WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects prototype, thus allowing an attacker to execute arbitrary code on the server.
This is to address: https://www.npmjs.com/advisories/755
It is a low priority fix, as Discourse does not allow end users to input
raw handlebars templates.
* UX: make composer resize work on touch devices
This also replaces a vendor dependency with a small built-in resize mechanism.
* Make blue bar's larger padding specific to touch devices
Uses github.com/discourse/moment-timezone-names-translations to translate timezone names.
Plugins can also provide their own timezone name translations.
Moves Highlight.js files to vendor/assets/javascripts
Adds Highlight.js in yarn package management
Removes old rake task and reliance on NPM to build Highlight.js
Highlight.js is now integrated in the "javascript:update" rake task
This feature is used for defer loading of images and in future for post cloaking
This gives us a polyfill so we can safely use the feature in problem browsers
The polyfill supports "polling" but it does not appear we need it yet.
If we discover anything odd here, consider setting poll interval per:
https://github.com/w3c/IntersectionObserver/tree/master/polyfill
```
var io = new IntersectionObserver(callback);
io.POLL_INTERVAL = 100; // Time in milliseconds.
```
Keeping the mutation observer cause we often mutate the DOM
* Add missing icons to set
* Revert FA5 revert
This reverts commit 42572ff
* use new SVG syntax in locales
* Noscript page changes (remove login button, center "powered by" footer text)
* Cast wider net for SVG icons in settings
- include any _icon setting for SVG registry (offers better support for plugin settings)
- let themes store multiple pipe-delimited icons in a setting
- also replaces broken onebox image icon with SVG reference in cooked post processor
* interpolate icons in locales
* Fix composer whisper icon alignment
* Add support for stacked icons
* SECURITY: enforce hostname to match discourse hostname
This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname
* load SVG sprite with pre-initializers
* FIX: enable caching on SVG sprites
* PERF: use JSONP for SVG sprites so they are served from CDN
This avoids needing to deal with CORS for loading of the SVG
Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is
* Add missing SVG sprite JSONP script to CSP
* Upgrade to FA 5.5.0
* Add support for all FA4.7 icons
- adds complete frontend and backend for renamed FA4.7 icons
- improves performance of SvgSprite.bundle and SvgSprite.all_icons
* Fix group avatar flair preview
- adds an endpoint at /svg-sprites/search/:keyword
- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset
* Remove FA 4.7 font files
* First take on subsetting svg icons
* FontAwesome 5 svg subset WIP
* Include icons from plugins/badges into svg sprite subset
* add svg icon support to themes
* Add spec for SvgSprite
* Misc. SVG icon fixes
* Use FA5 svgs in local-dates plugin
* CSS adjustments, fix SVG icons in group flair
* Use SVG icons in poll plugin
* Add SVG icons to /wizard
Also corrects the positioning of autocomplete (when typing @ or emoji)
Previously there were edge conditions where autocomplete would be hundreds
of pixels away due to a bug measuring.
This correct an issue where Firefox ends up having an enormous blank space
at the bottom of topics after editing.
This commit removes the old evilstreak markdownjs engine.
- Adds specs to WhiteLister and changes it to stop using globals
(Fixes large memory leak)
- Fixes edge cases around bbcode handling
- Removes mdtest which is no longer valid (to be replaced with
CommonMark)
- Updates MiniRacer to correct minor unmanaged memory leak
- Fixes plugin specs
This adds the markdown.it engine to Discourse.
https://github.com/markdown-it/markdown-it
As the migration is going to take a while the new engine is default
disabled. To enable it you must change the hidden site setting:
enable_experimental_markdown_it.
This commit is a squash of many other commits, it also includes some
improvements to autospec (ability to run plugins), and a dev dependency
on the og gem for html normalization.
- Show fullscreen timeline with title of topic in mobile
- Go to post # kb shortcut now unconditionally uses a modal
- Always show wrench on topics (was missing if progress bar was showing)
- Be smarter about rendering timeline even if composer is open (provided there is room)
* Update sass-rails.
* FIX: Tilt dependency has been removed from Ember::Handlebars::Template.
* Update `DiscourseIIFE` to new Sprockets API.
* `Rails.application.assets` returns `nil` in production.
* Move sprockets-rails out of the assets group.
* Pin ember-rails to 0.18.5 which works with Sprockets 3.x.
* Update sprockets to 3.6.0.
* Make `DiscourseSassCompiler` work with Sprockets 3.
* Use `Sass::Rails::SassImporterGlobbing` instead of haxxing our own.
* Moneky patch so that we don't add dependencies for our custom css.
* FIX: Missing class.
* Upgrade ember-handlebars-template.
* FIX: require path needs to share the same root as the folder's path.
* Bump discourse-qunit-rails.
* Update ember-template-compiler.js to 1.12.2.
* `prepend` is private in Ruby 2.0.0.
- do not scroll screen if post is already on screen
- do not hide/show suggested topics each time you post
- be less aggressive about setting scrollTop in LockOn
- FIX: make sure we set a default name to a pasted image only on Chrome (the only browser that supports it)
- FIX: use ".json" extension to uploads endpoints since IE9 doesn't pass the correct header
- FIX: pass the CSRF token in a query parameter since IE9 doesn't pass it in the headers
- FIX: display error messages comming from the server when there is one over the default error message
- FIX: HACK around IE9 security issue when clicking a file input via JavaScript (use a label and set `visibility:hidden` on the input)
- FIX: hide the "cancel" upload on IE9 since it's not supported
- FIX: return "text/plain" content-type when uploading a file for IE9 in order to prevent it from displaying the save dialog
- FIX: check the maximum file size on the server 💥
- update jQuery File Upload Plugin to v. 5.42.2
- update JQuery IFram Transport Plugin to v. 1.8.5
- update jQuery UI Widget to v. 1.11.1