
DEV: Add Crowdin support (#30) 2024-06-11 13:37:43 +02:00
JimmyJammyDodger bd6e5beee9
Update about.json (#29) 2024-06-09 10:09:13 +01:00
David Taylor a319c0baa1
DEV: Update linting (#28) 2024-03-27 18:55:28 +01:00
Selase Krakani 51df0ef4a6
DEV: Pin theme for Discourse < 3.3.0.beta1-dev (#27) 2024-02-29 12:59:20 -07:00
Jarek Radosz 05a727efd5
DEV: Use the new modal api (#26) 2023-12-05 23:15:32 +01:00
Alan Guo Xiang Tan 344f4dd0ea
DEV: Switch to new addComposerToolbarPopupMenuOption plugin API (#25)
Why this change?

`api.addToolbarPopupMenuOptionsCallback` has been deprecated in 913fd3a7b3
2023-10-23 08:08:57 +08:00
dependabot[bot] 3ca2000263
Build(deps): bump @babel/traverse from 7.20.10 to 7.23.2 (#24)
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.20.10 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-18 12:58:02 -04:00
Penar Musaraj fb1cf21616
DEV: Pin theme for Discourse 3.1 stable (#23) 2023-08-22 14:03:25 -05:00
dependabot[bot] 322db3406e
Build(deps): bump word-wrap from 1.2.3 to 1.2.4 (#22)
Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](https://github.com/jonschlinkert/word-wrap/compare/1.2.3...1.2.4)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-19 01:01:08 +02:00
dependabot[bot] 7b73d87557
Build(deps): bump semver from 6.3.0 to 6.3.1 (#21)
Bumps [semver](https://github.com/npm/node-semver) from 6.3.0 to 6.3.1.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](https://github.com/npm/node-semver/compare/v6.3.0...v6.3.1)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-12 14:13:36 +02:00
Bastiaan Quast 20f155de34
plugin-> theme component (#20) 2023-02-04 15:57:50 +01:00
discoursebot f0fcd8b357
DEV: Update CI workflows (#18)
Co-authored-by: discoursebuild <build@discourse.org>
2023-01-10 19:30:47 +00:00
David Taylor 8fe8b1d4d1
DEV: Update eslint-config-discourse, use prettier for hbs (#17) 2023-01-04 13:46:24 +01:00
dependabot[bot] e7ec81230a
Build(deps): bump json5 from 2.2.1 to 2.2.2 (#16)
Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/compare/v2.2.1...v2.2.2)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-30 22:50:29 -05:00
discoursebot b26276efa2
DEV: Update CI workflows (#15)
Co-authored-by: discoursebuild <build@discourse.org>
2022-12-30 22:40:36 -05:00
discoursebot 8e7d40c23e
DEV: Update CI workflows (#14)
Co-authored-by: discoursebuild <build@discourse.org>
2022-11-07 14:14:16 -06:00
Jan Cernik 3918061c50
DEV: Replace bootbox alert dialog (#13) 2022-10-31 08:04:38 -03:00
Joffrey JAFFEUX be75773375
FIX: fully rely on keyValueStore to prevent error (#12)
* FIX: fully rely on keyValueStore to prevent error

The component was generating errors for some users due to direct access to `localStorage`:

```
TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at Object.expireOldValues (https://d3bpeqsaub0i6y.cloudfront.net/theme-javascripts/33bf35dc19b970a42f8c1e7d57d8cc72d6205bbd.js?__ws=meta.discourse.org:157:14)
    at Object.initialize (https://d3bpeqsaub0i6y.cloudfront.net/theme-javascripts/33bf35dc19b970a42f8c1e7d57d8cc72d6205bbd.js?__ws=meta.discourse.org:193:12)
    at o.initialize (https://d11a6trkgmumsb.cloudfront.net/assets/discourse-2bd9a9aa6b5c9cbee990a03159f5bff41fe503fe74814c3b66b3770876913dd5.gz.js:68:38)
```

This commits removes old unnecessary code using cookies and uses latest API from core `removeKeys`. Old discourse instances will just not evict old keys which is a minor annoyance.

* linting
2022-08-22 00:25:50 +02:00
Jarek Radosz faf88c2209
DEV: Fix `key-value-store:main` deprecation (#11) 2022-08-13 22:40:11 +02:00
Jarek Radosz ba7ca9e588
DEV: Fix typo (#10) 2022-08-13 22:39:58 +02:00
Jarek Radosz 1c4f5b1a99
DEV: Add CI setup and fix linting issues (#9) 2022-06-18 21:27:31 +02:00
dependabot[bot] c9dde66727
Build(deps): bump minimist from 1.2.5 to 1.2.6 (#8)
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-31 11:53:13 +02:00
David Taylor 9a002eed80
FIX: Dropdowns following recent refactoring (#7) 2022-01-13 16:48:07 -08:00
David Taylor 9882e993c5 DEV: Remove JQuery 2022-01-13 13:02:06 +00:00
David Taylor 468cf81fd2 DEV: Migrate to local storage
Setting cookies means that they're sent in the request headers for every HTTP request. This will have a (tiny) impact on performance, plus it can raise privacy concerns. Using localStorage is more appropriate for this use case.

This commit includes migration logic for any previously-saved values.

Previously the cookies were set to last for the 'session'. localStorage doesn't have an expiration mechanism, so this commit implements a 7-day expiration on the values.
2022-01-13 13:02:06 +00:00
David Taylor 6c43321b28 DEV: Apply prettier, remove es6 extension 2022-01-13 13:02:06 +00:00
Jarek Radosz 3adf5b8300
DEV: Use `cookie` imports (#5)
Fixes deprecation warnings.
2021-10-28 19:40:25 +02:00
Robin Ward bd544c3f38
FIX: `modifyClass` deprecation (#3) 2021-09-03 13:43:45 -04:00
jjaffeux 19fcc3210c UX: makes texts more readable 2021-06-01 11:38:29 +02:00
jjaffeux 3f0a5f7802 FIX: uses var for dark-light-choose 2021-06-01 11:37:12 +02:00
jjaffeux 3d0d4f2ca2 FIX: updates blend to use var 2021-06-01 11:34:59 +02:00
jjaffeux 248121c094 FIX: uses var for colors 2021-06-01 11:31:53 +02:00
dependabot[bot] 8ef85fc7d1
Build(deps): bump lodash from 4.17.19 to 4.17.21 (#2)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-05-11 10:28:24 -04:00
tshenry 6a3852e373
Update about.json 2021-03-04 16:22:57 -08:00
dependabot[bot] 8e41644cd5
Build(deps): bump lodash from 4.17.15 to 4.17.19 (#1)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-07-20 12:05:05 -04:00
jjaffeux 222e50bacb FIX: ensures we can rewrite links
This selector was too specific and would end up catching a directlyt wich would result in innerHTML being the text of the link and not the full link.
2020-04-24 11:19:36 +02:00
jjaffeux 81bbc2080a removes links and clear placeholders for now
It works well, but is too much noise for the value
2020-04-22 12:41:42 +02:00
jjaffeux e49d7411e5 FIX: better detection of default value 2020-04-20 20:39:54 +02:00
jjaffeux f947865904 FIX: ensures correct updates on input and clear 2020-04-20 17:07:04 +02:00
jjaffeux 1fab87e976 FIX: do not placeholder the placeholder 2020-04-20 17:06:49 +02:00