Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/lib
History
Roman Rizzi 5ee31cbf7d
FIX: Mark invites flash messages as HTML safe. (#15539) 
* FIX: Mark invites flash messages as HTML safe.
This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client.

Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220

* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.

* Escape user input instead of sanitizing
 		2022-01-18 09:38:31 -03:00
..
auth DEV: Deprecate OAuth2Authenticator and OAuth2UserInfo (#15427) 2022-01-06 16:50:18 +00:00
autospec DEV: Support for running theme test with Ember CLI (third attempt) 2022-01-13 16:02:07 -05:00
backup_restore DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
common_passwords DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
compression FIX: Decompressing lots of small files triggered error 2020-01-09 15:11:31 +01:00
content_security_policy FIX: Set CSP base-uri to `self` (#13654) 2021-07-07 09:43:48 -04:00
demon DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
discourse_dev DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
email FIX: don't trigger `topic_created` event for reply posts via email. (#15485) 2022-01-10 13:54:10 +05:30
emoji FEATURE: Add missing emojis (#15582) 2022-01-14 17:51:13 -03:00
faker DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
file_store DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
freedom_patches DEV: Follow Discourse's convention when monkey patching. 2022-01-11 09:48:27 +08:00
generators/rails DEV: removes plugin generator (#14101) 2021-08-20 11:29:06 +02:00
guardian FIX: Hide user's bio if profile is restricted 2022-01-05 10:23:36 +08:00
highlight_js DEV: already defined constant 'HIGHLIGHTJS_DIR' 2019-01-21 10:12:23 +01:00
i18n DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
imap FIX: Add random suffix to outbound Message-ID for email (#15179) 2021-12-06 10:34:39 +10:00
import DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
import_export FEATURE: include user custom fields in base exporter (#14690) 2021-10-22 10:02:56 -07:00
javascripts DEV: Allow `transformed` values to be used in all widget hbs statements (#13331) 2021-06-08 16:46:07 +01:00
middleware FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
migration DEV: Promote old post-deploy migrations to pre-deploy migrations (#13477) 2021-06-22 16:02:24 +01:00
onebox FIX: origins_to_regexes should always return an array (#15589) 2022-01-17 12:48:41 -05:00
plugin DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
pretty_text DEV: replaces huge generated emoji list by a simpler regex (#11053) 2021-04-22 08:43:06 +02:00
rate_limiter FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
reviewable DEV: APIs for plugin to add custom reviewable confirm modal (#12246) 2021-03-02 10:28:27 -06:00
scheduler
search FIX: remove superfluous spaces from CJK blurbs (#12629) 2021-04-12 12:46:42 +10:00
seed_data FIX: Support Ruby 3 keyword arguments 2021-10-05 11:25:00 -04:00
sidekiq DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
site_settings DEV: Drop env-based SiteSetting deprecation errors (#15273) 2021-12-13 17:36:29 +01:00
stylesheet DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
svg_sprite DEV: Remove a few unused icons (#14696) 2021-10-22 12:03:58 -04:00
tasks DEV: Update `rake qunit:test` and `rake plugin:qunit` to use `testem` 2022-01-18 10:16:29 +00:00
theme_store FIX: Git should not prompt for credentials (#15062) 2021-11-23 13:54:51 +02:00
topic_query FIX: exclude topics from muted tag in category featured list. (#14925) 2021-11-16 12:10:50 +05:30
turbo_tests FIX: Make thumbnail tests start with a clean slate (#15216) 2021-12-07 13:07:45 -06:00
validators FIX: Mark invites flash messages as HTML safe. (#15539) 2022-01-18 09:38:31 -03:00
