WS-2019-0064: Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects prototype, thus allowing an attacker to execute arbitrary code on the server.
This is to address: https://www.npmjs.com/advisories/755
It is a low priority fix, as Discourse does not allow end users to input
raw handlebars templates.
* UX: make composer resize work on touch devices
This also replaces a vendor dependency with a small built-in resize mechanism.
* Make blue bar's larger padding specific to touch devices
Uses github.com/discourse/moment-timezone-names-translations to translate timezone names.
Plugins can also provide their own timezone name translations.
Moves Highlight.js files to vendor/assets/javascripts
Adds Highlight.js in yarn package management
Removes old rake task and reliance on NPM to build Highlight.js
Highlight.js is now integrated in the "javascript:update" rake task
This feature is used for defer loading of images and in future for post cloaking
This gives us a polyfill so we can safely use the feature in problem browsers
The polyfill supports "polling" but it does not appear we need it yet.
If we discover anything odd here, consider setting poll interval per:
https://github.com/w3c/IntersectionObserver/tree/master/polyfill
```
var io = new IntersectionObserver(callback);
io.POLL_INTERVAL = 100; // Time in milliseconds.
```
Keeping the mutation observer cause we often mutate the DOM
* Add missing icons to set
* Revert FA5 revert
This reverts commit 42572ff
* use new SVG syntax in locales
* Noscript page changes (remove login button, center "powered by" footer text)
* Cast wider net for SVG icons in settings
- include any _icon setting for SVG registry (offers better support for plugin settings)
- let themes store multiple pipe-delimited icons in a setting
- also replaces broken onebox image icon with SVG reference in cooked post processor
* interpolate icons in locales
* Fix composer whisper icon alignment
* Add support for stacked icons
* SECURITY: enforce hostname to match discourse hostname
This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname
* load SVG sprite with pre-initializers
* FIX: enable caching on SVG sprites
* PERF: use JSONP for SVG sprites so they are served from CDN
This avoids needing to deal with CORS for loading of the SVG
Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is
* Add missing SVG sprite JSONP script to CSP
* Upgrade to FA 5.5.0
* Add support for all FA4.7 icons
- adds complete frontend and backend for renamed FA4.7 icons
- improves performance of SvgSprite.bundle and SvgSprite.all_icons
* Fix group avatar flair preview
- adds an endpoint at /svg-sprites/search/:keyword
- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset
* Remove FA 4.7 font files
* First take on subsetting svg icons
* FontAwesome 5 svg subset WIP
* Include icons from plugins/badges into svg sprite subset
* add svg icon support to themes
* Add spec for SvgSprite
* Misc. SVG icon fixes
* Use FA5 svgs in local-dates plugin
* CSS adjustments, fix SVG icons in group flair
* Use SVG icons in poll plugin
* Add SVG icons to /wizard
Also corrects the positioning of autocomplete (when typing @ or emoji)
Previously there were edge conditions where autocomplete would be hundreds
of pixels away due to a bug measuring.
This correct an issue where Firefox ends up having an enormous blank space
at the bottom of topics after editing.
This commit removes the old evilstreak markdownjs engine.
- Adds specs to WhiteLister and changes it to stop using globals
(Fixes large memory leak)
- Fixes edge cases around bbcode handling
- Removes mdtest which is no longer valid (to be replaced with
CommonMark)
- Updates MiniRacer to correct minor unmanaged memory leak
- Fixes plugin specs
This adds the markdown.it engine to Discourse.
https://github.com/markdown-it/markdown-it
As the migration is going to take a while the new engine is default
disabled. To enable it you must change the hidden site setting:
enable_experimental_markdown_it.
This commit is a squash of many other commits, it also includes some
improvements to autospec (ability to run plugins), and a dev dependency
on the og gem for html normalization.
- Show fullscreen timeline with title of topic in mobile
- Go to post # kb shortcut now unconditionally uses a modal
- Always show wrench on topics (was missing if progress bar was showing)
- Be smarter about rendering timeline even if composer is open (provided there is room)
* Update sass-rails.
* FIX: Tilt dependency has been removed from Ember::Handlebars::Template.
* Update `DiscourseIIFE` to new Sprockets API.
* `Rails.application.assets` returns `nil` in production.
* Move sprockets-rails out of the assets group.
* Pin ember-rails to 0.18.5 which works with Sprockets 3.x.
* Update sprockets to 3.6.0.
* Make `DiscourseSassCompiler` work with Sprockets 3.
* Use `Sass::Rails::SassImporterGlobbing` instead of haxxing our own.
* Moneky patch so that we don't add dependencies for our custom css.
* FIX: Missing class.
* Upgrade ember-handlebars-template.
* FIX: require path needs to share the same root as the folder's path.
* Bump discourse-qunit-rails.
* Update ember-template-compiler.js to 1.12.2.
* `prepend` is private in Ruby 2.0.0.
* upstream/master: (185 commits)
SECURITY: Upgrade rails.
FIX: new user summary page was broken
Version bump to v1.5.0.beta9
Remove addressable from Discourse.
UX: change glyph when inviting existing user to a topic
FIX: Allow for large free disk space
Revert "FIX: disk_space should be a BigDecimal to handle large disk (closes#3923)"
UX: improve styling of messages and mobile view of messages
FIX: correct counts on user summary
FIX: link to filtered down list of badges from summary FEATURE: pick featured badges in summary page
FIX: do not allow new email to be duplicate FIX: return proper error message when email already exists
retain unactivated accounts a bit longer default
FEATURE: blocked users can send and reply to private messages from staff
Remove Arel patch that has been merged upstream.
correct path
little typo
FIX: Missing tag in CSS.
PERF: remove 10-20ms of work from every page view
FIX: remove green background for wiki (this can be re-added via a customization if needed)
Hotfix for unsubscribe via email
...
# Conflicts:
# .tx/config
Penar Musaraj
Joffrey JAFFEUX
Gerhard Schlager
Sam Saffron
Robin Ward
Bianca Nenciu
Guo Xiang Tan
Osama Sayegh
David Taylor
Kris
Vinoth Kannan
scossar
Régis Hanol
Arpit Jalan
Neil Lalonde
Sawood Alam
Manel Villar
Marcus Rückert
Khoa, Le Ngoc
root
Jeff Atwood