Commit Graph

49 Commits

Author SHA1 Message Date
Dan Brown
415cd6a360
Includes: Workaround for PHP 8.3.14 bug
Changed DOMText creation to be done via document so its document
reference is correct to avoid a bug in PHP 8.3.14.
Ref: https://github.com/php/php-src/issues/16967

Fixes #5341
2024-11-28 16:30:59 +00:00
Dan Brown
897bb338f9
CSP: Updated handling of drawio URL to consider port
Previously if a custom port was used in the DRAWIO option it would not
be considered in the CSP handling, which would block loading.

Added test to cover.
For #5107
2024-07-14 16:06:18 +01:00
Dan Brown
19f78dbe6c
WYSIWYG descriptions: Allowed anchor target attrs
Allowed since this is a control in the editor UI, but would previously
be stripped by editor config & server-side filtering.
For #4925
2024-04-03 16:46:53 +01:00
Dan Brown
a21ca44633
Input WYSIWYG: Fixed existing tests, fixed empty description handling 2023-12-20 17:21:09 +00:00
Dan Brown
7fd6d5b2cc
Input WYSIWYG: Updated tests, Added simple html limiting 2023-12-19 15:10:29 +00:00
Dan Brown
71c93c8878
Includes: Switched page to new system
- Added mulit-level depth parsing.
- Updating usage of HTML doc in page content to be efficient.
- Removed now redundant PageContentTest cases.
- Made some include system fixes based upon testing.
2023-11-27 19:54:47 +00:00
Dan Brown
c88eb729a4
Includes: Added block-level handling to new include system
Implements block promoting to body (including position choosing based
upon likely tag position within parent) and block splitting where we're
only a single depth down from the body child.
2023-11-24 23:39:16 +00:00
Dan Brown
75936454cc
Includes: Developed to get new system working with inline includes
Adds logic for locating and splitting text nodes.
Adds specific classes to offload tag/content specific logic.
2023-11-23 14:29:07 +00:00
Dan Brown
37a17e858a
HTML: Tweaked output from full HtmlDocument
Saves specifically the document element on output to HTML, since this
results in just the outer HTML being saved while not including the extra
XML tags which would show up before with the changes to force utf8
usage.
2023-11-14 17:23:05 +00:00
Dan Brown
db7b11fe93
HTML: Aligned and standardised DOMDocument usage
Adds a thin wrapper for DOMDocument to simplify and align usage within
all areas of BookStack.
Also means we move away from old depreacted mb_convert_encoding usage.

Closes #4638
2023-11-14 15:46:32 +00:00
Dan Brown
5af3041b9b
Thumbnails: Added OOM handling and regen endpoint
- Added some level of app out-of-memory handling so we can show a proper
  error message upon OOM events.
- Added endpoint and image-manager button/action for regenerating
  thumbnails for an image so they can be re-created upon failure.
2023-09-29 13:54:08 +01:00
Dan Brown
b292cf7090
Extracted icon helper, aligned container resolution
Also updated breadcrumb view composer to current standards.
Closes #4553
2023-09-16 18:26:28 +01:00
Dan Brown
903895814a
SSR: Updated allow list handling & covered webhook usage
- Covered webhook SSR allow list useage via test.
- Updated allow list handling to use trailing slash, or hash, or end of
  line as late anchor for better handling for hosts (prevent .co.uk
passing for .co domain host)
2023-08-26 20:13:37 +01:00
Dan Brown
c324ad928d
Security: Added new SSR allow list and validator
Included unit tests to cover validator functionality.
Added to webhooks.
Still need to do testing specifically for webhooks.
2023-08-26 15:28:29 +01:00
Dan Brown
295cd01605
Played around with a new app structure 2023-05-17 17:56:55 +01:00
Dan Brown
7c27d26161
Fixed language locale setting issue
Attempted to access an array that had been filtered and therefore could
have holes within, including as position 0 which would then be
accessed.
Also added cs language to internal map

Related to #4068
2023-02-27 19:14:45 +00:00
Dan Brown
a031edec16
Fixed old deprecated encoding convert on HTML doc load 2023-02-23 22:59:26 +00:00
Dan Brown
9ca088a4e2
Fixed static analysis issues 2023-02-06 20:00:44 +00:00
Dan Brown
78ebcb6f38
Addressed a range of deprecation warnings
Closes #3969
2023-01-21 20:50:04 +00:00
Dan Brown
6364c541ea
Fixed phpstan static usage warning, updated ci flows
CI flow updates to follow deprecation warnings
2022-11-03 14:14:22 +00:00
Dan Brown
d4e71e431b
Revised revision list to responsive layout 2022-10-31 21:26:31 +00:00
Dan Brown
ec4cbbd004
Refactored common list handling operations to new class 2022-10-30 15:16:06 +00:00
Dan Brown
905d339572
Added greek language option 2022-10-20 12:25:02 +01:00
Dan Brown
050d69ea27
Added extra setlocale format to help windows support
Related to #3650
2022-09-20 12:00:14 +01:00
Dan Brown
623ccd4cfa
Removed old thai files, added romanian as lang option
Also applied styleci changes
2022-09-06 17:41:32 +01:00
Dan Brown
6955b2fd5a
Widened svg content attribute xss filtering
Takes care of additional cases that can occur.
Closes #3705
2022-09-06 17:01:56 +01:00
Dan Brown
2d7552aa09
Addressed setlocale issue caught by phpstan
setlocale could be called with no second param if the language given to
the modified function was empty.
2022-09-05 13:33:05 +01:00
Dan Brown
ee1e936660
Applied styleci changes, updated composer deps 2022-09-05 13:18:37 +01:00
Dan Brown
9158a66bff
Updated & improved language locale handling
Extracted much of the language and locale work to a seperate, focused class.
Updated php set_locale usage to prioritise UTF8 usage.
Added locale options for windows.
Clarified what's a locale and a bookstack language string.