webauthn SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
wizard FEATURE: Enable auto dark mode on new instances (#14208) 2021-09-02 14:55:38 -04:00
admin_confirmation.rb DEV: Upgrade Redis to 4.2.1. 2020-06-15 10:05:22 +08:00
admin_constraint.rb FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
admin_user_index_query.rb DEV: Let's always give a drop_from param to deprecate (#14901) 2021-11-12 08:52:59 -06:00
age_words.rb
archetype.rb
auth.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
backup_restore.rb DEV: Upgrade Rails to 6.1.3.1 (#12688) 2021-04-21 12:36:32 +03:00
badge_posts_view_manager.rb DEV: stop freezing frozen strings 2020-04-30 16:48:53 +10:00
badge_queries.rb FIX: Don't grant sharing badges to users who don't exist (#13851) 2021-07-27 16:32:59 +10:00
base62.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
bookmark_manager.rb DEV: Drop old bookmark columns (#15405) 2022-01-04 11:19:27 +10:00
bookmark_query.rb FEATURE: Go to last unread for topic-level bookmark links (#14396) 2021-09-21 13:49:56 +10:00
bookmark_reminder_notification_handler.rb DEV: Ignore reminder_type for bookmarks (#14349) 2021-09-16 09:56:54 +10:00
browser_detection.rb FIX: Detect DiscourseHub user agent. 2019-08-09 11:58:15 +03:00
cache.rb DEV: Fix rubocop issues (#14715) 2021-10-27 11:39:28 +03:00
canonical_url.rb FEATURE: Send a 'noindex' header in non-canonical responses (#15026) 2021-11-25 16:58:39 -03:00
category_badge.rb
chrome_installed_checker.rb DEV: Move chrome binary check into a shared lib (#13451) 2021-06-21 13:28:48 +10:00
comment_migration.rb
composer_messages_finder.rb FEATURE: Make allow_uploaded_avatars accept TL (#14091) 2021-08-24 10:46:28 +03:00
configurable_urls.rb Replace `base_uri` with `base_path` (#10879) 2020-10-09 12:51:24 +01:00
content_buffer.rb
content_security_policy.rb PERF: Eager load Theme associations in Stylesheet Manager. 2021-06-21 11:06:58 +08:00
cooked_post_processor.rb DEV: Remove xlink hrefs (#15059) 2021-11-25 15:22:43 +11:00
cooked_processor_mixin.rb DEV: Remove xlink hrefs (#15059) 2021-11-25 15:22:43 +11:00
crawler_detection.rb FEATURE: Implement browser update in crawler view (#12448) 2021-03-22 19:41:42 +02:00
csrf_token_verifier.rb DEV: Provide method for auth plugins to generate a CSRF token 2019-08-13 01:13:08 +01:00
current_user.rb
custom_renderer.rb
custom_setting_providers.rb
db_helper.rb DEV: Upgrade Rails to 6.1.3.1 (#12688) 2021-04-21 12:36:32 +03:00
directory_helper.rb
discourse.rb DEV: Don't warn on missing git tags (#15507) 2022-01-09 20:25:58 +01:00
discourse_connect_base.rb DEV: rename single_sign_on classes to discourse_connect (#15332) 2022-01-06 16:28:46 +04:00
discourse_connect_provider.rb DEV: rename single_sign_on classes to discourse_connect (#15332) 2022-01-06 16:28:46 +04:00
discourse_cookie_store.rb
discourse_dev.rb DEV: move `discourse_dev` gem to the core. (#13360) 2021-06-14 20:34:44 +05:30
discourse_diff.rb Escape values of HTML attributes 2021-08-10 10:25:15 -04:00
discourse_event.rb DEV: Remove site_setting_saved event (#15164) 2021-12-02 09:33:03 -06:00
discourse_hub.rb DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
discourse_ip_info.rb FIX: MaxMind DB file not downloading correctly 2020-01-05 22:08:13 +11:00
discourse_js_processor.rb DEV: Add support for class properties in babel (#13189) 2021-05-27 16:13:14 -04:00
discourse_logstash_logger.rb FIX: Use 'hostname' when Discourse.os_hostname is not available 2020-02-18 13:37:39 +02:00
discourse_plugin_registry.rb REFACTOR: Improve support for consolidating notifications. (#14904) 2021-11-30 13:36:14 -03:00
discourse_redis.rb PERF: Redis snapshotting during tests (#15260) 2021-12-10 14:25:26 -06:00
discourse_tagging.rb FEATURE: ability to add description to tags (#15125) 2021-12-01 09:18:56 +11:00
