Commit Graph

16 Commits

Author SHA1 Message Date
Jarek Radosz 057d6b406d
DEV: Extensively use `includes()` (#17541)
Also, the change in insert-hyperlink (from `this.linkUrl.indexOf("http") === -1` to `!this.linkUrl.startsWith("http")`) was intentional fix: we don't want to prevent users from looking up topics with http in their titles.
2022-07-17 20:48:36 +02:00
Jarek Radosz 5f7163b5bb
DEV: Extensively use `startsWith()` (#17540) 2022-07-17 20:16:39 +02:00
David Taylor 166fe3bb34
FIX: Apply 'allowed_href_schemes' to all src/srcset attributes (#16860)
Previously we were only applying the restriction to `a[href]` and `img[src]`. This commit ensures we apply the same logic to all allowlisted media src attributes.
2022-05-19 11:18:30 +01:00
Jarek Radosz 77fed8dfc3
DEV: Update xss.js package (#16398) 2022-04-06 22:49:13 +02:00
Joffrey JAFFEUX b3ecf00c98
DEV: adds initial support for custom blocks using code fencing (#15743)
Allows to write custom code blocks:

```
   ```mermaid height=200,foo=bar
   test
   ```
```

Which will then get converted to:

```
<pre data-code-wrap="mermaid" data-code-height="200" data-code-foo="bar">
  <code class="lang-nohighlight">
    test
  </code>
</pre>
```
2022-02-09 11:23:44 +01:00
Bianca Nenciu 38199424bc
SECURITY: Sanitize d-popover attributes (#13958) 2021-08-05 16:39:17 +03:00
Josh Soref 59097b207f
DEV: Correct typos and spelling mistakes (#12812)
Over the years we accrued many spelling mistakes in the code base. 

This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change 

- comments
- test descriptions
- other low risk areas
2021-05-21 11:43:47 +10:00
Osama Sayegh d56b2e85aa
FIX: Escape Font Awesome icons (#12421)
This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS.
2021-03-17 16:11:40 +03:00
Rafael dos Santos Silva c4552e9c10
FIX: Autoplay videos must always be muted (#11533)
This automatically adds the muted attribute if it's missing in a video
tag.

Co-authored-by: David Taylor <david@taylorhq.com>
2020-12-21 14:55:00 -03:00
Krzysztof Kotlarek dbec3792b7
FIX: pretty text allow list (#10977)
Reword whitelist to allowlist in pretty-text.
This library is used by plugins so we need deprecation notice.
2020-10-28 13:22:06 +11:00
Joffrey JAFFEUX 530d9ab071
DEV: enforces eslint’s curly rule to the codebase (#10720)
eslint --fix is capable of fix it automatically for you, ensure prettier is run after eslint as eslint --fix could leave the code in an invalid prettier state.
2020-09-22 16:28:28 +02:00
Robin Ward 8c384ae6b8 Create proper shim for xss library - second attempt 2020-09-15 10:42:51 -04:00
Guo Xiang Tan e3b4632f04
Revert "Create proper shim for xss library"
This reverts commit 30e9112535.
2020-09-15 11:38:40 +08:00
Robin Ward 30e9112535 Create proper shim for xss library 2020-09-14 15:57:32 -04:00
Joffrey JAFFEUX 52672b9eab
DEV: apply new coding standards (#10592) 2020-09-04 13:42:47 +02:00
Robin Ward 79c64eaeff
DEV: Move pretty-text into an ember-addon format (#9689) 2020-05-07 12:37:47 -04:00