For #3590 and maybe #3650
2022-09-02 19:19:01 +01:00
Dan Brown
5f7cd735ea
Added content filtering of tags with javascript or data in values attr
Case would be blocked by CSP but adding for cases where CSP may not be
active when content taken externally.

For #3636
2022-08-11 10:28:32 +01:00
Dan Brown
abc283fc64
Extracted download response logic to its own class
Cleans up base controller and groups up download & streaming logic for
potential future easier addition of range request support.
2022-06-08 23:50:42 +01:00
Dan Brown
e72ade727d
Added audio mimes to our safe list for inline serving
Closes #3485
2022-06-08 22:30:55 +01:00
Dan Brown
ee6a2339b6
Applied latest styleCI changes 2022-03-09 14:30:36 +00:00
Dan Brown
856fca8289
Updated CSP with frame-src rules
- Configurable via 'ALLOWED_IFRAME_SOURCES' .env option.
- Also updated how CSP rules are set, with a single header being used
  instead of many.
- Also applied CSP rules to HTML export outputs.
- Updated tests to cover.

For #3314
2022-03-07 14:27:41 +00:00
Dan Brown
31f1dca8a8
Added detection and thumbnail bypass for apng images
Adds apng sniffing when generating thumbnails with retained ratios to
serve the original image files, as we do for GIF images, to prevent
the image being resized to a static version.

Is more tricky than GIF since apng file mimes and extensions
are the same as png, we have to detect part of the file header
to sniff the type. Means we have to sniff at a later stage
than GIF since we have to load the image file data.

Made some changes to the image thubmnail caching while doing
this work to fit in with this handling.

Added test to cover.
For #3136.
2022-01-04 13:10:35 +00:00
Dan Brown
8d7c8ac8bf
Done a round of phpstan fixes 2021-11-06 00:32:01 +00:00
Dan Brown
a17be959d8
Applied latest styleci changes 2021-11-01 13:26:02 +00:00
Dan Brown
ae155d6745
Added safe mime sniffing to prevent serving HTML
(Amoung other content types)
For #3027
2021-10-31 17:58:56 +00:00
Dan Brown
ef459ca4c4
Altered the parsing of custom head to prevent htmlentities on content
Was causing things like emjoi within script content to be somewhat
mangled. Instead we force UTF8 only parsing via XML declaration.

Added test to cover.

For #2923
2021-09-12 16:19:17 +01:00
Dan Brown
fb80bb5d58
Applied latest styleci changes 2021-09-06 22:19:06 +01:00
Dan Brown
88c698796b
Fixed issue with HTML tags in custom head scripts
Fixes a strange issue of HTML tags within script tags being malformed
when part of the HTML custom head content due to the PHP parsing we do.
DOMDocument seemed to cause this upon load.
Adding LIBXML_SCHEMA_CREATE to the ->loadHTML call seems to fix this but
not really sure why. Doesn't seem to cause further issues though.
Tested with multiple scripts and styles and comments and meta tags.

- Also added new testing class to cover.
- As part of testing, added new folder within tests to house setting
  specific tests.

For #2914
2021-09-05 23:52:39 +01:00
Dan Brown
492af79c27
Added a couple of additional CSP rules
As per guidance from google's CSP evaluator.
2021-09-04 14:34:43 +01:00
Dan Brown
253f386f00
Finished off script CSP rules
- Added caching for custom html head parsing to add nonce.
- Also moved api docs page into web routes to prevent issues.
2021-09-04 13:57:04 +01:00
Dan Brown
fd44e4ba74
Started application of CSP headers 2021-09-03 23:32:42 +01:00
Dan Brown
040997fdc4
Added filter for xlink:href svg xss
Simply remove all such attributes
2021-09-03 22:34:49 +01:00
Dan Brown
5e6092aaf8
Added extra HTML filtering of dangerous content
In particular, That around the casing of dangerous values within
attributes. This uses some xpath translation to handle different casing
in contains searching.
2021-09-02 22:02:30 +01:00
Dan Brown
934a833818 Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
Dan Brown
b5caaa73b7
Fixed content parsing break with line html comment
Fixes issues thrown in custom HMTL head & page content filtering when
the content is comprised of only a single HTML comment.
Adds tests to cover.

For #2804
2021-06-13 12:53:04 +01:00
Dan Brown
43b6633183 Filtered scripts in custom HTML head for exports
Since it appeared to cause problems in some scenarios.
Related to #2490
2021-05-03 23:59:52 +01:00