discourse_updates.rb FIX: Regression introduced in #14715 (#14842) 2021-11-09 17:20:09 +11:00
disk_space.rb FIX: correct upload statistics report for external storage 2020-02-20 15:15:53 +11:00
distributed_cache.rb PERF: Defer setting of distributed cache in more spots. 2021-06-04 09:13:18 +08:00
distributed_memoizer.rb DEV: Replace `Time.new` with `Time.now` (#9142) 2020-03-09 17:37:49 +01:00
distributed_mutex.rb FIX: Off-by-one error setting the distributed mutex key to expire 2020-02-03 14:54:50 +00:00
edit_rate_limiter.rb FEATURE: Increase daily edit limits proportionally to trust level (#13090) 2021-05-19 13:57:21 +04:00
email.rb FIX: Add random suffix to outbound Message-ID for email (#15179) 2021-12-06 10:34:39 +10:00
email_backup_token.rb DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
email_cook.rb PERF: Avoid lookbehinds when replacing links in imported emails (#11931) 2021-02-02 17:34:00 +01:00
email_updater.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
encodings.rb
enum.rb
enum_site_setting.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
excerpt_parser.rb DEV: Remove dead code 2021-05-31 10:22:50 +08:00
external_upload_helpers.rb DEV: Extract shared external upload routes into controller helper (#14984) 2021-11-18 09:17:23 +10:00
feed_element_installer.rb
feed_item_accessor.rb
file_helper.rb DEV: Swap out optipng with oxipng (#15013) 2021-11-22 10:16:35 -07:00
filter_best_posts.rb
final_destination.rb FIX: Canonical URLs may be relative (#14825) 2021-11-05 14:20:14 -03:00
flag_query.rb DEV: Remove deprecated methods (#14885) 2021-11-11 12:21:25 -06:00
flag_settings.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
gaps.rb
global_path.rb
group_email_credentials_check.rb FEATURE: Scheduled group email credential problem check (#15396) 2022-01-04 10:14:33 +10:00
guardian.rb FEATURE: Display pending posts on user’s page 2021-11-29 10:26:33 +01:00
has_errors.rb
hijack.rb DEV: Add more debugging context to onebox generation 2020-10-22 12:50:22 +08:00
homepage_constraint.rb FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
html_prettify.rb DEV: stop freezing frozen strings 2020-04-30 16:48:53 +10:00
html_to_markdown.rb FIX: Hoisting linebreaks shouldn't fail for HTML5 elements (#14364) 2021-09-17 10:41:34 +02:00
http_language_parser.rb FIX: Include resolved locale in anonymous cache key (#10289) 2020-07-22 18:00:07 +01:00
image_sizer.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
import_export.rb FEATURE: Rake task to export groups (#9450) 2020-04-17 14:59:54 -07:00
inline_oneboxer.rb FEATURE: check `blocked_onebox_domains` setting for inline oneboxes (#11944) 2021-02-03 21:45:22 +05:30
introduction_updater.rb FIX: replace default welcome topic post with new value from wizard 2020-04-01 15:42:45 -04:00
js_locale_helper.rb FIX: Translation overrides from fallback locale didn't work on client 2021-12-17 14:03:35 +01:00
json_error.rb
letter_avatar.rb DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
markdown_linker.rb
mem_info.rb
message_bus_diags.rb PERF: avoid shelling to get hostname aggressively 2020-02-18 15:13:19 +11:00
method_profiler.rb DEV: Add output_sql_to_stderr! to MethodProfiler (#12445) 2021-03-19 17:48:30 +10:00
mini_sql_multisite_connection.rb DEV: upgrade mini_sql (#12465) 2021-03-24 08:48:04 +11:00
mobile_detection.rb
new_post_manager.rb SECURITY: Escape watched word in error message (#14434) 2021-09-24 11:55:15 +03:00
new_post_result.rb DEV: Let's always give a drop_from param to deprecate (#14901) 2021-11-12 08:52:59 -06:00
notification_levels.rb
onebox.rb DEV: Absorb onebox gem into core (#12979) 2021-05-26 15:11:35 +05:30
oneboxer.rb FIX: Use CDN URL for internal onebox avatars (#15077) 2021-11-25 12:07:34 +00:00
onpdiff.rb FIX: Show a correct diff when editing consecutive paragraphs (#8177) 2019-10-11 03:50:37 -04:00
pbkdf2.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
permalink_constraint.rb
pinned_check.rb
plain_text_to_markdown.rb DEV: stop freezing frozen strings 2020-04-30 16:48:53 +10:00
plugin_gem.rb DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
plugin_initialization_guard.rb DEV: Print backtrace of error when plugin fails to initialize. 2020-06-09 10:25:43 +08:00
post_action_creator.rb DEV: Create post actions without creating a notification and store custom data. (#15397) 2021-12-27 11:25:37 -03:00
post_action_destroyer.rb FIX: Unlike own posts on ownership transfer (#10446) 2020-08-19 09:21:02 -06:00
post_action_result.rb
post_creator.rb FIX: Don't publish PM archive events to acting user. (#14291) 2021-09-10 09:20:50 +08:00
post_destroyer.rb FIX: Clean flagged queue when response to flagged post deleted (#15463) 2022-01-05 12:37:15 -06:00
post_jobs_enqueuer.rb FIX: Do not send emails to mailing_list_mode subscribers for PMs (#14159) 2021-08-26 15:16:35 +10:00
post_locker.rb
post_merger.rb FEATURE: TL4 & category moderators can merge posts (#12843) 2021-04-27 18:24:27 +02:00
post_revisor.rb FIX: Make PostRevisor more consistent (#14841) 2021-11-09 16:29:37 +02:00
presence_channel.rb DEV: Fix deprecation warning after updating to messabe_bus 4.0.0. 2022-01-13 14:11:07 +08:00
pretty_text.rb FEATURE: Customizable rules and plugins for `PrettyText.markdown`. 2022-01-11 10:39:40 +08:00
promotion.rb FIX: check if BasicBadge is enabled for TL1 welcome message (#13983) 2021-08-11 08:39:25 +10:00
quote_comparer.rb FEATURE: Nokogumbo (#9577) 2020-05-05 13:46:57 +10:00
rake_helpers.rb Try fix upload_spec flakys and remove logging from tasks/uploads_spec 2020-02-18 15:08:58 +10:00
rate_limiter.rb FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
read_only_header.rb
redis_snapshot.rb PERF: Redis snapshotting during tests (#15260) 2021-12-10 14:25:26 -06:00
retrieve_title.rb FIX: increase chunk size to fetch title tag correctly (#14144) 2021-09-03 13:15:58 +05:30
route_format.rb
route_matcher.rb REFACTOR: Introduce RouteMatcher class 2020-10-19 10:40:55 +01:00
rtl.rb Check site default locale if Rtl class is initialized without a user (#8417) 2019-11-26 15:01:37 -05:00
s3_cors_rulesets.rb DEV: Skip logging in test environment (#14971) 2021-11-16 18:01:48 +03:00
s3_helper.rb FEATURE: Direct S3 multipart uploads for backups (#14736) 2021-11-11 08:25:31 +10:00
s3_inventory.rb DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
score_calculator.rb
screening_model.rb
search.rb SECURITY: Advanced group search did not respect visiblity of groups. 2022-01-10 13:49:26 +08:00
secure_session.rb DEV: s/\$redis/Discourse\.redis (#8431) 2019-12-03 10:05:53 +01:00
shrink_uploaded_image.rb DEV: Improve `script/downsize_uploads.rb` (#13508) 2021-06-24 00:09:40 +02:00
site_icon_manager.rb PERF: Defer setting of distributed cache in more spots. 2021-06-04 09:13:18 +08:00
site_setting_extension.rb DEV: Don't clear cache/trigger events if site setting hasn't changed (#15045) 2021-11-22 16:43:12 +01:00
slug.rb FIX: Make category slugs lowercase (#11277) 2021-01-12 17:28:33 +02:00
socket_server.rb
spam_handler.rb FIX: use allowlist and blocklist terminology (#10209) 2020-07-27 10:23:54 +10:00
sql_builder.rb DEV: Let's always give a drop_from param to deprecate (#14901) 2021-11-12 08:52:59 -06:00
staff_constraint.rb FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) 2021-11-17 23:27:30 +03:00
staff_message_format.rb
suggested_topics_builder.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
system_message.rb DEV: Add option to send system message to groups (#12256) 2021-03-02 18:51:50 +01:00
temporary_db.rb DEV: Fix methods removed in Ruby 3.2 (#15459) 2022-01-05 18:45:08 +01:00
temporary_redis.rb DEV: Introduce `TemporaryRedis` and unset `DISCOURSE_*` env vars in the `themes:isolated_test` rake task (#13401) 2021-06-23 07:38:43 +03:00
text_cleaner.rb FEATURE: Correctly convert topic title to uppercase and lowercase for Turkish default locale (#13115) 2021-05-24 18:13:30 +10:00
text_sentinel.rb DEV: Correct typos and spelling mistakes (#12812) 2021-05-21 11:43:47 +10:00
theme_javascript_compiler.rb FEATURE: Allow theme tests to be run in production (take 2) (#12845) 2021-04-28 23:12:08 +03:00
theme_modifier_helper.rb Code review comments. 2021-06-21 11:06:58 +08:00
theme_settings_manager.rb FEATURE: Allow theme settings to request refresh (#15037) 2021-11-22 13:16:56 +01:00
theme_settings_parser.rb FEATURE: Allow theme settings to request refresh (#15037) 2021-11-22 13:16:56 +01:00
theme_translation_manager.rb
theme_translation_parser.rb
timeline_lookup.rb FIX: ensures timeline_lookup includes last tuple (#11829) 2021-01-25 11:30:59 +01:00
topic_creator.rb FIX: include new tags in validation if user can create one. (#14744) 2021-10-28 11:59:46 +05:30
topic_list_responder.rb DEV: Refactor draft attributes for `CategoryList` and `TopicList`. 2020-07-24 10:11:30 +08:00
topic_publisher.rb FIX: Use destroy_all instead of delete_all for shared drafts 2020-03-05 11:13:43 -08:00
topic_query.rb FIX: exclude topics from muted tag in category featured list. (#14925) 2021-11-16 12:10:50 +05:30
topic_query_params.rb FIX: Build correct topic list filter (#11473) 2020-12-11 14:20:48 +02:00
topic_retriever.rb FEATURE: Fallback to system users when creating new TopicEmbed (#12386) 2021-03-15 11:58:53 -03:00
topic_subtype.rb
topic_upload_security_manager.rb DEV: Add security_last_changed_at and security_last_changed_reason to uploads (#11860) 2021-01-29 09:03:44 +10:00
topic_view.rb FIX: Display pending posts in a moderated category 2021-12-07 10:14:45 +01:00
topics_bulk_action.rb FIX: Don't publish PM archive events to acting user. (#14291) 2021-09-10 09:20:50 +08:00
trust_level.rb FIX: Don't store translated trust level names in anonymous cache (#13224) 2021-06-01 22:11:48 +02:00
turbo_tests.rb FIX: Make thumbnail tests start with a clean slate (#15216) 2021-12-07 13:07:45 -06:00
twitter_api.rb DEV: Update rubocop-discourse from 2.3.2 to 2.4.0 (#11079) 2020-10-30 15:04:29 +01:00
unicorn_logstash_patch.rb DEV: Fix lint. 2020-07-21 15:55:03 +08:00
unread.rb FEATURE: Add last visit indication to topic view page. (#13471) 2021-07-05 14:17:31 +08:00
upload_creator.rb FIX: Blurry onebox favicon images (#15258) 2021-12-10 12:25:50 -07:00
upload_fixer.rb
upload_markdown.rb DEV: Upgrading Discourse to Zeitwerk (#8098) 2019-10-02 14:01:53 +10:00
upload_recovery.rb FIX: Support Ruby 3 keyword arguments 2021-10-05 11:25:00 -04:00
upload_security.rb FIX: Do not mark badge image uploads as secure (#13193) 2021-05-28 12:35:52 +10:00
url_helper.rb FEATURE: revert disallowing putting URLs in titles for TL0 users (#13970) 2021-08-06 20:07:42 +04:00
user_lookup.rb REVERT "FIX: do not show private group flair on user avatars" (#13991) 2021-08-10 17:25:11 +05:30
user_name_suggester.rb FEATURE: when suggesting usernames skip input that consist entirely of disallowed characters (#15368) 2021-12-21 21:13:05 +04:00
vary_header.rb FIX: Include the Vary:Accept header on all Accept-based responses (#14647) 2021-10-25 12:53:50 +01:00
version.rb Version bump to v2.8.0.beta11 (#15567) 2022-01-13 10:35:59 -05:00
webauthn.rb DEV: stop freezing frozen strings 2020-04-30 16:48:53 +10:00
wizard.rb DEV: Allow plugins to add wizard steps after specific steps (#9315) 2020-04-01 08:36:50 -05:00
zeitwerk_config.rb FIX: Better and more secure validation of periods for TopicQuery 2021-07-23 14:24:44 -04:00